Heuristic: flag UX-Locker for 'lc' modules

Add a heuristic in scanForMaliciousCode_NET_and_Native to push a UX-Locker verdict when no other verdicts exist and the .NET module or assembly name is 'lc.exe' or 'lc'. The verdict object includes empty version and details fields. This introduces an early detection rule before existing RAT/anti-AV checks.
DosX 2026-04-10 15:49:33 +03:00
commit 05d00ffb61

@ -6115,6 +6115,15 @@ function scanForMaliciousCode_NET_and_Native() {
}
if (verdicts.length === 0 && (PE_Cached.nameOfNetModuleName === "lc.exe" || PE_Cached.nameOfNetAssemblyName === "lc")) {
verdicts.push({
type: "UX-Locker",
version: String(),
details: String()
});
}
if (verdicts.length === 0 && (PE.isSignatureInSectionPresent(0, "00" + generateUnicodeSignatureMask(" RAT") + "00 **") ||
PE.isNetObjectPresent("AntiTaskManager") ||
PE.isNetObjectPresent("BlockAvSites") ||
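Review bot: the new `if` decides on the name alone (`PE_Cached.nameOfNetModuleName === "lc.exe" || PE_Cached.nameOfNetAssemblyName === "lc"`), so any .NET file carrying either name receives a UX-Locker verdict. Because it sits ahead of the RAT/anti-AV block, which is also gated on `verdicts.length === 0`, that verdict then prevents the content-based check below from running. Module and assembly names are chosen by whoever builds the binary, so the rule is easy to evade by renaming and likely to produce false positives on unrelated files with a two-letter name. Consider requiring both names to match (`&&` rather than `||`) together with at least one content indicator of the kind the following check uses, such as a `PE.isNetObjectPresent(...)` or `PE.isSignatureInSectionPresent(...)` test. Also put the matched name into `details` instead of `String()` so an analyst can see why the verdict fired. The comparison is case-sensitive as written; if `LC.exe` is meant to match, normalize the names before comparing.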