valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Adjusted Nanocore Rule

Browse Source 
- false positives with certain IRC DLL
This commit is contained in:
Florian Roth 2016-04-22 17:43:58 +02:00
parent 83d080688e
commit be8609a15c
1 changed files with 0 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
yara/apt_nanocore_rat.yar
View File

@ -23,7 +23,6 @@ rule Nanocore_RAT_Gen_1 {
$x5 = "$374e0775-e893-4e72-806c-a8d880a49ae7" fullword ascii /* score: '7.00' */ $x5 = "$374e0775-e893-4e72-806c-a8d880a49ae7" fullword ascii /* score: '7.00' */
$x6 = "remove_Pong" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.51' (binarly: 5.51) */ $x6 = "remove_Pong" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.51' (binarly: 5.51) */
$x7 = "Monitorinjection" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.67' (binarly: -3.33) */ $x7 = "Monitorinjection" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.67' (binarly: -3.33) */
$x8 = "PongEventHandler" fullword ascii /* PEStudio Blacklist: strings */ /* score: '11.44' (binarly: 1.44) */
condition: condition:
( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of them ) ) or ( all of them ) ( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of them ) ) or ( all of them )
} }