bartblaze / Yara-rules

Collection of private Yara rules.
MIT License

Inaccurate rule for PureCrypter #16

Closed cod3nym closed 6 months ago

cod3nym commented 6 months ago

https://github.com/bartblaze/Yara-rules/blob/master/rules/crimeware/PureCrypter.yar

This rule is inaccurate: the strings used for detection are generic artifacts of the commercial .NET Reactor obfuscator.

The image below shows a quick search with 2 of the strings from your rule, which results in a number of random malware and legitimate apps obfuscated with .NET Reactor. The rule does not detect the targeted malware but binaries obfuscated with .NET Reactor.

[image attachment: search results for two of the rule's strings]

For more info about .NET Reactor detection check https://unprotect.it/technique/net-reactor/

bartblaze commented 6 months ago

Hi @cod3nym! Thanks for the report, can you share one of the files that have the FP?

cod3nym commented 6 months ago

Here are a few false positives:

9049b8ebbffcef5967628141b5cb5939560b8e6124e1364c304086e870f41fb9
8d8f8266e5cd6561059dade4dbe7d658109286ed6f0222e2c5e8737ed05d6c08
4efac3e1145cf849d7bbf5d8e362ac7a5d008b9b746684178a304f025375d97a
e85a16b6bdae66ad119bc161d3df8a0b7d4a9d6935eecbffab1847a76e7d93f7

matching on these strings:

$s1 = "{11111-22222-20001-00001}" ascii wide fullword
$s2 = "{11111-22222-20001-00002}" ascii wide fullword

As previously explained, the strings are artifacts from .NET Reactor; you can also verify this by obfuscating an executable yourself.
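The point raised above (a rule whose only strings are obfuscator artifacts fires on everything that obfuscator touched) is easy to measure before a rule ships. The following is an added example, not code from this thread or from the Yara-rules repository: a dependency-free Python harness that approximates YARA's `ascii wide fullword` matching for the two strings quoted in the issue and tallies, per string, which labelled samples each one hits. The corpus is constructed in the script (the labels, byte blobs and the assumed `any of them` condition are all stand-ins, not the real samples from the hashes above); the boundary check is a simplification of YARA's and is not yara-python.

```python
# Added example (not from the bartblaze/Yara-rules repo): measure, per string,
# how often a rule's strings hit samples that are NOT the targeted family.
# YARA "ascii wide fullword" semantics are approximated here, not imported.

ALNUM = set(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

# The two strings from the issue; the rule condition is assumed to be "any of them".
RULE_STRINGS = {
    "$s1": "{11111-22222-20001-00001}",
    "$s2": "{11111-22222-20001-00002}",
}


def _bounded(data: bytes, start: int, end: int, width: int) -> bool:
    """Fullword check in the YARA sense: the character just before and just
    after the match must not be alphanumeric. For wide strings a character is
    a byte followed by 0x00, so look one code unit (width bytes) away."""
    if start - width >= 0:
        prev = data[start - width:start]
        if prev[0] in ALNUM and (width == 1 or prev[1] == 0):
            return False
    if end + width <= len(data):
        nxt = data[end:end + width]
        if nxt[0] in ALNUM and (width == 1 or nxt[1] == 0):
            return False
    return True


def find_fullword(data: bytes, text: str) -> list:
    """Return (offset, encoding) for every ascii or wide (UTF-16LE) fullword hit."""
    hits = []
    for encoding, needle, width in (("ascii", text.encode("ascii"), 1),
                                    ("wide", text.encode("utf-16-le"), 2)):
        pos = data.find(needle)
        while pos != -1:
            if _bounded(data, pos, pos + len(needle), width):
                hits.append((pos, encoding))
            pos = data.find(needle, pos + 1)
    return hits


def rule_matches(data: bytes, strings=RULE_STRINGS) -> bool:
    """Condition "any of them": the rule fires if any string hits."""
    return any(find_fullword(data, s) for s in strings.values())


def hits_by_label(corpus, strings=RULE_STRINGS) -> dict:
    """corpus: iterable of (label, bytes). Returns {string_id: {label: samples_hit}}."""
    table = {sid: {} for sid in strings}
    for label, blob in corpus:
        for sid, text in strings.items():
            if find_fullword(blob, text):
                table[sid][label] = table[sid].get(label, 0) + 1
    return table


def nondiscriminating(corpus, benign_labels, strings=RULE_STRINGS) -> list:
    """String ids that hit at least one sample whose label is in benign_labels.
    Such a string cannot carry the rule on its own."""
    table = hits_by_label(corpus, strings)
    return sorted(sid for sid, row in table.items()
                  if any(lbl in benign_labels for lbl in row))


# Constructed stand-ins, NOT real samples. .NET user strings are stored UTF-16LE
# in the #US heap, so the obfuscator artifact is embedded wide in two of them.
ARTIFACT_1 = "{11111-22222-20001-00001}"
ARTIFACT_2 = "{11111-22222-20001-00002}"
PE_STUB = b"MZ\x90\x00" + b"\x00" * 8
CORPUS = [
    ("target_family", PE_STUB + ARTIFACT_1.encode("utf-16-le") + b"\x00payload\x00"),
    ("reactor_goodware", PE_STUB + ARTIFACT_1.encode("utf-16-le") + b"\x00calc\x00"),
    ("reactor_other_malware", PE_STUB + ARTIFACT_2.encode("ascii") + b"\x00"),
    ("not_fullword", b"MZ\x90\x00x" + ARTIFACT_1.encode("ascii") + b"y"),  # alnum on both sides
    ("plain_dotnet", PE_STUB + b"System.Runtime\x00"),
]

if __name__ == "__main__":
    for label, blob in CORPUS:
        print(f"{label:24} matches={rule_matches(blob)}")
    print("strings hitting non-target samples:",
          nondiscriminating(CORPUS, {"reactor_goodware", "reactor_other_malware"}))
```

Run against a real corpus, the labels would come from a goodware set plus unrelated families; any string that lands in `nondiscriminating` is an obfuscator or runtime artifact and needs to be paired with family-specific content in the rule condition rather than used on its own.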

bartblaze commented 6 months ago

Solved now with a few commits, last one being 2df9502. Thanks again for your report / support!