PE imphash Inspection - Yara on Malware Analysis

Question asked by Chuck Kimber on Jul 10, 2019

I recently imported some custom yara rules into the Malware Analysis appliance.  These particular rules had a large condition set that relied on pe.imphash() so first off the .yara file has an import for pe, just to be sure:

import pe
--------

A test of the rules compiles fine:

]# yara -v
yara 3.5.0
]# yara NW_imphash_test.yara dummy.txt
]#
--------

However, when I dropped these yara sigs into the /watch folder, they error on any lines that attempt to use the pe.imphash() yara function. The conditions are all pretty simple:

condition:
    ( pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" or 8 of them )
--------

I can't find any documentation that would indicate the 'import pe' shouldn't work, and the yara binary compiled fine in a test run, yet MA throws an error.

YaraFileWatch - Failed to process /var/lib/rsamalware/spectrum/yara/watch/NW_imphash_test.yara file. Reason: Traceback (most recent call last):
File "<stdin>", line 6, in <module>
yara.SyntaxError: /var/lib/rsamalware/spectrum/yara/tmp1234567890123(87): invalid field name "imphash"
--------

Is there a trick to getting this level of pe inspection to work?
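As an added illustration, not part of the original post or of the appliance's code, the Python below builds the value that a pe.imphash() condition is compared against, so a rule's hash can be checked against a sample's import table independently of whichever YARA build the watch folder uses. It implements the core of the published imphash construction (lower-cased DLL and symbol names, trailing .dll/.ocx/.sys stripped, ordinals written as ordN, MD5 over the comma-joined list); the import table shown is constructed for the example, and the ordinal-to-name table that pefile and YARA apply to a few well-known DLLs is deliberately left out.

```python
import hashlib
from typing import Iterable, List, Tuple, Union

# One import-table entry: (DLL name as found in the PE, list of imported
# symbols, each either a function name or an ordinal number).
ImportEntry = Tuple[str, List[Union[str, int]]]

# Extensions that the imphash construction strips from the DLL name.
STRIPPED_EXTS = ("dll", "ocx", "sys")


def imphash_string(imports: Iterable[ImportEntry]) -> str:
    """Build the canonical 'dll.func,dll.func,...' string that gets hashed.

    DLL names are lower-cased and lose a trailing .dll/.ocx/.sys, symbol
    names are lower-cased, imports by ordinal become 'ordN', and the order
    is the import-table order. Simplification: pefile and YARA additionally
    map ordinals of a few well-known DLLs (e.g. ws2_32) to names; this
    example does not carry that table.
    """
    parts = []
    for dll, symbols in imports:
        libname = dll.lower()
        base, sep, ext = libname.rpartition(".")
        if sep and ext in STRIPPED_EXTS:
            libname = base
        for sym in symbols:
            funcname = f"ord{sym}" if isinstance(sym, int) else sym.lower()
            parts.append(f"{libname}.{funcname}")
    return ",".join(parts)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 of the canonical import string, as a lowercase hex digest."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed sample import table for the example; not from any real binary.
SAMPLE_IMPORTS: List[ImportEntry] = [
    ("KERNEL32.dll", ["CreateFileW", "WriteFile", "CloseHandle"]),
    ("USER32.DLL", ["MessageBoxA"]),
    ("custom.ocx", [12]),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash is taken over the normalised string, a rule's imphash literal only matches when every imported DLL and symbol, in import-table order, is identical; a single added or reordered import changes the digest.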