Open Babyhamsta opened 10 months ago
You might want to experiment with -w superrule-overlap
I tried with -w 1, I just thought it was weird that they didn't group more. If I did some checking by hand with IDA and some plugins I bet I could find some matching opcodes/strings between them all.
I did notice it generated a super rule and it worked okay but wasn't super consistent for new samples or varied samples. It may be that I didn't have enough data but I used 35 samples.
Did you check if some of the samples don't fit the group because they're a totally different version, architecture, ...?
Maybe try with 10 that are about the same size or have the same imphash?
I guess they could be packed differently. I know some were C# while others were single run C++ programs.
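The suggestion above is to keep only samples that actually resemble each other (same size class, same imphash, same language) and then require a string to appear in a chosen fraction of the group before it goes into a shared rule, which is what an overlap threshold expresses. The following Python is an added illustration of that overlap idea written for this thread; it is not yarGen's own super-rule code and does not reproduce its scoring. The sample byte blobs, the goodware blob, the rule name and the function names are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed stand-ins for PE samples of one family: plain byte blobs with a few
# printable strings separated by NULs. Not real malware, just test data.
FAMILY_SAMPLES = {
    "sample_a.exe": b"MZ\x00\x00GetProcAddress\x00LoadLibraryA\x00Stealer_Config\x00/gate/report.php\x00user_agent=Mozilla\x00",
    "sample_b.exe": b"MZ\x00\x00GetProcAddress\x00LoadLibraryA\x00Stealer_Config\x00/gate/report.php\x00build_id=0x13\x00",
    "sample_c.exe": b"MZ\x00\x00GetProcAddress\x00LoadLibraryA\x00Stealer_Config\x00/gate/upload.php\x00",
}

# Constructed "goodware" blob: any string seen here is too generic to keep in a rule.
GOODWARE_SAMPLES = {
    "benign_tool.exe": b"MZ\x00\x00GetProcAddress\x00LoadLibraryA\x00Hello World\x00",
}


def extract_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like a simple `strings` pass."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.decode("ascii") for m in pattern.findall(data)}


def shared_strings(samples, overlap, goodware=None, min_len=6):
    """Return [(string, sample_count)] for strings present in at least `overlap`
    (a fraction in (0, 1]) of the samples, minus anything also seen in goodware.
    overlap=1.0 means the string must be in every sample; lower values tolerate
    variants that dropped or renamed a string."""
    if not 0 < overlap <= 1:
        raise ValueError("overlap must be in (0, 1]")
    counts = Counter()
    for data in samples.values():
        counts.update(extract_strings(data, min_len))
    noise = set()
    for data in (goodware or {}).values():
        noise |= extract_strings(data, min_len)
    threshold = math.ceil(overlap * len(samples))
    keep = [(s, n) for s, n in counts.items() if n >= threshold and s not in noise]
    # Most widely shared first, then alphabetical, so output is deterministic.
    return sorted(keep, key=lambda sn: (-sn[1], sn[0]))


def yara_escape(s):
    """Escape backslashes and quotes so the string is valid inside a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name, shared, required=None):
    """Emit one YARA rule covering the whole group. `required` is how many of the
    shared strings must match; None means all of them."""
    if not shared:
        raise ValueError("no shared strings; lower overlap or re-check the grouping")
    lines = ["rule %s" % name, "{", "    strings:"]
    for i, (s, n) in enumerate(shared):
        lines.append('        $s%d = "%s" ascii  // seen in %d samples' % (i, yara_escape(s), n))
    cond = "all of them" if required is None else "%d of ($s*)" % required
    lines += ["    condition:", "        uint16(0) == 0x5A4D and %s" % cond, "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # 0.6 of three samples rounds up to two, so a string carried by two of the
    # three variants still qualifies; the import names drop out via the goodware set.
    shared = shared_strings(FAMILY_SAMPLES, overlap=0.6, goodware=GOODWARE_SAMPLES)
    print(build_rule("family_shared_strings", shared, required=1))
```

Two things the thread's numbers make visible here: with only a handful of samples a lower overlap keeps strings that a single odd variant would otherwise knock out, and the goodware filter is what removes API names like GetProcAddress that every sample shares but that identify nothing. A C# sample mixed into a C++ group contributes almost no common strings, so it drags the threshold up for everyone else; that is the reason to split by language or imphash before computing the overlap.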
I noticed when I scanned 14 EXEs, all of the same malware family, it output a rule for each EXE and none of the detections were that similar. Is there a way to create an overall rule based on the matching opcodes/strings between the large number of EXEs so the full malware family is detected instead of having specific rules for each EXE?
This may just be my ignorance on using the script. It seems inefficient not to do a single rule for the malware family. Both of these EXEs are part of the RaccoonStealer family.
Example from two of the generated rules: