aslefhewqiwbepqwefbpqsciwueh/obfuscated_autoit_injector.yar

## obfuscated_autoit_injector.yar
rule obfuscated_autoit_injector
{
  meta:
    author = "MhicRoibin"
    date = "2024-01-09"
    description = "Detects Obfuscated Autoit script, usually used for injection"
    sample = "aae989743dddc84adef90622c657e45e23386488fa79d7fe7cf0863043b8acd4"
  strings:
    $a = "FileExists"
    $b = "ACos("
    $c = "Func"
    $d = "AutoItX64"
    $e = "PixelGetColor"
    $f = "ASin("
    $g = "Dec("
    $h = "Chr("
    $i = "ATan("
    $j = "DriveStatus("
    $k = "Execute("
    $l = "Sqrt("
  condition:
    all of them
}
	rule obfuscated_autoit_injector
	{
	meta:
	author = "MhicRoibin"
	date = "2024-01-09"
	description = "Detects Obfuscated Autoit script, usually used for injection"
	sample = "aae989743dddc84adef90622c657e45e23386488fa79d7fe7cf0863043b8acd4"
	strings:
	$a = "FileExists"
	$b = "ACos("
	$c = "Func"
	$d = "AutoItX64"
	$e = "PixelGetColor"
	$f = "ASin("
	$g = "Dec("
	$h = "Chr("
	$i = "ATan("
	$j = "DriveStatus("
	$k = "Execute("
	$l = "Sqrt("
	condition:
	all of them
	}