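// Yara rule for detecting SeroXen obfuscated batch files.
rule SeroXen_BatCloak_Engine_A
{
    meta:
        author      = "Peter Girnus (Zero Day Initiative)"
        url         = "https://www.trendmicro.com/"
        license     = "MIT"
        // 64 hex digits is a SHA-256 digest (SHA-1 is 40); the original
        // meta key was mislabelled "sha1sum", which misleads anyone trying
        // to look the sample up by hash type.
        sha256      = "f3efddae3a05e0ee4a0fb3232fda113676eef43c5fcab1b223e7ece392cce95e"
        description = "This YARA rule detects BatCloak obfuscated SeroXen batch files."

    strings:
        // Plain "@echo off" header. cmd.exe is case-insensitive, so
        // "@ECHO OFF" is the same program; the $eobf* strings already use
        // nocase, and without it here the rule is bypassed by simply
        // changing the case of the first line.
        // NOTE: "at 0" still requires this to be the very first bytes of the
        // file, so a UTF-8 BOM, leading whitespace or a blank first line
        // defeats the match.
        $eoff = "@echo off" nocase

        // Obfuscated echo off: part of the keyword is hidden behind an
        // environment-variable expansion, e.g. %abcd%o of" or %abcd%@ech".
        $eobf1 = /%[a-zA-Z]+%o\s+of["']/ nocase
        $eobf2 = /%[a-zA-Z]+%@ech["']/ nocase

        // Four-letter variable expansion immediately followed by a double
        // quote (%abcd%"); the condition counts occurrences, not presence.
        $var = /%[a-zA-Z]{4}%"/

        // Eight or more back-to-back variable expansions (%ab%%cd%%ef%...).
        $cvars = /(%[a-zA-Z]+%){8,}/

    condition:
        // The former "not $pe at 0" (with $pe = "MZ") was redundant: the
        // header check already pins offset 0 to "@echo off", so "MZ" can
        // never be there. Dropping it also removes a two-byte atom that
        // YARA typically warns about as slowing down scanning.
        $eoff at 0
        and all of ($eobf*)
        and #var > 128
        and #cvars > 2
}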