PE imphash Inspection - Yara on Malware Analysis

Question asked by Chuck Kimber on Jul 10, 2019

I recently imported some custom yara rules into the Malware Analysis appliance.  These particular rules had a large condition set that relied on pe.imphash() so first off the .yara file has an import for pe, just to be sure:

    import "pe"
A test of the rules compiles fine:

    ]# yara -v
    yara 3.5.0
    ]# yara NW_imphash_test.yara dummy.txt

However when I dropped these yara sigs into the /watch folder they error on any lines that attempt to use the pe.imphash() yara function.  The conditions are all pretty simple:

    ( pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" or 8 of them )
I can't find any documentation that would indicate the 'import pe' shouldn't work, and the yara binary compiled fine in a test run, yet MA throws an error.

YaraFileWatch - Failed to process /var/lib/rsamalware/spectrum/yara/watch/NW_imphash_test.yara file. Reason: Traceback (most recent call last):
File "<stdin>", line 6, in <module>
yara.SyntaxError: /var/lib/rsamalware/spectrum/yara/tmp1234567890123(87): invalid field name "imphash"


Is there a trick to getting this level of pe inspection to work?
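For readers checking what the hash in a `pe.imphash() == "..."` condition actually represents, here is an added example (not from the post or from the Malware Analysis product) that recomputes an imphash from a constructed import table using the same normalisation YARA's pe module and pefile apply (lower-case DLL name with .dll/.ocx/.sys stripped, lower-case function name or `ordN`, entries joined with commas, then MD5). The import table, DLL names and function names below are constructed sample data; the well-known-ordinal lookup that pefile performs for a few DLLs is deliberately left out.

```python
import hashlib
from typing import List, Sequence, Tuple, Union

# Constructed sample import table: (DLL name, [function name or ordinal number]).
# Not taken from any real binary.
SAMPLE_IMPORTS: List[Tuple[str, Sequence[Union[str, int]]]] = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA"]),
    ("USER32.dll", ["MessageBoxA", 2]),  # ordinal import becomes "ord2"
]

# Extensions dropped from the library name before hashing.
STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_import_names(imports) -> List[str]:
    """Return the 'library.function' strings in import-table order."""
    entries = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in STRIPPED_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in funcs:
            # Ordinal-only imports are written as ordN; pefile additionally
            # resolves known ordinals for a few DLLs, which is omitted here.
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            entries.append(f"{lib}.{name}")
    return entries


def imphash(imports) -> str:
    """MD5 over the comma-joined, normalised import list (32 hex chars)."""
    joined = ",".join(normalize_import_names(imports))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def rule_source(name: str, expected: str, fallback: int = 8) -> str:
    """Build a YARA rule in the same shape as the post's condition.

    Note the quoted module name: YARA's syntax is  import "pe"  (hypothetical
    rule name and string placeholders; no strings section is generated here).
    """
    return (
        'import "pe"\n'
        f"rule {name} {{\n"
        f'    condition:\n        ( pe.imphash() == "{expected}" or {fallback} of them )\n'
        "}\n"
    )
```

Because the hash is order-sensitive and case-insensitive, two samples whose import tables differ only in name casing share an imphash, while a reordered import table does not.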