Expand heuristic strings, add NoIP and fixes

Update PE heuristic database to improve detection coverage and correct signatures: add "NSS_Init" to Firefox-related fingerprints; include alternate WindowsLive/\My Received Files path variant; broaden Paltalk registry keys to include uppercase SOFTWARE and HKCU variants; add NoIP (Vitalwerks DUC) registry keys; include "Ftplist.txt" for FTP Commander detection; and clarify the generic entry comment to reduce false positives. These changes refine string matches and widen coverage for legitimate variations of targeted applications.
This commit is contained in:
DosX 2026-06-18 05:48:33 +03:00
commit c654c99320


@ -6673,7 +6673,7 @@ function scanForMaliciousCode_NET_and_Native() {
"\\mozglue.dll", "mozcrt19.dll", "nss3.dll", "mozsqlite3.dll", "softokn3.dll", "\\Firefox\\Profiles\\", "signons.sqlite", "2a864886f70d0209",
"2a864886f70d010c050103", "moz_places", "moz_cookies", "moz_bookmarks", "\\Mozilla Firefox\\", "Mozilla Firefox\\",
"\\Mozilla\\Firefox\\Profiles", "webappsstore.sqlite", "SELECT * FROM moz_disabledHosts;", "SELECT * FROM moz_logins;",
"SELECT * FROM moz_places", "moz_logins", "encryptedPassword"
"SELECT * FROM moz_places", "moz_logins", "encryptedPassword", "NSS_Init"
]
}, {
names: ["Yahoo", "yahoo", "YahooMessenger"],
@ -6735,7 +6735,7 @@ function scanForMaliciousCode_NET_and_Native() {
names: ["MSN", "GetMSN", "getMSN75Passwords", "CMSNMessengerPasswords"],
strings: [
"\\MSN Messenger\\msidcrl.dll", "msidcrl.dll", "Software\\Microsoft\\MessengerService", "Software\\Microsoft\\MSNMessenger",
"82BD0E67-9FEA-4748-8672-D5EFE5B779B0\0", "msidcrl.dll", "WindowsLive:name=*", "\\My Received Files\\"
"82BD0E67-9FEA-4748-8672-D5EFE5B779B0\0", "msidcrl.dll", "WindowsLive:name=*", "\\My Received Files\\", "\\My Received Files"
]
}, {
names: ["Skype", "skype", "GetSkype"],
@ -6750,7 +6750,7 @@ function scanForMaliciousCode_NET_and_Native() {
}, {
names: ["Paltalk", "paltalk", "GetPaltalk"],
strings: [
"Software\\Paltalk", "HKEY_CURRENT_USER\\Software\\Paltalk\\"
"Software\\Paltalk", "SOFTWARE\\Paltalk", "HKEY_CURRENT_USER\\Software\\Paltalk\\", "HKEY_CURRENT_USER\\SOFTWARE\\Paltalk\\"
]
}, {
names: ["Chromium", "chromium", "chrome", "GetChrome"],
@ -6843,6 +6843,11 @@ function scanForMaliciousCode_NET_and_Native() {
strings: [
"\\.purple\\accounts.xml", ".purple\\accounts.xml"
]
}, {
names: ["NoIP", "NoIp", "GetNoIP"],
strings: [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Vitalwerks\\DUC", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Vitalwerks\\DUC"
]
}, {
names: ["RuneScape"],
strings: [
@ -6879,7 +6884,7 @@ function scanForMaliciousCode_NET_and_Native() {
}, {
names: ["FTPCommander", "FtpCommander", "Ftpcommander", "ftpcommander"],
strings: [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Commander\\UninstallString", "FTP Commander"
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Commander\\UninstallString", "FTP Commander", "Ftplist.txt"
]
}, {
names: ["PuTTY", "Putty", "putty"],
@ -6950,7 +6955,7 @@ function scanForMaliciousCode_NET_and_Native() {
":SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
]
}, {
names: [/* Generic */],
names: [/* Generic --> It's not subject to strict classification. It can be found in legitimate .NET programs, but the RiskScore threshold will not trigger false positives. */],
strings: [
"90059c37-1320-41a4-b58d-2b75a9850d2f",
"EnableLUA", "DisableCMD", "DisableTaskMgr", "DisableRegistry", "discordtokenprotector", "*.txt", "*.rdp",
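Review bot: The string `"\\My Received Files"` added to the MSN entry is a strict substring of the `"\\My Received Files\\"` that precedes it in the same array, so any sample matching the longer form necessarily matches the shorter one as well; if the matcher in scanForMaliciousCode_NET_and_Native is substring-based and counts each matched string toward the RiskScore (not visible in this hunk), a single occurrence is counted twice. The same containment exists in the Paltalk hunk (`"Software\\Paltalk"` inside `"HKEY_CURRENT_USER\\Software\\Paltalk\\"`, and likewise the new `SOFTWARE` pair) and in the FTP Commander hunk (`"FTP Commander"` inside the UninstallString key), so the scoring effect, if any, is systematic rather than a one-off. If the intent is only to catch the folder name without a trailing backslash, keeping the shorter string alone gives the same coverage; if both are meant to stay, a comment such as `// overlapping forms are intentional; the scorer dedups by entry, not by string` beside the array would record that the double hit was considered. The enclosing function starts and ends outside the hunk.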