bartblaze / Yara-rules

Collection of private Yara rules.

Inaccurate rule for PureCrypter

cod3nym opened this issue · comments

https://github.com/bartblaze/Yara-rules/blob/master/rules/crimeware/PureCrypter.yar

This rule is inaccurate: the strings used for detection are generic artifacts of the commercial .NET Reactor obfuscator.

The image below shows a quick search with 2 of the strings from your rule, which results in a number of random malware and legitimate apps obfuscated with .NET Reactor. The rule does not detect the targeted malware but binaries obfuscated with .NET Reactor.

For more info about .NET Reactor detection check https://unprotect.it/technique/net-reactor/

Hi @cod3nym! Thanks for the report, can you share one of the files that have the FP?

Here are a few false positives

9049b8ebbffcef5967628141b5cb5939560b8e6124e1364c304086e870f41fb9
8d8f8266e5cd6561059dade4dbe7d658109286ed6f0222e2c5e8737ed05d6c08
4efac3e1145cf849d7bbf5d8e362ac7a5d008b9b746684178a304f025375d97a
e85a16b6bdae66ad119bc161d3df8a0b7d4a9d6935eecbffab1847a76e7d93f7

matching on these strings

$s1 = "{11111-22222-20001-00001}" ascii wide fullword
$s2 = "{11111-22222-20001-00002}" ascii wide fullword

As previously explained, the strings are artifacts from .NET Reactor; you can also verify this by obfuscating an executable yourself.

Solved now with a few commits, last one being 2df9502. Thanks again for your report / support!