stvemillertime/Cerebro_FALLCHILL_common_PE_strings.yar

## Cerebro_FALLCHILL_common_PE_strings.yar
rule Cerebro_FALLCHILL_common_PE_strings
{
    strings:
        $ThisprogramcannotberuninDOSmode_fallchill = "Tsrh kiltian xammlg yv ifm rm DOS nlwv"
        $ThisprogrammustberununderWin32_fallchill = "Tsrh kiltian nfhg yv ifm fmwvi Wrm32"
        $abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_fallchill = "ayxwvutsrqponmlkjihgfedcbzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        $ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_fallchill = "ABCDEFGHIJKLMNOPQRSTUVWXYZayxwvutsrqponmlkjihgfedcbz0123456789+/" nocase
        $0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_fallchill = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZayxwvutsrqponmlkjihgfedcbz+/" nocase
        $msvcrtdll_fallchill = "nhexig.woo" nocase
        $VCRUNTIME140dll_fallchill = "VCRUNTIME140.woo" nocase
        $IsDebuggerPresent_fallchill = "IhDvyfttviPivhvmg" nocase
        $RaiseException_fallchill = "RarhvEcxvkgrlm" nocase
        $MultiByteToWideChar_fallchill = "MfogrBbgvTlWrwvCsai" nocase
        $WideCharToMultiByte_fallchill = "WrwvCsaiTlMfogrBbgv" nocase
        $UnhandledExceptionFilter_fallchill = "UmsamwovwEcxvkgrlmFrogvi" nocase
        $SetUnhandledExceptionFilter_fallchill = "SvgUmsamwovwEcxvkgrlmFrogvi" nocase
        $GetCurrentProcess_fallchill = "GvgCfiivmgPilxvhh" nocase
        $TerminateProcess_fallchill = "TvinrmagvPilxvhh" nocase
        $IsProcessorFeaturePresent_fallchill = "IhPilxvhhliFvagfivPivhvmg" nocase
        $QueryPerformanceCounter_fallchill = "QfvibPviulinamxvClfmgvi" nocase
        $InitializeSListHead_fallchill = "ImrgraorzvSLrhgHvaw" nocase
        $GetStartupInfoW_fallchill = "GvgSgaigfkImulW" nocase
        $GetModuleHandleW_fallchill = "GvgMlwfovHamwovW" nocase
        $GetLastError_fallchill = "GvgLahgEiili" nocase
        $HeapAlloc_fallchill = "HvakAoolx" nocase
        $HeapFree_fallchill = "HvakFivv" nocase
        $GetProcessHeap_fallchill = "GvgPilxvhhHvak" nocase
        $GetCurrentProcessId_fallchill = "GvgCfiivmgPilxvhhIw" nocase
        $GetCurrentThreadId_fallchill = "GvgCfiivmgTsivawIw" nocase
        $GetSystemTimeAsFileTime_fallchill = "GvgSbhgvnTrnvAhFrovTrnv" nocase
        $VirtualQuery_fallchill = "VrigfaoQfvib" nocase
        $VirtualAlloc_fallchill = "VrigfaoAoolx" nocase
        $FreeLibrary_fallchill = "FivvLryiaib" nocase
        $GetProcAddress_fallchill = "GvgPilxAwwivhh" nocase
        $xmlversion10encodingUTF8standaloneyes_fallchill = "cno evihrlm='1.0' vmxlwrmt='UTF-8' hgamwaolmv='bvh'" nocase
        $assemblyxmlnsurnschemasmicrosoftcomasmv1manifestVersion10_fallchill = "<ahhvnyob cnomh='fim:hxsvnah-nrxilhlug-xln:ahn.e1' namruvhgVvihrlm='1.0'>" nocase
        $trustInfoxmlnsurnschemasmicrosoftcomasmv3_fallchill = "<gifhgImul cnomh=\"fim:hxsvnah-nrxilhlug-xln:ahn.e3\">" nocase
        $security_fallchill = "<hvxfirgb>" nocase
        $requestedPrivileges_fallchill = "<ivjfvhgvwPirerovtvh>" nocase
        $requestedExecutionLevellevelasInvokeruiAccessfalse_fallchill = "<ivjfvhgvwEcvxfgrlmLvevo ovevo='ahImelpvi' frAxxvhh='uaohv' />" nocase
        $requestedPrivileges_fallchill2 = "</ivjfvhgvwPirerovtvh>" nocase
        $security_fallchill2 = "</hvxfirgb>" nocase
        $trustInfo_fallchill = "</gifhgImul>" nocase
        $assembly_fallchill = "</ahhvnyob>" nocase
        $ContentTypeapplicationoctetstream_fallchill = "Clmgvmg-Tbkv: akkorxagrlm/lxgvg-hgivan" nocase
