advanced-threat-research / yara-rules Goto Github PK

FYI:

/opt/yararules/Yara-Rules/ransomware/RANSOM_RobbinHood.yar(2): error: syntax error, unexpected identifier, expecting '{'
/opt/yararules/Yara-Rules/ransomware/RANSOM_SamSam.yar(50): error: undefined identifier "pe"
/opt/yararules/Yara-Rules/ransomware/RANSOM_SamSam.yar(98): error: undefined identifier "pe"
/opt/yararules/Yara-Rules/ransomware/RANSOM_acroware.yar(0): error: syntax error, unexpected end of file, expecting '}'
/opt/yararules/Yara-Rules/ransomware/RANSOM_GPGQwerty.yar(8): error: syntax error, unexpected ':', expecting '='
/opt/yararules/Yara-Rules/ransomware/RANSOM_Magniber.yar(3): error: non-ascii character
/opt/yararules/Yara-Rules/ransomware/RANSOM_Magniber.yar(3): error: syntax error, unexpected end of file, expecting <condition>

Hello,

I just spotted that you have two rulesets for the same family RANSOM_Darkside.yar and RANSOM_darkside.yar. However, this file naming causes issues on systems with case-insensitive file systems, such as Windows. As a results, your repository cannot be properly cloned, etc. Consider unifying these two in one ruleset.

Thank you

FYI:

/opt/yararules/Yara-Rules/mobile/MOBILE_pwndroid5_downloader.yar(1): error: unknown module "androguard"
/opt/yararules/Yara-Rules/mobile/MOBILE_pwndroid5_downloader.yar(16): error: invalid field name "activity"
/opt/yararules/Yara-Rules/mobile/MOBILE_pwndroid5_downloader.yar(55): error: invalid field name "activity"

On line 7 in the meta section, the field is using a colon as a separator instead of the required equal sign. Link to the line is below

Could you add UUID in the Yara-Rules ? I would like to import those in CyCAT and having a unique reference would help a lot.

The last several 64-bit Firefox install files are being flagged by this on VirusTotal.
Firefox Setup 81.0.exe
Firefox Setup 81.0.2.exe
and now Firefox Setup 82.0.exe

Have not checked 32-bit release files. All are available here: https://archive.mozilla.org/pub/firefox/releases/

I am a developer in the RINA Tech UK software team who authored a file which has been reported as "Gen:Variant.Lazy.398487" on virustotal.com by the Trellix (FireEye) engine, when 82% of anti-virus engines did not detect any issues. I believe the Trellix (FireEye) results to be a false positive.

I have uploaded it to a cloud storage service provided by my company:
https://depot.rina.org/access/kWvx5atetqkys4qoS5DWfMY2ch5n
[The password for the uploaded file is “infected” (without the double quotes)]

If you'd like any further information, please let me know.

Many thanks,
Clive

Hi, is there any option to implement YARA Rules on McAfee's SIEM ?

FYI:

/opt/yararules/Yara-Rules/APT/APT_hikit_rootkit_pdb.yar(8): error: syntax error, unexpected text string, expecting '='
/opt/yararules/Yara-Rules/APT/ixeshe_bled_pdb.yar(7): error: syntax error, unexpected text string, expecting '='
/opt/yararules/Yara-Rules/APT/APT_milum_wildpressure.yar(20): error: undefined identifier "pe"

warning: rule "ransomware_sodinokibi" in .../RANSOM_Sodinokibi.yar(28): expression always false - requesting 8 of 4.