From efeb9d73a66fa9862758a06cea0a697999c8de4f Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Mon, 3 Nov 2025 14:58:25 -0500
Subject: [PATCH] Update NitroBunnyDownloader yara

---
 data/yara/CAPE/NitroBunnyDownloader.yar | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/data/yara/CAPE/NitroBunnyDownloader.yar b/data/yara/CAPE/NitroBunnyDownloader.yar
index 733efe3a41a..53ebcbba24d 100644
--- a/data/yara/CAPE/NitroBunnyDownloader.yar
+++ b/data/yara/CAPE/NitroBunnyDownloader.yar
@@ -6,12 +6,13 @@ rule NitroBunnyDownloader
 cape_type = "NitroBunnyDownloader Payload"
 hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
 strings:
- $config = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+ $config1 = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+ $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 48 89 ?? E8 [3] 00}
 $string1 = "X-Amz-User-Agent:" wide
 $string2 = "Amz-Security-Flag:" wide
 $string3 = "/cart" wide
 $string4 = "Cookie: " wide
 $string5 = "wishlist" wide
 condition:
- uint16(0) == 0x5A4D and $config and 2 of ($string*)
+ uint16(0) == 0x5A4D and 1 of ($config*) and 2 of ($string*)
 }
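Review bot: `$config2` is added with no sample reference and no comment on what it matches, so it cannot be re-validated later; the `hash` meta still names only the original sample. I would add a second meta entry such as `hash2 = "<SHA-256 of the sample that needed $config2>"` (placeholder, the value is not on this page). I would also add a comment above both patterns noting that they are the same sequence with the `41 B8 ?? ?? 00 00` (mov r8d, imm32) and `48 8D 15 [3] 00` (lea rdx, [rip+disp]) operands swapped, presumably by compiler reordering. Renaming `$config` to `$config1` is harmless for the condition, but if any extractor or signature outside this file looks the match up by the `$config` identifier it would stop finding it, so that is worth confirming. The rule header and the start of the meta section are outside the hunk.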