        $ContentLength_fallchill = "Clmgvmg-Lvmtgs: %" nocase
        $MicrosoftBaseCryptographicProviderv10_fallchill = "Mrxilhlug Bahv Cibkgltiaksrx Pilerwvi e1.0" nocase
    condition:
        any of them
}
	rule Cerebro_FALLCHILL_common_PE_strings
	{
	strings:
	$ThisprogramcannotberuninDOSmode_fallchill = "Tsrh kiltian xammlg yv ifm rm DOS nlwv"
	$ThisprogrammustberununderWin32_fallchill = "Tsrh kiltian nfhg yv ifm fmwvi Wrm32"
	$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_fallchill = "ayxwvutsrqponmlkjihgfedcbzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_fallchill = "ABCDEFGHIJKLMNOPQRSTUVWXYZayxwvutsrqponmlkjihgfedcbz0123456789+/" nocase
	$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_fallchill = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZayxwvutsrqponmlkjihgfedcbz+/" nocase
	$msvcrtdll_fallchill = "nhexig.woo" nocase
	$VCRUNTIME140dll_fallchill = "VCRUNTIME140.woo" nocase
	$IsDebuggerPresent_fallchill = "IhDvyfttviPivhvmg" nocase
	$RaiseException_fallchill = "RarhvEcxvkgrlm" nocase
	$MultiByteToWideChar_fallchill = "MfogrBbgvTlWrwvCsai" nocase
	$WideCharToMultiByte_fallchill = "WrwvCsaiTlMfogrBbgv" nocase
	$UnhandledExceptionFilter_fallchill = "UmsamwovwEcxvkgrlmFrogvi" nocase
	$SetUnhandledExceptionFilter_fallchill = "SvgUmsamwovwEcxvkgrlmFrogvi" nocase
	$GetCurrentProcess_fallchill = "GvgCfiivmgPilxvhh" nocase
	$TerminateProcess_fallchill = "TvinrmagvPilxvhh" nocase
	$IsProcessorFeaturePresent_fallchill = "IhPilxvhhliFvagfivPivhvmg" nocase
	$QueryPerformanceCounter_fallchill = "QfvibPviulinamxvClfmgvi" nocase
	$InitializeSListHead_fallchill = "ImrgraorzvSLrhgHvaw" nocase
	$GetStartupInfoW_fallchill = "GvgSgaigfkImulW" nocase
	$GetModuleHandleW_fallchill = "GvgMlwfovHamwovW" nocase
	$GetLastError_fallchill = "GvgLahgEiili" nocase
	$HeapAlloc_fallchill = "HvakAoolx" nocase
	$HeapFree_fallchill = "HvakFivv" nocase
	$GetProcessHeap_fallchill = "GvgPilxvhhHvak" nocase
	$GetCurrentProcessId_fallchill = "GvgCfiivmgPilxvhhIw" nocase
	$GetCurrentThreadId_fallchill = "GvgCfiivmgTsivawIw" nocase
	$GetSystemTimeAsFileTime_fallchill = "GvgSbhgvnTrnvAhFrovTrnv" nocase
	$VirtualQuery_fallchill = "VrigfaoQfvib" nocase
	$VirtualAlloc_fallchill = "VrigfaoAoolx" nocase
	$FreeLibrary_fallchill = "FivvLryiaib" nocase
	$GetProcAddress_fallchill = "GvgPilxAwwivhh" nocase
	$xmlversion10encodingUTF8standaloneyes_fallchill = "cno evihrlm='1.0' vmxlwrmt='UTF-8' hgamwaolmv='bvh'" nocase
	$assemblyxmlnsurnschemasmicrosoftcomasmv1manifestVersion10_fallchill = "<ahhvnyob cnomh='fim:hxsvnah-nrxilhlug-xln:ahn.e1' namruvhgVvihrlm='1.0'>" nocase
	$trustInfoxmlnsurnschemasmicrosoftcomasmv3_fallchill = "<gifhgImul cnomh=\"fim:hxsvnah-nrxilhlug-xln:ahn.e3\">" nocase
	$security_fallchill = "<hvxfirgb>" nocase
	$requestedPrivileges_fallchill = "<ivjfvhgvwPirerovtvh>" nocase
	$requestedExecutionLevellevelasInvokeruiAccessfalse_fallchill = "<ivjfvhgvwEcvxfgrlmLvevo ovevo='ahImelpvi' frAxxvhh='uaohv' />" nocase
	$requestedPrivileges_fallchill2 = "</ivjfvhgvwPirerovtvh>" nocase
	$security_fallchill2 = "</hvxfirgb>" nocase
	$trustInfo_fallchill = "</gifhgImul>" nocase
	$assembly_fallchill = "</ahhvnyob>" nocase
	$ContentTypeapplicationoctetstream_fallchill = "Clmgvmg-Tbkv: akkorxagrlm/lxgvg-hgivan" nocase
	$ContentLength_fallchill = "Clmgvmg-Lvmtgs: %" nocase
	$MicrosoftBaseCryptographicProviderv10_fallchill = "Mrxilhlug Bahv Cibkgltiaksrx Pilerwvi e1.0" nocase
	condition:
	any of them
	}