From c873c15fddeb41afb35465d0b926e73a899e95a1 Mon Sep 17 00:00:00 2001 From: Andrea De Pasquale <447065+adepasquale@users.noreply.github.com> Date: Thu, 9 May 2024 20:15:10 +0200 Subject: [PATCH] Update Yara CI config (#2113) * Update Yara CI config * Fix extra space in Qakbot parser test --- .yara-ci.yml | 13 +++++++------ analyzer/windows/data/yara/Blister.yar | 4 ++-- tests_parsers/test_qakbot.py | 2 +- 3 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/.yara-ci.yml b/.yara-ci.yml
index 7296478f62d..0f45c6ce69e 100644
--- a/.yara-ci.yml
+++ b/.yara-ci.yml
@@ -1,12 +1,13 @@
 files:
 accept:
 - "data/yara/**.yar"
+ - "analyzer/windows/data/yara/**.yar"
 false_positives:
 ignore:
- - rule: "CobaltStrikeBeacon"
- - rule: "Emotet"
- - rule: "NSIS"
- - rule: "UPX"
- - rule: "Syscall"
- - rule: "FormhookB"
+ - rule: "CobaltStrikeBeacon"
+ - rule: "Emotet"
+ - rule: "NSIS"
+ - rule: "UPX"
+ - rule: "Syscall"
+ - rule: "FormhookB"
diff --git a/analyzer/windows/data/yara/Blister.yar b/analyzer/windows/data/yara/Blister.yar
index cc8eea6eb00..a3c4bf273f9 100644
--- a/analyzer/windows/data/yara/Blister.yar
+++ b/analyzer/windows/data/yara/Blister.yar
@@ -4,8 +4,8 @@ rule Blister
 author = "kevoreilly"
 description = "Blister Sleep Bypass"
 cape_options = "bp0=$sleep1+6,bp1=$sleep2+7,action0=setsignflag,action1=clearcarryflag,count=3"
- blister_hash = "0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00"
- blister_hash = "afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2"
+ packed = "0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00"
+ packed = "afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2"
 strings:
 $sleep1 = {FF FF 83 7D F0 00 (E9|0F 8?)}
 $sleep2 = {81 7D D8 90 B2 08 00 (E9|0F 8?)}
diff --git a/tests_parsers/test_qakbot.py b/tests_parsers/test_qakbot.py
index ac925c1d7f9..025470b6e97 100644
--- a/tests_parsers/test_qakbot.py
+++ b/tests_parsers/test_qakbot.py
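Review bot: The new accept entry `- "analyzer/windows/data/yara/**.yar"` copies the `**.yar` form of the existing `data/yara` entry, and whether that form recurses into subdirectories depends on yara-ci's glob matcher; if it treats `**` only as a whole path segment, as gitignore-style matchers do, the safer spelling is `**/*.yar`, so the first CI run after this change should be checked to confirm the new directory's rules are actually compiled. The six `- rule:` lines under `ignore:` are removed and re-added with only their indentation changed, which the collapsed hunk does not preserve; the intent is presumably to nest them under `ignore:` so the false-positive exemptions keep applying, and that is worth verifying by eye in the applied file, since a mis-nested list would silently re-enable the check for those rules rather than error.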
@@ -2,6 +2,6 @@ def test_qakbot():
- with open("tests/data/malware/0cb0d77ac38df36fff891e072dea96401a8c1e8ff40d6ac741d5a2942aaeddbb ", "rb") as data:
+ with open("tests/data/malware/0cb0d77ac38df36fff891e072dea96401a8c1e8ff40d6ac741d5a2942aaeddbb", "rb") as data:
 conf = extract_config(data.read())
 assert conf == {"C2": "anscowerbrut.com", "Campaign": 2738000827}
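Review bot: The corrected `open(...)` call still resolves `tests/data/malware/...` against the current working directory, so the test only passes when pytest is launched from the repository root, and a wrong directory fails with the same FileNotFoundError the stray trailing space produced, which makes the two causes hard to tell apart. Anchoring the fixture to the test file removes that dependency: `from pathlib import Path` at the top of the module and `with open(Path(__file__).resolve().parent.parent / "tests" / "data" / "malware" / "0cb0d77ac38df36fff891e072dea96401a8c1e8ff40d6ac741d5a2942aaeddbb", "rb") as data:` in place of the added line. Since the fixture is a malware sample referenced by its SHA-256 and may be absent from some checkouts, a short `# fixture: QakBot sample, SHA-256 in the filename` comment above the call would also tell a reader what the test depends on. The start of `test_qakbot` appears in the hunk header rather than as a body line, so the `def` line itself sits at the hunk's edge.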