
PE signatures and other details incorrectly parsed #2054

Closed
kulinacs opened this issue Mar 14, 2024 · 1 comment
Describe the bug

Yara is not correctly parsing PE metadata for MSHTA.EXE (e616c5ce71886652c13e2e1fa45a653b44d492b054f16b15a38418b8507f57c7), including not correctly identifying VersionInfo data and signatures.

To Reproduce

Run the following Yara rules against e616c5ce71886652c13e2e1fa45a653b44d492b054f16b15a38418b8507f57c7.

import "pe"

// Rule 1: the file should be recognised as a PE whose VersionInfo
// carries OriginalFileName == "MSHTA.EXE"
rule is_mshta_by_version_info
{
    condition:
        pe.is_pe
        and pe.version_info["OriginalFileName"] == "MSHTA.EXE"
}

// Rule 2: the file should carry at least one Authenticode signature.
// (Renamed from the original "is_pe" so both rules compile in one file;
// YARA rejects duplicate rule identifiers.)
rule has_signature
{
    condition:
        pe.is_pe
        and pe.number_of_signatures > 0
}

Expected behavior

The rules to match

Screenshots

N/A

Please complete the following information:

  • OS: Linux
  • YARA version: [e.g. 4.2.2]

(issue is also present in the version of Yara used by VirusTotal)

Additional context

N/A

@kulinacs kulinacs added the bug label Mar 14, 2024
@kulinacs kulinacs changed the title PE signatures and other details incorrectly parsedd PE signatures and other details incorrectly parsed Mar 14, 2024
@kulinacs (Author)

Closing - the file isn't signed
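The resolution above turns on a detail worth checking before writing a rule around `pe.number_of_signatures`: YARA's `pe` module counts certificates found through the PE's Attribute Certificate Table, i.e. data directory entry 4 (`IMAGE_DIRECTORY_ENTRY_SECURITY`). A file with an empty entry there is simply unsigned, so the rule correctly fails to match. The script below is an added example (not part of this issue or of YARA's own code) that parses the PE headers directly, reports whether that directory is populated, and reads the `WIN_CERTIFICATE` header it points to. It includes a constructed minimal PE32+ image, built inline, so it runs offline; `build_minimal_pe`, `security_directory` and `authenticode_blob` are names chosen here.

```python
import struct
import sys

# Data directory index and WIN_CERTIFICATE constants from the PE/COFF spec
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(data: bytes):
    """Return (file_offset, size) of the Attribute Certificate Table, or None if
    the PE has no security directory entry. Note that, unlike other directory
    entries, this one holds a raw file offset rather than an RVA."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    number_of_rva_and_sizes = struct.unpack_from("<I", data, opt + nrva_off)[0]
    if number_of_rva_and_sizes <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                                       # directory table too short
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        return None                                       # entry not inside the header
    offset, size = struct.unpack_from("<II", data, entry)
    if size == 0:
        return None                                       # unsigned file
    return offset, size


def authenticode_blob(data: bytes):
    """Parse the WIN_CERTIFICATE record the security directory points at.
    Returns None for an unsigned file; raises on a malformed directory."""
    sd = security_directory(data)
    if sd is None:
        return None
    off, size = sd
    if off + 8 > len(data) or off + size > len(data):
        raise ValueError("security directory points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {
        "offset": off,
        "length": length,
        "revision": revision,
        "type": cert_type,
        "pkcs7": data[off + 8:off + length],             # the PKCS#7 SignedData payload
    }


def build_minimal_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed test input: a headers-only PE32+ image with 16 data
    directories. If cert_blob is given, a WIN_CERTIFICATE wrapping it is
    appended and the security directory is pointed at it."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE header
    ndirs = 16
    opt_size = 112 + 8 * ndirs
    # Machine=AMD64, 0 sections, SizeOfOptionalHeader, Characteristics=EXE|LAA
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, ndirs)               # NumberOfRvaAndSizes
    header_len = 0x40 + 4 + 20 + opt_size
    win_cert = b""
    if cert_blob:
        win_cert = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    # Usage: python check_sig.py <file.exe>; without an argument, self-demo.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(b"\x30\x82")
    blob = authenticode_blob(data)
    print("unsigned (empty security directory)" if blob is None else
          f"signed: WIN_CERTIFICATE type=0x{blob['type']:04x} at offset {blob['offset']}")
```

Run it against a sample before expecting `pe.number_of_signatures > 0` to fire; a `None` result means there is no certificate table for YARA to count, regardless of how the VersionInfo resource parses. A populated entry only shows a signature is present, not that it verifies, which is a separate check.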
