Recently a sample from the Darkside family found on VirusTotal matched the following YARA rule:
    import "pe"

    rule Unspecified_Malware
    {
        meta:
            description = " "
            license = " "
            author = " "
            reference = " "
            date = " "
            hash = "243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60"
        condition:
            uint16(0) == 0x5a4d
            and filesize < 200KB
            and pe.imphash() == "17a4bd9c95f2898add97f309fc6f9bcd"
    }
The clause that does the real work is pe.imphash() == "17a4bd9c95f2898add97f309fc6f9bcd" (which is why the rule needs the import "pe" line): imphash is a hash computed over the PE file's import table, so it identifies samples whose imports were laid out by the same build, regardless of other changes in the file. The details of the algorithm are easy to find with a quick search.
It can be computed directly with Python and the pefile module, as follows:
    import pefile

    # Load the sample by its SHA-256 file name and hash its import table
    pe = pefile.PE("D:\\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60")
    print(pe.get_imphash())
Output: '17a4bd9c95f2898add97f309fc6f9bcd'
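To show what pe.get_imphash() actually hashes, the following added example (not code from the original post or from pefile) reimplements the imphash algorithm as pefile computes it: DLL names are lowercased and stripped of their .dll/.ocx/.sys extension, function names are lowercased, imports by ordinal become "ordN", the "dll.func" tokens are joined with commas in import-table order, and the result is MD5-hashed. The import list used here is constructed, not the Darkside sample's; imports_from_pe() assumes a pefile.PE object, and the example skips pefile's ordinal-to-name lookup for ws2_32 and oleaut32.

```python
import hashlib

# Extensions pefile strips from the DLL name before hashing.
_STRIPPED_EXTENSIONS = ("ocx", "sys", "dll")


def normalize_import(dll, func):
    """Return one 'dll.func' token in imphash form.

    dll  - module name as found in the import table, e.g. 'KERNEL32.dll'
    func - function name (str), or the ordinal (int) for imports by ordinal
    """
    libname = dll.lower()
    parts = libname.rsplit(".", 1)
    if len(parts) > 1 and parts[1] in _STRIPPED_EXTENSIONS:
        libname = parts[0]
    if isinstance(func, int):
        # Simplification: pefile first maps ws2_32/oleaut32 ordinals back to
        # names; this example always uses the generic ordN form.
        funcname = "ord%d" % func
    else:
        funcname = func.lower()
    return "%s.%s" % (libname, funcname)


def imphash_string(imports):
    """Comma-joined, order-preserving token list: the exact MD5 input."""
    return ",".join(normalize_import(dll, func) for dll, func in imports)


def imphash(imports):
    """MD5 of the normalized import string (matches get_imphash() for imports by name)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def imports_from_pe(pe):
    """Walk a pefile.PE object's import directory into (dll, func) pairs."""
    imports = []
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode("ascii", "ignore")
        for imp in entry.imports:
            # imp.name is None for imports by ordinal
            func = imp.ordinal if imp.name is None else imp.name.decode("ascii", "ignore")
            imports.append((dll, func))
    return imports


# Constructed sample import table (not taken from the Darkside sample).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("USER32.dll", "MessageBoxA"),
    ("mfc42.dll", 1234),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

To check the implementation against pefile on a real file, compare imphash(imports_from_pe(pe)) with pe.get_imphash() for a sample that imports only by name.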