Inaccurate rule for PureCrypter
cod3nym opened this issue · comments
https://github.com/bartblaze/Yara-rules/blob/master/rules/crimeware/PureCrypter.yar
This rule is inaccurate: the strings used for detection are generic artifacts of the commercial .NET Reactor obfuscator.
The image below shows a quick search with 2 of the strings from your rule, which results in a number of random malware and legitimate apps obfuscated with .NET Reactor. The rule does not detect the targeted malware but binaries obfuscated with .NET Reactor.
For more info about .NET Reactor detection, check https://unprotect.it/technique/net-reactor/
Hi @cod3nym! Thanks for the report; can you share one of the files that has the FP?
Here are a few false positives:
9049b8ebbffcef5967628141b5cb5939560b8e6124e1364c304086e870f41fb9
8d8f8266e5cd6561059dade4dbe7d658109286ed6f0222e2c5e8737ed05d6c08
4efac3e1145cf849d7bbf5d8e362ac7a5d008b9b746684178a304f025375d97a
e85a16b6bdae66ad119bc161d3df8a0b7d4a9d6935eecbffab1847a76e7d93f7
matching on these strings:
$s1 = "{11111-22222-20001-00001}" ascii wide fullword
$s2 = "{11111-22222-20001-00002}" ascii wide fullword
As previously explained, the strings are artifacts from .NET Reactor; you can also verify this by obfuscating an executable yourself.
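One way to run the check this thread describes before shipping a rule, as an added example that is not from the thread or the rule repository: approximate YARA's `ascii wide fullword` matching in Python and count, per string, how often it fires on samples of the target family versus everything else. The sample bytes and family labels are constructed stand-ins, not the real files behind the hashes above.

```python
import re
from typing import Dict, List
# Strings lifted from the reported rule; its YARA modifiers are `ascii wide fullword`.
CANDIDATES = {
    "$s1": "{11111-22222-20001-00001}",
    "$s2": "{11111-22222-20001-00002}",
}

def fullword_patterns(literal: str) -> List[re.Pattern]:
    """Approximate YARA `ascii wide fullword` with two byte regexes:
    no alphanumeric character directly before or after the match,
    where a character is two bytes wide in the UTF-16LE (wide) form."""
    alnum = rb"[A-Za-z0-9]"
    ascii_lit = re.escape(literal.encode("ascii"))
    wide_lit = re.escape(literal.encode("utf-16-le"))
    return [
        re.compile(rb"(?<!" + alnum + rb")" + ascii_lit + rb"(?!" + alnum + rb")"),
        re.compile(rb"(?<!" + alnum + rb"\x00)" + wide_lit + rb"(?!" + alnum + rb"\x00)"),
    ]
PATTERNS = {name: fullword_patterns(lit) for name, lit in CANDIDATES.items()}

def string_hits(data: bytes) -> Dict[str, bool]:
    """Which candidate strings fire on one file's bytes."""
    return {name: any(p.search(data) for p in pats) for name, pats in PATTERNS.items()}

def specificity_report(samples: Dict[str, dict], target: str) -> Dict[str, Dict[str, int]]:
    """Per string, count hits on samples of the target family vs. everything else.
    A string that fires on 'other' samples is an obfuscator artifact, not family-specific."""
    report = {name: {"target": 0, "other": 0} for name in CANDIDATES}
    for meta in samples.values():
        for name, hit in string_hits(meta["data"]).items():
            if hit:
                report[name]["target" if meta["family"] == target else "other"] += 1
    return report

def nonspecific_strings(report: Dict[str, Dict[str, int]]) -> List[str]:
    """Strings that must not carry a family rule on their own."""
    return sorted(name for name, c in report.items() if c["other"] > 0)
def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")
# Constructed stand-ins (not the real files behind the hashes in the thread):
# three .NET Reactor-style binaries carrying the markers, plus one clean binary.
SAMPLES = {
    "sample-target": {"family": "PureCrypter", "data": b"MZ\x90\x00" + _wide(CANDIDATES["$s1"]) + b"\x00\x00" + _wide(CANDIDATES["$s2"]) + b"\x00\x00"},
    "sample-legit": {"family": "LegitimateApp", "data": b"MZ\x90\x00" + CANDIDATES["$s1"].encode() + b"\x00" + CANDIDATES["$s2"].encode() + b"\x00"},
    "sample-other": {"family": "OtherMalware", "data": b"MZ\x90\x00" + _wide(CANDIDATES["$s1"]) + b"\x00\x00"},
    "sample-clean": {"family": "LegitimateApp", "data": b"MZ\x90\x00no obfuscator markers"},
}
```

Running `specificity_report(SAMPLES, "PureCrypter")` shows both strings firing on non-target samples, which is exactly the .NET Reactor artifact problem the issue reports.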