Update HotelAlfa.yara

3ec9332b · mmorenog · bf797b97 · 3ec9332b
Commit 3ec9332b authored Feb 25, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 1 additions and 9 deletions

HotelAlfa.yara malware/Operation_Blockbuster/HotelAlfa.yara +1 -9

No files found.
--- a/malware/Operation_Blockbuster/HotelAlfa.yara
+++ b/malware/Operation_Blockbuster/HotelAlfa.yara
@@ -20,15 +20,7 @@ rule HotelAlfa
 		72 EF     jb      short loc_4010B4
 	*/
-	$rscsDecoderLoop = {
+	$rscsDecoderLoop = {8A [2] 80 F1 ?? 88 [2] 8B [2] 40 3B ?? 72 EF}
-			8A [2] 
-			80 F1 ?? 
-			88 [2] 
-			8B [2] 
-			40 
-			3B ??
-			72 EF 
-		}
 	condition:
 		$resourceHTML and $rscsDecoderLoop in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))