Merge pull request #294 from Xyl2k/patch-2

Update MALW_AZORULT.yar

malware/MALW_AZORULT.yar

 /*
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
 */
- 
-rule Windows_Malware_Azorult : Azorult_V2
+
+import "cuckoo"
+rule Windows_Malware : Azorult_V2
     {
             meta:
                     author = "Xylitol xylitol@temari.fr"
                     date = "2017-09-30"
                     description = "Match first two bytes, strings, and parts of routines present in Azorult"
-                    reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819"
+                    reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819&p=30867"
                     // May only the challenge guide you
             strings:
                     $mz = {4D 5A}
@@ -19,5 +20,5 @@ rule Windows_Malware_Azorult : Azorult_V2
                     $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
                     $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function
             condition:
-                    ($mz at 0 and all of ($string*) and ($constant1 or $constant2))
+                    ($mz at 0 and all of ($string*) and ($constant1 or $constant2) or cuckoo.sync.mutex(/Ad48qw4d6wq84d56as|Adkhvhhydhasdasashbc/))
     }