Fix false mis-detection

CAPESandbox · Dec 30, 2023 · e131a12 · e131a12
1 parent b35d60d
commit e131a12
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 16 deletions.
diff --git a/data/yara/CAPE/MetaStealer.yar b/data/yara/CAPE/MetaStealer.yar
@@ -0,0 +1,25 @@
+rule MetaStealer {
+    meta:
+        author = "ditekSHen"
+        description = "Detects MetaStealer infostealer"
+        cape_type = "MetaStealer Payload"
+    strings:
+        $s1 = "! #\"'&(&*)>=@?POQOROSOTOUOVOWOXOYOZO[O^]{z|z}z~z" fullword wide
+        $s2 = "{0}{1}{2}" fullword wide
+        $s3 = "localhost" fullword wide
+        $s4 = "\\tdata" fullword wide
+        $s5 = "DecryptBlob" fullword ascii
+        $s6 = "GetMac" fullword ascii
+        $s7 = "GetHdc" fullword ascii
+        $s8 = "FindProc" fullword ascii
+        $s9 = "targetPid" fullword ascii
+        $s10 = "MessageSecurityOverTcp" fullword ascii
+        $s11 = "ListOfProcesses" fullword ascii
+        $s12 = "ListOfPrograms" fullword ascii
+        $s13 = "browserPaths" fullword ascii
+        $s14 = "configs" fullword ascii
+        $s15 = "scanners" fullword ascii
+        $s16 = "FileScannerRule" fullword ascii
+    condition:
+        uint16(0) == 0x5a4d and 7 of ($s*)
+}
diff --git a/data/yara/CAPE/RedLine.yar b/data/yara/CAPE/RedLine.yar
@@ -134,21 +134,6 @@ rule RedLine {
         $v6_4 = "AppData\\Roaming\\ //settString.Replaceing[@name=\\UString.Replacesername\\]/vaString.Replaceluemoz_cookies" wide
         $v6_5 = "<GetWindowsVersion>g__HKLM_GetString|11_0" fullword ascii
         $v6_6 = "net.tcp://" fullword wide
-        // variant
-        $v7_1 = "! #\"'&(&*)>=@?POQOROSOTOUOVOWOXOYOZO[O^]{z|z}z~z" fullword wide
-        $v7_2 = "{0}{1}{2}" fullword wide
-        $v7_3 = "localhost" fullword wide
-        $v7_4 = "\\tdata" fullword wide
-        $v7_5 = "DecryptBlob" fullword ascii
-        $v7_6 = "GetMac" fullword ascii
-        $v7_7 = "GetHdc" fullword ascii
-        $v7_8 = "FindProc" fullword ascii
-        $v7_9 = "targetPid" fullword ascii
-        $v7_10 = "MessageSecurityOverTcp" fullword ascii
-        $v7_11 = "ListOfProcesses" fullword ascii
-        $v7_12 = "ListOfPrograms" fullword ascii
-        $v7_13 = "browserPaths" fullword ascii
-        $v7_14 = "configs" fullword ascii
     condition:
-        (uint16(0) == 0x5a4d and (all of ($s*) or 2 of ($x*) or 7 of ($u*) or 7 of ($pat*) or (1 of ($x*) and (5 of ($u*) or 2 of ($pat*))) or 5 of ($v2*) or 4 of ($v3*) or (3 of ($v2*) and (2 of ($pat*) or 2 of ($u*)) or (1 of ($vx4*) and 5 of ($v4*)) or 5 of ($v4*) or 6 of ($v5*)) or 5 of ($v6*) or (4 of ($v6*) and 3 of them ) or (7 of ($v7*)))) or ((all of ($x*) and 4 of ($s*)) or (4 of ($v6*) and 4 of them))
+        (uint16(0) == 0x5a4d and (all of ($s*) or 2 of ($x*) or 7 of ($u*) or 7 of ($pat*) or (1 of ($x*) and (5 of ($u*) or 2 of ($pat*))) or 5 of ($v2*) or 4 of ($v3*) or (3 of ($v2*) and (2 of ($pat*) or 2 of ($u*)) or (1 of ($vx4*) and 5 of ($v4*)) or 5 of ($v4*) or 6 of ($v5*)) or 5 of ($v6*) or (4 of ($v6*) and 3 of them ))) or ((all of ($x*) and 4 of ($s*)) or (4 of ($v6*) and 4 of them))
 }