MD5 match with #Yara #Malware #Virustotal using HASH or VT
Today I faced a different problem when using YARA. The task is to find files based on different rules and then check whether they match a few known MD5 IOCs. It looks simple: define the constant, then create the condition. After a bit of searching on the internet, I found that the following can be used in YARA to check a file's MD5 hash:
hash.md5(0, filesize) == "XXXXXXXXXXXXXXXXXXXXXXXXXXX"
So, as an example
import "hash"

// IsPE was referenced but never defined in the original; defined here with the
// same MZ-header check the VT rule below uses.
private rule IsPE {
    condition:
        uint16(0) == 0x5a4d
}

rule find_hash {
    meta:
        description = "hash matching"
    condition:
        IsPE and
        filesize < 350KB and
        // hash.md5() returns lowercase hex, so the IOC must be lowercase too
        hash.md5(0, filesize) == "XXXXXXX"   // placeholder for a 32-character MD5
}
should work. At first I received a few errors. But I found a better method, with many more options, if you have VirusTotal API access.
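As an added example (not code from the original post), a small Python helper for the hash-module approach above: it normalises an MD5 IOC list (lowercase, validated, de-duplicated, since hash.md5() compares against lowercase hex), generates the rule text, and re-implements the rule's condition locally so an IOC list can be sanity-checked against a sample without running yara. The sample bytes and IOC values are constructed placeholders, not real indicators.

```python
"""Build a YARA hash-module rule from a list of MD5 IOCs and check samples locally.
Added example; the IOCs and sample below are constructed placeholders."""
import hashlib
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def normalise_md5s(raw_iocs):
    """Strip, lowercase and validate MD5 strings; return a sorted, de-duplicated list.
    YARA's hash.md5() yields lowercase hex, so an uppercase IOC would never match."""
    out = set()
    for item in raw_iocs:
        h = item.strip().lower()
        if not HEX32.match(h):
            raise ValueError(f"not a valid MD5 hex digest: {item!r}")
        out.add(h)
    return sorted(out)


def build_rule(name, md5s, max_size="350KB"):
    """Emit a rule: MZ header and size bound first, so the whole-file hash is only
    computed for small PE files, then any of the normalised MD5s."""
    clauses = " or\n        ".join(
        f'hash.md5(0, filesize) == "{h}"' for h in normalise_md5s(md5s))
    return (
        'import "hash"\n\n'
        f"rule {name}\n{{\n"
        "    meta:\n"
        '        description = "match known MD5 IOCs"\n'
        "    condition:\n"
        f"        uint16(0) == 0x5a4d and filesize < {max_size} and (\n"
        f"        {clauses}\n"
        "        )\n"
        "}\n"
    )


def local_match(data, md5s, max_size=350 * 1024):
    """Same condition as the generated rule, evaluated in Python on raw bytes
    (YARA's KB suffix is 1024 bytes)."""
    is_pe = data[:2] == b"MZ"
    return is_pe and len(data) < max_size and \
        hashlib.md5(data).hexdigest() in set(normalise_md5s(md5s))


# constructed sample: a fake "PE" that starts with the MZ magic
SAMPLE = b"MZ" + b"\x90" * 64
SAMPLE_MD5 = hashlib.md5(SAMPLE).hexdigest()

if __name__ == "__main__":
    print(build_rule("find_hash", [SAMPLE_MD5.upper()]))
```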
import "vt"   // the vt module is only available in VirusTotal Livehunt/Retrohunt, not in local yara

rule find
{
    meta:
        author = "Krish"
        description = "XXX payload"
    strings:
        $s1 = "XXXX" fullword ascii
        $s2 = "XXXX" fullword ascii
        // placeholders: the condition references $mutex and $ua* strings, and
        // "6 of ($s*)" needs at least six $s strings, so define them all here
        $mutex = "XXXX" fullword ascii
        $ua1 = "XXXX" fullword ascii
        $ua2 = "XXXX" fullword ascii
    condition:
        uint16(0) == 0x5a4d and
        ($mutex or (all of ($ua*) and 2 of them) or 6 of ($s*)) and
        // parenthesised: "and" binds tighter than "or", so without the brackets
        // the second MD5 alone would match, bypassing the PE and string checks
        (vt.metadata.md5 == "XXXXX" or
         vt.metadata.md5 == "XXXXX")
}
A lot more filters can be used as well. FYI: https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt