executable/subfile/pe

contain an embedded PE file

# capa rule: flags a file that appears to carry another PE image inside it.
# A match describes a capability (a bundled executable), not a verdict;
# installers and self-extracting archives can match as well.
rule:
  meta:
    name: contain an embedded PE file
    namespace: executable/subfile/pe
    authors:
      - moritz.raabe@mandiant.com
    # Evaluated once over the whole file, for both static and dynamic analysis.
    scopes:
      static: file
      dynamic: file
    # Malware Behavior Catalog mapping: an embedded PE is treated as a sign
    # that the sample can install an additional program.
    mbc:
      - Execution::Install Additional Program [B0023]
    # Reference sample the rule is expected to match; the ':0x4060' suffix is
    # presumably the location of the match in that sample - confirm.
    examples:
      - Practical Malware Analysis Lab 01-04.exe_:0x4060
  features:
    # Either branch alone is enough to match.
    - or:
      # The feature extractor reported at least one 'embedded pe' characteristic.
      - count(characteristic(embedded pe)): 1 or more
      # The DOS-stub message occurs at least twice. The host file's own stub
      # typically accounts for one occurrence, so a second suggests another
      # PE image. NOTE(review): this is an exact string match, so it only
      # sees payloads stored in the clear with an unmodified stub; packed or
      # encrypted payloads will not match this branch.
      - count(string(This program cannot be run in DOS mode.)): 2 or more

last edited: 2023-11-24 10:34:28