YARAhub
You are currently viewing the YARAhub entry for the YARA rule SUS_Unsigned_APPX_MSIX_Installer_Feb23. Depending on the TLP classification the author chose for this rule, further information about it is shown below.
YARA Rule Details: SUS_Unsigned_APPX_MSIX_Installer_Feb23
| Rule name: | SUS_Unsigned_APPX_MSIX_Installer_Feb23 |
|---|---|
| Author: | SECUINFRA Falcon Team (@SI_FalconTeam) |
| Description: | Detects suspicious, unsigned Microsoft Windows APPX/MSIX Installer Packages |
| Reference MD5: | 69660f5abb08fc430cf756a44d19e039 |
| Likes: | 1 |
| Reference Link: | n/a |
| Malpedia Family: | n/a |
| Date added: | 2023-02-01 |
| Rule Matching TLP: | TLP:WHITE |
| Rule Sharing TLP: | TLP:WHITE |
| License: | https://creativecommons.org/licenses/by/4.0/ |
| UUID: | 3eaac733-4ab9-40e1-93fe-3dbed6d458e8 |
| Static hits: | 3 |
| Unpacker hits: | 0 |
YARA Rule Content
The content of the YARA rule is shown below.
```yara
rule SUS_Unsigned_APPX_MSIX_Installer_Feb23
{
    meta:
        author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
        description = "Detects suspicious, unsigned Microsoft Windows APPX/MSIX Installer Packages"
        reference = "https://twitter.com/SI_FalconTeam/status/1620500572481945600"
        date = "2023-02-01"
        tlp = "CLEAR"
        yarahub_reference_md5 = "69660f5abb08fc430cf756a44d19e039"
        yarahub_uuid = "3eaac733-4ab9-40e1-93fe-3dbed6d458e8"
        yarahub_license = "CC BY 4.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:WHITE"
        yarahub_author_twitter = "@SI_FalconTeam"

    strings:
        $s_manifest = "AppxManifest.xml"
        $s_block = "AppxBlockMap.xml"
        $s_peExt = ".exe"
        // we are not looking for signed packages
        $sig = "AppxSignature.p7x"

    condition:
        // ZIP container magic ("PK"), which APPX/MSIX packages use
        uint16be(0x0) == 0x504B
        and 2 of ($s*)
        and not $sig
}
```
YARA Rule Matches
The following table shows the most recent files matching this particular YARA rule.
| First seen (UTC) | SHA256 hash | Static matches | Unpacker matches |
|---|---|---|---|