100 Days of YARA – Day 46: NirSoft MailPassView

NirSoft’s MailPassView is another abused tool.

Note that this rule is more performant than the previous NirSoft rules because of the filesize check. This makes it more likely to match on MailPassView itself but may produce false negatives for samples that bundle this software.

rule mailpassview
{
	meta:
		description = "NirSoft MailPassView"
		reference = "https://www.nirsoft.net/utils/mailpv.html"

	strings:
		$ = "IncrediMail" wide
		$ = "NirSoft" wide
		$ = "PassView" wide

	condition:
		uint16(0) == 0x5a4d and filesize < 1MB and all of them
}
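To make the trade-off in the note above concrete, here is a small Python model of the rule's condition (an added example, not part of the original post and not YARA's own code; the sample buffers are constructed stand-ins, not real binaries):

```python
# Added example: models the condition
#   uint16(0) == 0x5a4d and filesize < 1MB and all of them
# to show why the filesize check speeds things up but can miss bundled copies.
import struct

MZ_MAGIC = 0x5A4D                 # uint16(0) == 0x5a4d: "MZ" read little-endian
SIZE_LIMIT = 1 * 1024 * 1024      # filesize < 1MB (YARA's MB suffix is 1024*1024)
# "wide" strings are matched as UTF-16LE bytes, not ASCII.
WIDE_STRINGS = [s.encode("utf-16-le") for s in ("IncrediMail", "NirSoft", "PassView")]


def mailpassview_matches(data: bytes, check_size: bool = True) -> bool:
    """Evaluate the rule; check_size=False models the rule without the filesize clause."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != MZ_MAGIC:
        return False
    if check_size and len(data) >= SIZE_LIMIT:
        return False
    return all(s in data for s in WIDE_STRINGS)


def fake_pe(strings, pad_to: int) -> bytes:
    """Constructed stand-in for a PE: MZ header, UTF-16LE strings, zero padding."""
    body = b"MZ" + b"\x00" * 62
    body += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + b"\x00" * max(0, pad_to - len(body))


# Constructed samples (hypothetical, not real files):
SMALL_TOOL = fake_pe(["IncrediMail", "NirSoft", "PassView"], 64 * 1024)       # 64 KiB
BUNDLED_DROPPER = fake_pe(["IncrediMail", "NirSoft", "PassView"], 3 * 1024 * 1024)  # 3 MiB
ASCII_ONLY = b"MZ" + b"\x00" * 62 + b"IncrediMail NirSoft PassView"          # not wide

if __name__ == "__main__":
    print("small tool:", mailpassview_matches(SMALL_TOOL))                      # True
    print("bundled, size check on:", mailpassview_matches(BUNDLED_DROPPER))     # False
    print("bundled, size check off:", mailpassview_matches(BUNDLED_DROPPER, False))  # True
    print("ascii only:", mailpassview_matches(ASCII_ONLY))                      # False
```

The bundled sample is the false-negative case: the same strings are present, but the 1 MB ceiling rules it out unless the size clause is dropped.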

One thought on “100 Days of YARA – Day 46: NirSoft MailPassView”

  1. Pingback: Week 06 – 2022 – This Week In 4n6
