Malshare / MalShare

http://www.malshare.com

Search yara hits other than YRP #69

Open rimuru1066 opened 2 years ago

rimuru1066 commented 2 years ago

It seems that every yara search for yrp/* works, but not for any other.

Example hash: 6d14bb5ee2d7b2ecb28530324e7452a48476c79f7ded0a5727035d74744e5772

It has a CuckooSandbox/shellcode tag in the Yara hits, but the search returns nothing.

silascutler commented 2 years ago

Had this exact same issue earlier this week. Thanks for the spot.

Squiblydoo commented 1 month ago

This is to note that the problem seems to still exist. I was able to reproduce it by looking for any rule using the following sets. Or even putting "[rulename]/*". Each of the following returns with No results.

    "CuckooSandbox/*"
    "FlorianRoth/*"
    "KevTheHermit/*"
    "BAMFDetect/*"

Using "YRP/*" returns a message that says "YARA rule with this name could not be found", which is probably the correct and expected behavior. This suggests to me that the check for the existence of the YARA rules themselves for the other repositories is not working as expected.