Merge pull request #2677 from kevoreilly/revert-2674-patch-2

kevoreilly · web-flow · commit 9f9ddfb786c4 · 2025-08-21T07:45:23.000+01:00
Revert "Update Stealc.yar"
diff --git a/data/yara/CAPE/Stealc.yar b/data/yara/CAPE/Stealc.yar
@@ -1,4 +1,3 @@
-import "pe"
 rule Stealc
 {
     meta:
@@ -10,9 +9,7 @@ rule Stealc
         $nugget1 = {68 04 01 00 00 6A 00 FF 15 [4] 50 FF 15}
         $nugget2 = {64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 8B 00 8B 40 18 89 45 FC}
     condition:
-        uint16(0) == 0x5A4D 
-        and not (pe.imports("tier0.dll") or pe.imports("msdart.dll")) 
-        and any of them
+        uint16(0) == 0x5A4D and any of them
 }
 
 rule StealcV2

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`		`-import "pe"`
`2`	`1`	`rule Stealc`
`3`	`2`	`{`
`4`	`3`	`meta:`
`@@ -10,9 +9,7 @@ rule Stealc`
`10`	`9`	`$nugget1 = {68 04 01 00 00 6A 00 FF 15 [4] 50 FF 15}`
`11`	`10`	`$nugget2 = {64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 8B 00 8B 40 18 89 45 FC}`
`12`	`11`	`condition:`
`13`		`- uint16(0) == 0x5A4D`
`14`		`- and not (pe.imports("tier0.dll") or pe.imports("msdart.dll"))`
`15`		`- and any of them`
	`12`	`+ uint16(0) == 0x5A4D and any of them`
`16`	`13`	`}`
`17`	`14`
`18`	`15`	`rule StealcV2`