See the warning at the top of 
https://yara.readthedocs.io/en/stable/modules/hash.html - all hashes are 
returned in lowercase.

-- WXS

> On Feb 22, 2021, at 11:30 AM, Jonathan Livolsi <jlivo...@gmail.com> wrote:
> 
> Hi,
> 
> I am going through a lab to learn yara rules and have a simple problem but I 
> am not seeing why this might be happening.  It is an online course and their 
> support doesn't help with this kind of stuff.  I am just writing a simple 
> rule to check the MZ bits and the file hash for MD5, SHA1, and SHA256.  
> Nothing complicated about it.
> 
> In this screenshot I have in my simple yara rule a check for the first bytes 
> of 5A4D and it works fine.  I commented out the hash checks and in the 
> console you can see that I get a 1 returned because the rule matched.  
> <Capture1.JPG>
> 
> In this screenshot I uncommented the hash checks and the rule fails to match. 
> If I comment out the strings and the check in the conditions but leave in 
> the hash (even just one at a time) the rule does not ever match.  Yet in the 
> PowerShell prompt to the right I have the calculated hashes that I used in 
> the rule.  Am I missing something?
> <Capture2.JPG>
> 
> Thanks for the help.
> 
> 
> Jonathan
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to yara-project+unsubscr...@googlegroups.com 
> <mailto:yara-project+unsubscr...@googlegroups.com>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/yara-project/CACYKFWr7-UYXkMr1jDQMaFOBMm6%2BTq7Av-VfdBCgCgNoyS7q_g%40mail.gmail.com
>  
> <https://groups.google.com/d/msgid/yara-project/CACYKFWr7-UYXkMr1jDQMaFOBMm6%2BTq7Av-VfdBCgCgNoyS7q_g%40mail.gmail.com?utm_medium=email&utm_source=footer>.
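The point WXS makes above, worked through in code as an added example (not from the thread and not YARA's own code): YARA's hash module returns digests as lowercase hex and compares them to the rule's string literal exactly, so a digest copied from PowerShell's Get-FileHash (which prints uppercase) never matches. The snippet emulates that comparison with hashlib, normalizes copied digests, and renders a rule with the MZ check and lowercased hashes. The sample "PE" is a constructed MZ header with padding, not a real executable; function names and the rule name are my own.

```python
import hashlib
import re

# Expected hex-digest lengths for the three algorithms YARA's hash module exposes.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Constructed stand-in for a PE file: a bare MZ (DOS) header plus padding.
# Not a real executable; it only needs the magic so the MZ check has something to hit.
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56


def has_mz_header(data: bytes) -> bool:
    """Equivalent of the YARA condition 'uint16(0) == 0x5A4D' (little-endian read of 'MZ')."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def file_digests(data: bytes) -> dict:
    """Digests in the form YARA's hash module returns them: hash.md5(0, filesize),
    hash.sha1(0, filesize) and hash.sha256(0, filesize) all yield lowercase hex."""
    return {algo: getattr(hashlib, algo)(data).hexdigest() for algo in HEX_LENGTHS}


def yara_hash_condition_matches(data: bytes, algo: str, literal: str) -> bool:
    """Emulate 'hash.<algo>(0, filesize) == "<literal>"'. YARA compares the two strings
    exactly, so an uppercase literal (what Get-FileHash displays) can never be equal
    to the lowercase value the module produces."""
    return file_digests(data)[algo] == literal


def normalize_hash(literal: str, algo: str) -> str:
    """Lowercase a digest copied from another tool and reject anything that is not a
    complete hex digest of the right length for the algorithm."""
    digest = literal.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LENGTHS[algo], digest):
        raise ValueError(f"{literal!r} is not a {HEX_LENGTHS[algo]}-char hex {algo} digest")
    return digest


def build_rule(name: str, digests: dict) -> str:
    """Render a YARA rule requiring the MZ header plus any one of the supplied digests.
    All three digests identify the same file, so 'or' is enough; each is lowercased
    before it is written into the condition."""
    conditions = " or\n        ".join(
        f'hash.{algo}(0, filesize) == "{normalize_hash(value, algo)}"'
        for algo, value in sorted(digests.items())
    )
    return (
        'import "hash"\n\n'
        f"rule {name}\n"
        "{\n"
        "    condition:\n"
        "        uint16(0) == 0x5A4D and (\n"
        f"        {conditions}\n"
        "        )\n"
        "}\n"
    )


if __name__ == "__main__":
    actual = file_digests(SAMPLE_PE)
    # Mimic what a user copies out of PowerShell: Get-FileHash prints the digest in uppercase.
    pwsh_style = {algo: value.upper() for algo, value in actual.items()}
    print("uppercase md5 literal matches:", yara_hash_condition_matches(SAMPLE_PE, "md5", pwsh_style["md5"]))
    print("lowercase md5 literal matches:", yara_hash_condition_matches(SAMPLE_PE, "md5", actual["md5"]))
    print(build_rule("mz_with_known_hash", pwsh_style))
```

Running it shows the uppercase literal failing and the lowercase one matching; the rendered rule is what the poster's condition should look like once the digests are lowercased. The same fix on the PowerShell side is to call `.ToLower()` on the `Hash` property before pasting it into the rule.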
