I don't quite understand why you think it might not detect it. 

Text strings are not required to have an even number of digits. The hex 
equivalent to that string would be: {62 63 39 62 37 35 61 33 31 31 37 37 35 38 
37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66 37 38 36 35 32 64 31 63 30 33 
65 39 64 61 30 63 66 63 39 31 30 64 36 64 33 38 65 65 34 31 39 31 64 34 30}. As 
long as the string appears in a file, it should match.

I'd have to have the actual sample file in order to say anything more about it.

-Al-

On Sun, Aug 12, 2018 at 04:56 AM, Alessandro Vesely wrote:
> I'd be curious to know if NCCIC's Yara rule would detect it, because of:
> 
>    strings:
>        // This is a "text" string, although it looks like a hex dump
>        // (except for having an odd number of digits)
>        $n = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"
> 
> (Recall that hex strings in Yara require curly braces, for example:
>        $h = {bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d400}
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
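
The text-versus-hex distinction discussed in this thread, as an added example that is not part of the thread and is not ClamAV or YARA code: it emulates the two string types with plain substring search over constructed sample buffers. The function names and sample buffers are assumptions made for illustration; the two literals are the ones quoted in the rule above.

```python
"""Emulates how a YARA text string and a YARA hex string are compared
against file bytes. Not YARA's engine: plain substring search only."""

# Both literals are copied from the rule lines quoted in the thread.
TEXT_STRING = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"
HEX_STRING = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d400"


def text_pattern(s: str) -> bytes:
    """A text string ("...") is matched as the ASCII bytes of its characters."""
    return s.encode("ascii")


def hex_pattern(digits: str) -> bytes:
    """A hex string ({...}) is matched as the raw bytes its digit pairs encode."""
    cleaned = "".join(digits.split())
    if len(cleaned) % 2:
        # An odd digit count cannot be split into whole bytes.
        raise ValueError("hex string needs an even number of digits")
    return bytes.fromhex(cleaned)


def as_hex_string(s: str) -> str:
    """Render a text string as the equivalent hex string, one byte per char."""
    return "{" + " ".join(f"{b:02x}" for b in text_pattern(s)) + "}"


def scan(data: bytes) -> dict:
    """Report which of the two patterns occurs anywhere in data."""
    return {"text": text_pattern(TEXT_STRING) in data,
            "hex": hex_pattern(HEX_STRING) in data}


# Constructed sample buffers (hypothetical, not real samples).
ASCII_SAMPLE = b"config key=" + TEXT_STRING.encode("ascii") + b"\r\n"
BINARY_SAMPLE = b"\x00\x01" + bytes.fromhex(HEX_STRING) + b"\xff"

if __name__ == "__main__":
    print(as_hex_string(TEXT_STRING))
    print("ascii sample :", scan(ASCII_SAMPLE))
    print("binary sample:", scan(BINARY_SAMPLE))
```

A file that stores the value as printable characters is hit only by the text form, and a file that stores the decoded 33 bytes is hit only by the hex form.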
