From ec45b2611f46eb834f59338a8dc3c295b05dea7f Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Tue, 12 Nov 2024 15:03:36 +0000
Subject: [PATCH] SmokeLoader detection update

---
 data/yara/CAPE/SmokeLoader.yar | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/yara/CAPE/SmokeLoader.yar b/data/yara/CAPE/SmokeLoader.yar
index 46b2a12f721..988425e5421 100644
--- a/data/yara/CAPE/SmokeLoader.yar
+++ b/data/yara/CAPE/SmokeLoader.yar
@@ -7,8 +7,8 @@ rule SmokeLoader
 strings:
 $rc4_decrypt64 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75}
 $rc4_decrypt32 = {47 B9 FF 00 00 00 23 F9 8A 54 [2] 0F B6 C2 03 F0 23 F1 8A 44 [2] 88 44 [2] 88 54 [2] 0F B6 4C [2] 0F B6 C2 03 C8 81 E1 FF 00 00 00 8A 44 [2] 30 04 2B 43 3B 9C 24 [4] 72 C0}
- $fetch_c2_64 = {84 ?? 74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 FF C? 75 F0}
+ $fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 FF C? 75 F0 [6-10] 48 8D 05}
 $fetch_c2_32 = {8B 96 [2] (00|01) 00 8B CE 5E 8B 14 95 [4] E9}
 condition:
- 2 of them
+ 2 of them
 }
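Review bot: The rewritten `$fetch_c2_64` drops the leading `84 ??` test and instead anchors on the trailing `[6-10] 48 8D 05`, but neither the rule nor the commit message records which SmokeLoader variant the old pattern missed, so whoever retunes it next has no reference point. Add a one-line comment above the string, e.g. `// x64 C2 fetch retry loop (mov r32,0x3E8 / mov ecx,0x258 / call / inc|dec r64 / jnz, then lea rax,[rip+disp32]); retuned <DATE-PLACEHOLDER> for sample <SHA256-PLACEHOLDER>`, so the immediates and the new lea anchor are documented where the bytes live. The removed and added `2 of them` lines are textually identical in this view, which suggests a whitespace-only change; either note that in the description or leave it out of a detection update so the diff stays focused. The rule header and any `meta:` section start above the hunk, so a date or version field there may also need updating.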