Update and rename RomeoFoxtrot.yara.error to RomeoFoxtrot_mod.yara

malware/Operation_Blockbuster/RomeoFoxtrot.yara.error → malware/Operation_Blockbuster/RomeoFoxtrot_mod.yara

+// This rule has been modified by @mmorenog @yarules to fix some errors
+
 import "pe"
 
 
@@ -45,7 +47,8 @@ rule RomeoFoxtrot
 		FF D7                    call    edi ; setsockopt								<--- this could be a relative call in some variants
 	*/
 
-		$connect = {C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] (FF 15 [4] | E8 [4]) 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 (FF 15 [4] | E8 [4]) 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? (FF D? | E8 [4]) 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? (FF D? | E8 [4])}
+		//$connect = {C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] (FF 15 [4] | E8 [4]) 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 (FF 15 [4] | E8 [4]) 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? (FF D? | E8 [4]) 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? (FF D? | E8 [4])}
+		$connect = {C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] FF 15 [4] 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 FF 15 E8 [4] 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? FF D? 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? FF D?}
 		$response = "RESPONSE 200 OK!!!"
 
 	condition: