update nitrogenloader

enzok · enzok · commit fa4b09ab511b · 2025-07-28T07:50:24.000-04:00
diff --git a/data/yara/CAPE/NitrogenLoader.yar b/data/yara/CAPE/NitrogenLoader.yar
@@ -31,5 +31,5 @@ rule NitrogenLoader
         $rc4decrypt_1 = {48 89 ?? 4? 89 ?? E8 [4] 4? 8B ?? 24 [1-4] 4? 89 ?? 4? 89 ?? 4? 89 C1 [0-1] 89 ?? E8 [4] 4? 89}
         $rc4decrypt_2 = {E8 [4] 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 E8 [3] FF}
     condition:
-        (2 of ($string*) and any of ($syscall*)) or 4 of ($decrypt*) or (3 of ($taskman_*) or 3 of ($installers*) and all of ($rc4decrypt_*))
+        (2 of ($string*) and any of ($syscall*)) or 4 of ($decrypt*) or ((3 of ($taskman_*) or 3 of ($installers*)) and all of ($rc4decrypt_*))
 }

Original file line number	Diff line number	Diff line change
`@@ -31,5 +31,5 @@ rule NitrogenLoader`
`31`	`31`	`$rc4decrypt_1 = {48 89 ?? 4? 89 ?? E8 [4] 4? 8B ?? 24 [1-4] 4? 89 ?? 4? 89 ?? 4? 89 C1 [0-1] 89 ?? E8 [4] 4? 89}`
`32`	`32`	`$rc4decrypt_2 = {E8 [4] 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 E8 [3] FF}`
`33`	`33`	`condition:`
`34`		`- (2 of ($string) and any of ($syscall)) or 4 of ($decrypt) or (3 of ($taskman_) or 3 of ($installers) and all of ($rc4decrypt_))`
	`34`	`+ (2 of ($string) and any of ($syscall)) or 4 of ($decrypt) or ((3 of ($taskman_) or 3 of ($installers)) and all of ($rc4decrypt_))`
`35`	`35`	`}`