More Formbook tweaks
kevoreilly committed Mar 20, 2024
1 parent 2f3b267 commit 7b76419
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions analyzer/windows/data/yara/Formbook.yar
Expand Up @@ -49,7 +49,7 @@ rule Formhelper
cape_options = "clear,bp2=$config,action2=scan,count=0"
packed = "0270016f451f9ba630f2ea4e2ea006fb89356627835b560bb2f4551a735ba0e1"
strings:
$config = {40 55 53 56 57 41 54 41 55 41 56 41 57 48 8D AC 24 [4] 48 81 EC [2] 00 00 45 33 F6 33 C0 4C 8B E9 4C 89}
$config = {40 55 53 56 57 41 54 41 55 41 56 41 57 48 8D AC 24 [4] 48 81 EC [2] 00 00 45 33 ?? 33 C0 4C 8B E9 4C 89}
$decode = {66 66 66 66 0F 1F 84 00 00 00 00 00 0F B6 41 01 48 FF C9 28 41 01 49 FF C9}
condition:
all of them
Expand Down Expand Up @@ -78,8 +78,8 @@ rule FormconfC
cape_options = "clear,bp0=$c2,hc0=1,action0=string:rcx+1,bp1=$decoy,action1=string:rcx+1,count=0,typestring=Formbook Config"
packed = "0270016f451f9ba630f2ea4e2ea006fb89356627835b560bb2f4551a735ba0e1"
strings:
$c2 = {49 8D 95 [2] 00 00 49 8D 8D [2] 00 00 41 B8 07 00 00 00 E8 [4] 49 8B CD 45 88 B5 [2] 00 00 E8 [4] 33 C0}
$decoy = {45 3B B5 [2] 00 00 [0-7] 44 8D 1C 33 48 8D 7D [1-5] 42 C6 44 [2] 00 [0-4] 48 8B CF E8}
$c2 = {49 8D 95 [2] 00 00 49 8D 8D [2] 00 00 41 B8 07 00 00 00 E8 [4] 49 8B CD 45 88 [3] 00 00 E8 [4] 33 C0}
$decoy = {48 8B CF E8 [4] 48 8B D7 44 8B C0 49 8B 85 [4] 49 8D 8C 04 [2] 00 00 E8 [4] 48 8B CF E8}
condition:
all of them
}
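Review bot: The rewritten `$decoy` in FormconfC now begins at `48 8B CF E8` (mov rcx, rdi; call), which was the tail of the old pattern, while `cape_options` on the unchanged line above still uses `bp1=$decoy,action1=string:rcx+1`; if the breakpoint is placed on the first byte of the match, the string action reads rcx before the mov executes, so it is worth confirming against a sample that rcx still points at the decoy buffer at the new anchor rather than relying on the old one. In the Formhelper hunk `45 33 F6` → `45 33 ??` and in FormconfC `45 88 B5 [2]` → `45 88 [3]` widen the ModRM byte to any register form; that is plausible for a build-to-build register-allocation difference, but it loosens both signatures and the `packed` meta in each rule still lists only the original sample, so the variant that motivated the loosening is not recorded. A one-line comment above each wildcarded string, e.g. `// register wildcarded: differs between builds`, and an additional meta entry carrying the new sample's hash (e.g. `packed2 = "<sha256 of the variant sample>"`, name constructed) would document the intent for the next reviser.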
