#100DaysofYARA 2024 – Day 9 – Ethereum Address

Peter YARA January 9, 2024January 9, 2024 1 Minute

Another cryptocurrency rule today, this time focused on matching Ethereum wallet addresses using regular expressions.

rule TTP_contains_ETH_address {
	meta:
		description = "Matches regex for Ethereum wallet addresses."
		last_modified = "2024-01-09"
        author = "@petermstewart"
        DaysofYara = "9/100"

	strings:
		$r1 = /0x[a-fA-F0-9]{40}/ fullword ascii wide

	condition:
		filesize < 5MB and
		$r1
}

After yesterday’s post I asked the #100DaysofYARA group on Twitter if they had any suggestions to decrease the performance hit of using regular expressions like this. Answer: use YARA-X (when it’s ready)

Use YARA-X! ¯_(ツ)_/¯

YARA-X does a better job at extracting fixed parts from the regexp that can be used to speed up scan. It's not production-ready yet, but I expect to release a first version in the upcoming months. https://t.co/2Jtd9ygrlY
— Victor M. Alvarez (@plusvic) January 8, 2024

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

Tagged
100DaysofYARA

Published by Peter

View all posts by Peter

Published January 9, 2024January 9, 2024

Leave a comment Cancel reply