Update Stealc.yar (#2674)

bartblaze · web-flow · commit 0cecf1e256c7 · 2025-08-21T08:29:49.000+02:00
diff --git a/data/yara/CAPE/Stealc.yar b/data/yara/CAPE/Stealc.yar
@@ -1,3 +1,4 @@
+import "pe"
 rule Stealc
 {
     meta:
@@ -9,7 +10,9 @@ rule Stealc
         $nugget1 = {68 04 01 00 00 6A 00 FF 15 [4] 50 FF 15}
         $nugget2 = {64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 8B 00 8B 40 18 89 45 FC}
     condition:
-        uint16(0) == 0x5A4D and any of them
+        uint16(0) == 0x5A4D 
+        and not (pe.imports("tier0.dll") or pe.imports("msdart.dll")) 
+        and any of them
 }
 
 rule StealcV2

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+import "pe"`
`1`	`2`	`rule Stealc`
`2`	`3`	`{`
`3`	`4`	`meta:`
`@@ -9,7 +10,9 @@ rule Stealc`
`9`	`10`	`$nugget1 = {68 04 01 00 00 6A 00 FF 15 [4] 50 FF 15}`
`10`	`11`	`$nugget2 = {64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 8B 00 8B 40 18 89 45 FC}`
`11`	`12`	`condition:`
`12`		`- uint16(0) == 0x5A4D and any of them`
	`13`	`+ uint16(0) == 0x5A4D`
	`14`	`+ and not (pe.imports("tier0.dll") or pe.imports("msdart.dll"))`
	`15`	`+ and any of them`
`13`	`16`	`}`
`14`	`17`
`15`	`18`	`rule StealcV2`