FormhookB Yara Rule: all instead of any

[daschr]

Prerequisites

Please answer the following questions for yourself before submitting an issue.

• I am running the latest version
• I did read the README!
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed
• I'm reporting the issue to the correct repository (for multi-repository projects)
• I have read and checked all configs (with all optional parts)

Current/Expected Behavior

The condition of the Yara "FromhookB" rule (see

CAPEv2/analyzer/windows/data/yara/Formbook.yar

Line 16 in acb0261

rule FormhookB

) is set to "any of them" and I've got a a false positive on a sample from the xerces XML-Parser (https://xerces.apache.org/).
The $decode pattern seems to match on a subroutine of the dll on version 3.1.4.
You can see the pattern in the screenshot:

I think the condition should be all of them instead of any of them.

See https://github.com/daschr/CAPEv2/commit/a576f699723396acc90844a184c2006b80ab49c1

Failure Information (for bugs)

This is the sample DLL:
xerces-c_3_1.zip

Steps to Reproduce

1. Scan the sample above
2. see that it matches on "FormhookB"

[kevoreilly]

Turns out just setting to all does not allow the bypass to work so I have made other improvements - let me know if there are any further issues

[daschr]

Thank you!

[kevoreilly]

Thanks for the report 🤝