Skip to content

Commit

Permalink
SmokeLoader detection update
Browse files Browse the repository at this point in the history
  • Loading branch information
@kevoreilly
kevoreilly committed Nov 12, 2024
1 parent 46db06a commit ec45b26
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions data/yara/CAPE/SmokeLoader.yar
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,8 @@ rule SmokeLoader
strings:
$rc4_decrypt64 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75}
$rc4_decrypt32 = {47 B9 FF 00 00 00 23 F9 8A 54 [2] 0F B6 C2 03 F0 23 F1 8A 44 [2] 88 44 [2] 88 54 [2] 0F B6 4C [2] 0F B6 C2 03 C8 81 E1 FF 00 00 00 8A 44 [2] 30 04 2B 43 3B 9C 24 [4] 72 C0}
$fetch_c2_64 = {84 ?? 74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 FF C? 75 F0}
$fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 FF C? 75 F0 [6-10] 48 8D 05}
$fetch_c2_32 = {8B 96 [2] (00|01) 00 8B CE 5E 8B 14 95 [4] E9}
condition:
2 of them
2 of them
}

0 comments on commit ec45b26

Please sign in to comment.