- [Improved] Updated Yara Hunting to improve scan coverage and lookback.
- [New] Added support for Yara 4.3
- [Fixed] Fixed issue with exports not being displayed correctly in some submissions.
- [Fixed] Fixed issue with searching for related samples by yara name.
- [Improved] Updated support for bloated files.
- [Improved] Updated String search to improve performance.
We've made several updates and bug fixes over the past few weeks to improve the Yara hunt and search experience on UnpacMe. Most of the work focused on improving the overall speed and coverage of scans, along with fixing some issues to improve the quality of results. We have also added support for Yara 4.3, which includes several improvements such as: parsing of .NET user types from the .NET metadata stream, bitwise not (~) operator support, and improved PE certificate.
Weekly Threat Hunting
This week Redline Stealer submissions dropped, with AgentTesla, SmokeLoader, and Stealc taking the top spots. While Redline Stealer remains highly submitted, this is the first week in several that it is not the most submitted family.
We have observed a rise in submissions of Blackmoon (KRBanker), a legacy information stealer initially targeted at South Korean banks. A recent report from Rapid7 suggests that Blackmoon is being repurposed as a dropper, distributing payloads on compromised systems. We see a large daily volume of legacy Blackmoon samples bundled with old file infectors in our automated collection (excluded from this report), so it came as a surprise to see an increase in user-submitted samples.
- AgentTesla - We've updated our coverage for AgentTesla. Thanks to rony123 for reporting the issues.
- CobianRat - Added coverage and a malware configuration extractor.
- LimeRat - Updated coverage for LimeRat and added a malware configuration extractor.
- PureCrypter - Updated coverage for Stage 1 of the PureCrypter downloader.
- Stealc - Updated coverage for the Stealc information stealer.
- XWorm - We've updated our coverage for XWorm. Thanks to embee_research for reporting the issues.