From 654bfc1c4aa65a87a866060d7ea3076485328941 Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Tue, 12 Mar 2024 12:44:44 +0000
Subject: [PATCH] Rescind Pikabot dynamic config capture as it's in plain text in the payload

---
 analyzer/windows/data/yara/Pikabot.yar | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/analyzer/windows/data/yara/Pikabot.yar b/analyzer/windows/data/yara/Pikabot.yar
index 92f817847f3..0a5b25c28f0 100644
--- a/analyzer/windows/data/yara/Pikabot.yar
+++ b/analyzer/windows/data/yara/Pikabot.yar
@@ -13,20 +13,6 @@ rule Pikahook
         uint16(0) == 0x5A4D and 2 of them
 }
 
-rule Pikabot
-{
-    meta:
-        author = "kevoreilly"
-        description = "Pikabot config extraction"
-        cape_options = "clear,bp0=$decode,action0=string:eax,count=0,force-sleepskip=1,typestring=Pikabot Config"
-        packed = "89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9"
-    strings:
-        $indirect = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
-        $decode = {29 D1 01 4B ?? 8D 0C 10 89 4B ?? 85 F6 74 02 89 16 83 C4 ?? 5B 5E [0-1] 5D C3}
-    condition:
-        uint16(0) == 0x5A4D and all of them
-}
-
 rule PikExport
 {
     meta: