Tighten old Stealc v1 yara signature to reduce FPs

kevoreilly · kevoreilly · commit b26a4bd55d50 · 2025-08-21T10:31:17.000+01:00
diff --git a/data/yara/CAPE/Stealc.yar b/data/yara/CAPE/Stealc.yar
@@ -9,7 +9,7 @@ rule Stealc
         $nugget1 = {68 04 01 00 00 6A 00 FF 15 [4] 50 FF 15}
         $nugget2 = {64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 8B 00 8B 40 18 89 45 FC}
     condition:
-        uint16(0) == 0x5A4D and any of them
+        uint16(0) == 0x5A4D and all of them
 }
 
 rule StealcV2
