packed with Huan

rule:
  meta:
    name: packed with Huan
    namespace: anti-analysis/packer/huan
    authors:
      - jakub.jozwiak@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://github.com/frkngksl/Huan
    examples:
      - 378ecc1b2e60129c9f06bb6bb8042f2b95feca5f526a4c26a5c39707807fa259:0x140048000
  features:
    - or:
      - section: .huan
      - string: "[+] IAT Fix starts..."
      - string: "     [+] Import by ordinal: "
      - string: "     [+] Import by name: "
      - string: "[!] There is a problem in relocation directory"
      - string: "[!] No Relocation Table and Cannot load to the preferable address"
      - string: "[+] All headers are copied"
      - string: "[+] All sections are copied"