100 Days of YARA – Day 33: Murmur Hash

Murmur Hash is another non-cryptographic hash function, similar to CRC32. This algorithm is simple to implement and has been observed in several malware samples, including Cerber ransomware, Sage ransomware, and KPOT stealer: https://pinboard.in/u:droberson/t:murmur3/

This rule takes a similar approach to the CRC32, MD5, and SHA256 rules from earlier in this series by searching for constants used in this algorithm’s implementation:

rule murmurhash_constants
{
	meta:
		author = "Daniel Roberson"
		description = "mmh3 constants"

	strings:
		$c1 = { 512d9ecc }
		$c2 = { 9335871b }
		$c3 = { 646b54e6 }
		$c4 = { 35aeb2c2 }

	condition:
		all of them
}

YARA Rules Index

One thought on “100 Days of YARA – Day 33: Murmur Hash”

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

Share this:

Like this:

One thought on “100 Days of YARA – Day 33: Murmur Hash”

Leave a Reply Cancel reply