Volatility3 MCP Server

by Kirandawadi
Maldoc_Hidden_PE_file.yar (1.02 kB)

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

rule Contains_hidden_PE_File_inside_a_sequence_of_numbers : maldoc
{
    meta:
        author = "Martin Willing (https://evild3ad.com)"
        description = "Detect a hidden PE file inside a sequence of numbers (comma separated)"
        reference = "http://blog.didierstevens.com/2016/01/07/blackenergy-xls-dropper/"
        reference = "http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/"
        date = "2016-01-09"
        filetype = "decompressed VBA macro code"

    strings:
        $a = "= Array(" // Array of bytes
        $b = "77, 90," // MZ
        $c = "33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46," // !This program cannot be run in DOS mode.

    condition:
        all of them
}
