packed with Themida

rule:
  meta:
    name: packed with Themida
    namespace: anti-analysis/packer/themida
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing::Themida [F0001.011]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
      - 8a132663bee5c2f0f5cbfebee1b55ac72934632bf32bc32d6e2dae797c9e6e35
      # see capa #1104 - 2826b762b9c268601a44974ef469a671b441e798a6c3cbb40070450c6c030ba2
  features:
    - or:
      - section: Themida
      - section: .Themida
      - section: .themida
      - section: WinLicen
      - section: .winlice
      - count(section(        )): 2 or more
        description: Section names containing 8 space characters observed in Themida 3.0.x packed files
      - and:
        - description: Section names containing 3 and 8 space characters observed in Themida 2.1.x packed files
        - section: "   "
        - section: "        "