obfuscated with vs-obfuscation

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: obfuscated with vs-obfuscation
    namespace: anti-analysis/obfuscation
    authors:
      - jakub.jozwiak@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Anti-Static Analysis::Executable Code Obfuscation [B0032]
    references:
      - https://github.com/Tai7sy/vs-obfuscation
    examples:
      - efd1a86330cecba5d8d038fba65ac8e76955ed724986aa87cd6ca9f72f6941c7
  features:
    - or:
      - string: "DefWindowProcW1222_test"
      - and:
        - string: "Module: %s"
        - string: "Find function HeapAlloc"
        - string: "Function: %s"
        - string: "Hash: %u"
        - string: "Can't find function"

last edited: 2023-11-24 10:34:28