Skip to content

R
rules
Commit 2d10ec78 by mmorenog
Options

Update LimaDelta.yara

parent bba6b142
Showing with 1 additions and 15 deletions
malware/Operation_Blockbuster/LimaDelta.yara
...@@ -39,21 +39,7 @@ rule LimaDelta ...@@ -39,21 +39,7 @@ rule LimaDelta
83 C3 46 add ebx, 46h 83 C3 46 add ebx, 46h
*/ */
$authenicateBufferGen = { $authenicateBufferGen = {BB 01 74 ?? FF 15 [4] 99 B? 32 00 00 00 F7 ?? 8B ?? 8D [3] 5? 5? E8 [4] 83 C4 08 83 ?? 46}
BB 01
74 ??
FF 15 [4]
99
B? 32 00 00 00
F7 ??
8B ??
8D [3]
5?
5?
E8 [4]
83 C4 08
83 ?? 46
}
condition: condition:
$authenicateBufferGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) $authenicateBufferGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment