valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 10:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: FPs with kernel32.dll

Browse Source
This commit is contained in:
Florian Roth 2020-10-06 14:56:35 +02:00
parent 7a1cda01ba
commit 10d608c738
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
yara/gen_anomalies_keyword_combos.yar
View File

@ -15,8 +15,12 @@ rule SUSP_NullSoftInst_Combo_Oct20_1 {
$b1 = "Microsoft Corporation" wide fullword $b1 = "Microsoft Corporation" wide fullword
$b2 = "Apache Software Foundation" ascii wide fullword $b2 = "Apache Software Foundation" ascii wide fullword
$b3 = "Simon Tatham" wide fullword $b3 = "Simon Tatham" wide fullword
$fp1 = "nsisinstall" fullword ascii
$fp2 = "\\REGISTRY\\MACHINE\\Software\\" wide
condition: condition:
uint16(0) == 0x5a4d and uint16(0) == 0x5a4d and
filesize < 2000KB and filesize < 2000KB and
$a1 and 1 of ($b*) $a1 and 1 of ($b*) and
not 1 of ($fp*)
} }