Today’s rule again uses regular expressions to match cryptocurrency wallet addresses – this time it’s Monero.
rule TTP_contains_XMR_address {
    meta:
        description = "Matches regex for Monero wallet addresses."
        last_modified = "2024-01-10"
        author = "@petermstewart"
        DaysofYara = "10/100"
    strings:
        // 95 characters in total: "4", one of [0-9AB], then 93 Base58 characters
        $r1 = /4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}/ fullword ascii wide
    condition:
        filesize < 5MB and
        $r1
}
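To see which inputs the rule's modifiers accept or reject before running it over a sample set, this added example (not the author's code) approximates `fullword`, `ascii`, `wide` and the `filesize` condition with Python's `re` over constructed buffers. `FAKE` is a constructed, address-shaped placeholder, and `find_xmr_candidates`, `SAMPLES` and the lookaround emulation of `fullword` are assumptions of this example rather than YARA's own implementation.

```python
import re

# Same pattern as $r1 in the rule: '4', one of [0-9AB], then 93 Base58 characters.
BODY = rb"4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"
ALNUM = rb"[0-9A-Za-z]"

# "fullword" approximated: no alphanumeric byte directly before or after the match.
ASCII_RE = re.compile(rb"(?<!" + ALNUM + rb")" + BODY + rb"(?!" + ALNUM + rb")")

# "wide" approximated: each character is followed by a NUL byte (UTF-16LE).
WIDE_BODY = rb"4\x00[0-9AB]\x00(?:[1-9A-HJ-NP-Za-km-z]\x00){93}"
WIDE_RE = re.compile(rb"(?<!" + ALNUM + rb"\x00)" + WIDE_BODY + rb"(?!" + ALNUM + rb"\x00)")

MAX_SIZE = 5 * 1024 * 1024  # the rule's "filesize < 5MB"


def find_xmr_candidates(data: bytes):
    """Return sorted (offset, encoding, address) tuples, or [] if data is 5MB or larger."""
    if len(data) >= MAX_SIZE:
        return []
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    hits += [(m.start(), "wide", m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return sorted(hits)


# Constructed, address-shaped placeholder (not a real wallet).
FAKE = "4A" + "z" * 93

# Constructed buffers covering the cases the rule's modifiers decide.
SAMPLES = {
    "ascii_in_config": b'{"user": "' + FAKE.encode() + b'", "pass": "x"}',
    "wide_string": b"\x01\x00" + FAKE.encode("utf-16-le") + b"\x00\x00",
    "inside_longer_token": b"A" + FAKE.encode() + b"9",
    "bad_second_char": b" 4C" + b"z" * 93 + b" ",
    "non_base58_char": b" 4A" + b"z" * 92 + b"0 ",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, find_xmr_candidates(buf))
```

A hit is only address-shaped text: the pattern checks length and alphabet, not the address checksum, so treat matches as candidates for triage.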
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.