From ccb8a6488a4726fd2642d8e7cd2cc9129443cead Mon Sep 17 00:00:00 2001
From: shu-tom <8147599+shu-tom@users.noreply.github.com>
Date: Mon, 16 Aug 2021 11:48:16 +0900
Subject: [PATCH] Fixed FP for Emotet yara rule #17

---
 utils/emotetscan.py | 5 ++---
 yara/rule.yara | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/utils/emotetscan.py b/utils/emotetscan.py
index cc58a7d..2e479c0 100644
--- a/utils/emotetscan.py
+++ b/utils/emotetscan.py
@@ -36,12 +36,11 @@ strings: \
     $v4a = { BB 00 C3 4C 84 } \
     $v4b = { B8 00 C3 CC 84 } \
-    $v5a = { 69 01 6D 4E C6 41 05 39 30 00 00} \
-    $v5b = { 6D 4E C6 41 33 D2 81 C1 39 30 00 00 } \
+    $v5a = { 6D 4E C6 41 33 D2 81 C1 39 30 00 00 } \
     $v6a = { C7 40 20 ?? ?? ?? 00 C7 40 10 ?? ?? ?? 00 C7 40 0C 00 00 00 00 83 3C CD ?? ?? ?? ?? 00 74 0E 41 89 48 ?? 83 3C CD ?? ?? ?? ?? 00 75 F2 } \
     $v7a = { 6A 06 33 D2 ?? F7 ?? 8B DA 43 74 } \
     $v7b = { 83 E6 0F 8B CF 83 C6 04 50 8B D6 E8 ?? ?? ?? ?? 59 6A 2F 8D 3C 77 58 66 89 07 83 C7 02 4B 75 } \
-    condition: all of ($v4*) or $v5a or $v5b or $v6a or all of ($v7*)}'
+    condition: all of ($v4*) or $v5a or $v6a or all of ($v7*)}'
 }
 
 # MZ Header
diff --git a/yara/rule.yara b/yara/rule.yara
index b2e54ab..97ac4c5 100644
--- a/yara/rule.yara
+++ b/yara/rule.yara
@@ -167,13 +167,12 @@ rule Emotet {
     strings:
         $v4a = { BB 00 C3 4C 84 }
         $v4b = { B8 00 C3 CC 84 }
-        $v5a = { 69 01 6D 4E C6 41 05 39 30 00 00 }
-        $v5b = { 6D 4E C6 41 33 D2 81 C1 39 30 00 00 }
+        $v5a = { 6D 4E C6 41 33 D2 81 C1 39 30 00 00 }
         $v6a = { C7 40 20 ?? ?? ?? 00 C7 40 10 ?? ?? ?? 00 C7 40 0C 00 00 00 00 83 3C CD ?? ?? ?? ?? 00 74 0E 41 89 48 ?? 83 3C CD ?? ?? ?? ?? 00 75 F2 }
         $v7a = { 6A 06 33 D2 ?? F7 ?? 8B DA 43 74 }
         $v7b = { 83 E6 0F 8B CF 83 C6 04 50 8B D6 E8 ?? ?? ?? ?? 59 6A 2F 8D 3C 77 58 66 89 07 83 C7 02 4B 75 }
-        condition: all of ($v4*) or $v5a or $v5b or $v6a or all of ($v7*)
+        condition: all of ($v4*) or $v5a or $v6a or all of ($v7*)
 }
 
 rule SmokeLoader {
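Review bot: The surviving `$v5a` (`6D 4E C6 41 33 D2 81 C1 39 30 00 00`) carries the same two immediates as the pattern being dropped, 0x41C64E6D and 0x3039, which are the multiplier and increment of the classic ANSI C rand() LCG, so it is exposed to the same false-positive source (any sample that statically links a CRT) and the new condition still lets a lone `$v5a` hit fire the whole rule. Consider requiring corroboration before that string counts, e.g. `condition: all of ($v4*) or ($v5a and 1 of ($v4*, $v6a)) or $v6a or all of ($v7*)`, and adding a one-line comment next to `$v5a` recording why the imul/add form was removed so the next FP report does not reintroduce it. The identical change is made in the `yara/rule.yara` hunk, which is the same rule hand-copied into a Python string in `utils/emotetscan.py`; loading the rule text from `yara/rule.yara` at runtime would remove the need to keep the two copies in step. Both the enclosing Python string literal and the `rule Emotet` block begin outside their hunks.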