capa-rules

failed to detect RC4 usage in StealcV2

Open Still34 opened this issue 8 months ago • 0 comments

Summary

Expected to match `data-manipulation\encryption\rc4\encrypt-data-using-rc4-ksa` or `data-manipulation\encryption\rc4\encrypt-data-using-rc4-prga` for StealC-v2; at the moment none of the existing rules match the behavior.

Examples

https://bazaar.abuse.ch/sample/a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2/

Suspected RC4 @ `0x00000001400231D5`

Possible improvements

Additional context

Still34, Apr 26 '25 04:04