From b81eee5fa4741375253c1fa42da8d5d9ec87941e Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Thu, 18 Jun 2020 12:27:37 +0200
Subject: [PATCH 01/15] Improve UPX detection by section names.

To prevent false positives, we should check whether the size of the very
first section of the file is zero. If it is not, then we either have a
modified packer, an already unpacked file that has the packer's section
names, or a file that tries to pretend it is packed with UPX. This should
reduce the amount of false positives significantly.
---
 src/cpdetect/heuristics/pe_heuristics.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/cpdetect/heuristics/pe_heuristics.cpp b/src/cpdetect/heuristics/pe_heuristics.cpp
index b5439d525..86f539267 100644
--- a/src/cpdetect/heuristics/pe_heuristics.cpp
+++ b/src/cpdetect/heuristics/pe_heuristics.cpp
@@ -2101,7 +2101,8 @@ void PeHeuristics::getPeSectionHeuristics()
 	}
 	if (noOfSections > 2)
 	{
-		if (firstName == "UPX0" && secondName == "UPX1")
+		if (firstName == "UPX0" && secondName == "UPX1"
+				&& sections[0]->getSizeInFile() == 0)
 		{
 			addPacker(source, strength, "UPX");
 		}
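Review bot: The new `sections[0]->getSizeInFile() == 0` condition encodes a non-obvious assumption — that a genuinely packed file's UPX0 section carries no raw data — and nothing in the code says why, so the next person tuning this heuristic may well remove it as a false negative. A comment above the `if`, e.g. `// UPX0 holds no raw data in a genuinely UPX-packed file; a non-zero raw size points at a modified packer, an unpacked dump that kept the section names, or a file mimicking UPX`, would carry the commit message's rationale into the code. The index is presumably safe under the `noOfSections > 2` guard, assuming that count was taken from `sections`; worth confirming, since that is not visible here. getPeSectionHeuristics's body continues outside the hunk.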

From d8847281389d8e32b7f8cd49a94d7029d9c6a885 Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Tue, 23 Jun 2020 15:01:55 +0200
Subject: [PATCH 02/15] Improve UPX detection by ensuring the UPX block is
 before the first section.

The data block containing a magic value "UPX!" followed by an internal
structure must be placed before the first section. This check will
remove false positive detection of unpacked files dumped from memory that
retained that information.
---
 src/cpdetect/heuristics/pe_heuristics.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cpdetect/heuristics/pe_heuristics.cpp b/src/cpdetect/heuristics/pe_heuristics.cpp
index 86f539267..321ceedd6 100644
--- a/src/cpdetect/heuristics/pe_heuristics.cpp
+++ b/src/cpdetect/heuristics/pe_heuristics.cpp
@@ -940,7 +940,7 @@ void PeHeuristics::getUpxHeuristics()
 	// format: x.xx'\0'UPX!
 	const std::size_t minPos = 5, verLen = 4;
 	pos = content.find("UPX!");
-	if (pos >= minPos && pos < 0x500)
+	if (pos >= minPos && pos < 0x500 && pos < sections[0]->getOffset())
 	{
 		std::string version;
 		std::size_t num;
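Review bot: `sections[0]` is dereferenced on the changed line with no visible guard that `sections` is non-empty, unlike the section-name check elsewhere in this series that sits under `noOfSections > 2`; a PE with zero sections, which malformed or hand-crafted inputs can have, would index past the end. Unless the function already returns early on an empty section table above the hunk, the condition should read `if (!sections.empty() && pos >= minPos && pos < 0x500 && pos < sections[0]->getOffset())`, or be preceded by an early return. Whether `getOffset()` yields the raw file offset — the only thing a position in `content` can meaningfully be compared against — is not visible here and worth confirming. getUpxHeuristics continues outside the hunk on both sides.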

From 1ec38b50ced6b84b3df071ce02655a30e960b99c Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Tue, 23 Jun 2020 15:37:40 +0200
Subject: [PATCH 03/15] Remove Ramnit as a packer.

Ramnit is a file-infector and should not be detected as a tool.
---
 src/cpdetect/heuristics/pe_heuristics.cpp | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/cpdetect/heuristics/pe_heuristics.cpp b/src/cpdetect/heuristics/pe_heuristics.cpp
index 321ceedd6..e1394bea2 100644
--- a/src/cpdetect/heuristics/pe_heuristics.cpp
+++ b/src/cpdetect/heuristics/pe_heuristics.cpp
@@ -1981,10 +1981,6 @@ void PeHeuristics::getPeSectionHeuristics()
 	{
 		addPacker(source, strength, "LameCrypt");
 	}
-	if (lastName == ".rmnet")
-	{
-		addPacker(source, strength, "Ramnit");
-	}
 	if (firstName == ".Upack" || firstName == ".ByDwing")
 	{
 		addPacker(source, strength, "Upack");

From 79b6dbb25e6c042780d3de4f81b5a50c409fa721 Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Wed, 24 Jun 2020 15:31:13 +0200
Subject: [PATCH 04/15] Prevent false detections of VMProtect.

By rigorously checking the imported API and the presence of the string
in only executable sections of the file we ensure that only truly packed
files are detected. Otherwise a false positive detection could occur when
a file was doubly packed and the byte pattern was stored in unmodified
form in the data section, or when a packed file was stored in resources
or overlay.
---
 support/yara_patterns/tools/pe/x86/packers.yara | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index 73c3e7a1a..9a4678f50 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -16780,7 +16780,10 @@ rule vmprotect_2x_xx {
 	strings:
 		$1 = { 50 F0 1F FD FD 8? ?7 92 6? ?? B4 ?? C2 ?? ?0 7? 4? ?? ?? C? C? ?F ?D 2? 6? ?1 9C BF 0? 99 12 ?7 17 ?? 36 35 CA 8A ?7 ?0 ?? ?F ?C ?D 7D 7? ?9 E5 ?1 ?8 4E 4? ?? 24 ?? D4 5? 5? C? 04 B9 E? D? 2? 15 ?8 9? ?6 ?7 84 ?? ?? ?D 9? ?1 ?1 ?E ?? 03 ?? ?? ?4 46 ?6 ?? ?3 EC 94 1E ?6 A? ?4 ?5 ?? ?? ?? ?? 8? C? ?8 ?? ?2 ?? ?0 C8 EB ?C 1? D? }
 	condition:
-		@1 < pe.overlay.offset
+		for any i in (0 .. pe.number_of_sections - 1): (
+			pe.sections[i].characteristics & pe.SECTION_CNT_CODE and
+			$1 in (pe.sections[i].raw_data_offset .. pe.sections[i].raw_data_offset + pe.sections[i].raw_data_size)
+		)
 }
 
 rule vob_protectcd_uv {
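Review bot: The commit description says the imported API is rigorously checked, but the new condition only tests that `$1` lies inside a section flagged `SECTION_CNT_CODE`; no import check appears in this hunk, so either the description overstates the change or that check was meant to be part of this condition and is missing. A smaller point: YARA ranges are inclusive at both ends, so `$1 in (raw_data_offset .. raw_data_offset + raw_data_size)` also accepts a match whose first byte is the first byte of the following section; `pe.sections[i].raw_data_offset + pe.sections[i].raw_data_size - 1` is the exact upper bound. The `vmprotect_2x_xx` rule's `meta` block starts before the hunk.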

From ee8138036e8599037d5a3128db1bd3f87384146a Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Tue, 30 Jun 2020 11:54:23 +0200
Subject: [PATCH 05/15] Remove ambiguous Themida YARA rule.

The rule itself searches for a string "kernel32.dll" that sits in the
middle of zeroed bytes. This does not actually check for code/data from
Themida and can be easily present in regular files.
---
 support/yara_patterns/tools/pe/x86/packers.yara | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index 9a4678f50..cc0f01db3 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -14751,18 +14751,6 @@ rule themida_18x_2x_winlicense {
 		$1 at pe.entry_point
 }
 
-rule themida_2010_winlicense {
-	meta:
-		tool = "P"
-		name = "Themida"
-		version = "2.0.1.0 or higher WinLicense"
-		pattern = "00000000????????000000006B65726E656C33322E646C6C00????????0000000000000000????????????????00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
-	strings:
-		$1 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
-	condition:
-		$1
-}
-
 rule thewrap_uv {
 	meta:
 		tool = "P"

From 881a94dffa8d366035d74e1af123218e5f8459fa Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Tue, 30 Jun 2020 11:53:06 +0200
Subject: [PATCH 06/15] Remove ambiguous InstallShield YARA rule.

This rule matches a common windows runtime code from older versions of
Visual Studio (6.0).
---
 support/yara_patterns/tools/pe/x86/installers.yara | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index f0b1c4ef0..51664980a 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -227,18 +227,6 @@ rule installshield_uv_3 {
 		$1 at pe.entry_point
 }
 
-rule installshield_uv_04 {
-	meta:
-		tool = "I"
-		name = "InstallShield"
-		source = "Made by Retdec Team"
-		pattern = "558BEC6AFF68????4?0068????4?0064A100000000506489250000000083EC585356578965E8FF15????4?0033D28AD48915????4?008BC881E1FF000000890D????4?00C1E10803CA890D????4?00C1E810A3????4?00??????????0?00"
-	strings:
-		$1 = { 55 8B EC 6A FF 68 ?? ?? 4? 00 68 ?? ?? 4? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 ?? ?? 4? 00 33 D2 8A D4 89 15 ?? ?? 4? 00 8B C8 81 E1 FF 00 00 00 89 0D ?? ?? 4? 00 C1 E1 08 03 CA 89 0D ?? ?? 4? 00 C1 E8 10 A3 ?? ?? 4? 00 ?? ?? ?? ?? ?? 0? 00 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule installshield_uv_05 {
 	meta:
 		tool = "I"

From 6a96fe4bc374f4f6748f3f868a857c9b135145a7 Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Fri, 10 Jul 2020 16:53:18 +0200
Subject: [PATCH 07/15] Remove ambiguous MEW YARA rule.

This rule matches code that is not specific to MEW. If the entry point
starts with an E9 call and is followed by empty space, it will always
match.
---
 support/yara_patterns/tools/pe/x86/packers.yara | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index cc0f01db3..f8f232434 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -8258,18 +8258,6 @@ rule mew_11_se_12 {
 		$1 at pe.entry_point + 48
 }
 
-rule mew_11_se_10_12 {
-	meta:
-		tool = "P"
-		name = "MEW"
-		version = "11 SE 1.0 - 1.2"
-		pattern = "E9??????FF0??0??0?0000000??0??00??????????0??0"
-	strings:
-		$1 = { E9 ?? ?? ?? FF 0? ?0 ?? 0? 00 00 00 0? ?0 ?? 00 ?? ?? ?? ?? ?? 0? ?0 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule mew_5xx {
 	meta:
 		tool = "P"

From 454e8bfdd47ccd0f2ec950ac7e039b3754f992a2 Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Fri, 10 Jul 2020 16:54:03 +0200
Subject: [PATCH 08/15] Remove ambiguous tElock YARA rule.

This rule matches code that is not specific to tElock. If the entry point
starts with an E9 call and is followed by empty space, it will always
match.
---
 support/yara_patterns/tools/pe/x86/packers.yara | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index f8f232434..23ed5b47b 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -14571,18 +14571,6 @@ rule telock_096 {
 		$1 at pe.entry_point
 }
 
-rule telock_098_10 {
-	meta:
-		tool = "P"
-		name = "tElock"
-		version = "0.98 - 1.0"
-		pattern = "E9????FFFF000000??????????????000000000000000000"
-	strings:
-		$1 = { E9 ?? ?? FF FF 00 00 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule telock_098_special_build {
 	meta:
 		tool = "P"

From fc70d2f83dc20bd9c0e36d3a8547879a1b556746 Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Mon, 13 Jul 2020 12:27:11 +0200
Subject: [PATCH 09/15] Remove ambiguous Ste@lth YARA rule.

The generic Ste@lth YARA rule was checking for the presence of a single
instruction. Not only is it slow, it is also highly inaccurate. The YARA
rule was replaced with a correct one and an old rule for version 1.1
was left behind for backwards compatibility.
---
 support/yara_patterns/tools/pe/x86/packers.yara | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index 23ed5b47b..f61a5a85a 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -14173,9 +14173,9 @@ rule stealth_101 {
 		tool = "P"
 		name = "Ste@lth"
 		version = "1.01"
-		pattern = "??????????BA??????00"
+		pattern = "BA??????00FFE2BA??????00B8????????890283C203B8????????890283C2FDFFE2"
 	strings:
-		$1 = { ?? ?? ?? ?? ?? BA ?? ?? ?? 00 }
+		$1 = { BA ?? ?? ?? 00 FF E2 BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 03 B8 ?? ?? ?? ?? 89 02 83 C2 FD FF E2 }
 	condition:
 		$1 at pe.entry_point
 }
@@ -14185,11 +14185,8 @@ rule stealth_pe_11 {
 		tool = "P"
 		name = "Stealth PE"
 		version = "1.1"
-		pattern = "BA??????00FFE2BA??????00B8????????890283C203B8????????890283C2FDFFE2"
-	strings:
-		$1 = { BA ?? ?? ?? 00 FF E2 BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 03 B8 ?? ?? ?? ?? 89 02 83 C2 FD FF E2 }
 	condition:
-		$1 at pe.entry_point
+		stealth_101
 }
 
 rule stones_pe_encryptor_10_113 {
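Review bot: `stealth_pe_11` now keeps no strings of its own and its condition is just `stealth_101`, so every file the 1.01 rule matches is reported a second time under name "Stealth PE" / version "1.1"; unless the consumer collapses duplicates, one byte pattern now yields two tool entries. If that is the intended backwards-compatibility shim, say so in the rule, e.g. `// kept for backwards compatibility: same bytes as stealth_101` above `condition:`, so nobody later "fixes" one rule without the other. The `pattern` meta entry was also dropped from `stealth_pe_11` while every other rule in these hunks carries one; if any tooling reads that field, this rule now lacks it. YARA requires a referenced rule to be defined earlier in the file, which `stealth_101` is, so the ordering itself is fine.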

From 6847005ce08c2bf56e4fdd17e38ead2202175a50 Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Mon, 13 Jul 2020 12:46:35 +0200
Subject: [PATCH 10/15] Add new version of Ste@lth packer.

This version was previously covered by highly ambiguous YARA rule that
has been since removed. In its stead, this YARA rule was added.
---
 support/yara_patterns/tools/pe/x86/packers.yara | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index f61a5a85a..da788b91a 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -14189,6 +14189,18 @@ rule stealth_pe_11 {
 		stealth_101
 }
 
+rule stealth_210 {
+	meta:
+		tool = "P"
+		name = "Ste@lth"
+		version = "2.10"
+		pattern = "B8????????BA????????B9????????310183C1044A75F8EBC0"
+	strings:
+		$1 = { B8 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 31 01 83 C1 04 4A 75 F8 EB C0 }
+	condition:
+		$1 at pe.entry_point
+}
+
 rule stones_pe_encryptor_10_113 {
 	meta:
 		tool = "P"
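Review bot: The new `stealth_210` pattern is essentially a generic four-byte XOR decode loop (`31 01 83 C1 04 4A 75 F8`) preceded by three wildcarded immediates, with 12 of its 25 bytes wildcards; other small crypters that emit the same loop shape at the entry point would match as well, which sits uneasily with the commit's stated goal of replacing an ambiguous rule. If the reference samples allow it, extending the pattern with a few fixed bytes from elsewhere in the stub, or adding a second string that must also be present, would make the match specific to this packer. This is a specificity concern rather than a syntax or correctness defect in the rule.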

From 4d229d58817d703f1244c5a0af7720bbfd53165a Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Mon, 13 Jul 2020 14:03:59 +0200
Subject: [PATCH 11/15] Rename WinUpack YARA rule to Upack.

To keep things consistent, we should use the same name for cases where
there are historically two possibilities. Thus, we should rename WinUpack
to simply Upack.
---
 .../yara_patterns/tools/pe/x86/packers.yara   | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index da788b91a..aa9066bb1 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -15526,6 +15526,18 @@ rule upack_039f_02 {
 		$1 at pe.entry_point
 }
 
+rule upack_039f_03 {
+	meta:
+		tool = "P"
+		name = "Upack"
+		version = "0.39f"
+		pattern = "BEB011????AD50FF7634EB7C4801????0B014C6F61644C6962726172794100001810000010000000????????0000????001000000002000004000000000039"
+	strings:
+		$1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 ?? ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 39 }
+	condition:
+		$1 at pe.entry_point
+}
+
 rule upack_039 {
 	meta:
 		tool = "P"
@@ -17698,18 +17710,6 @@ rule winkript_10 {
 		$1 at pe.entry_point
 }
 
-rule winupack_039f {
-	meta:
-		tool = "P"
-		name = "WinUpack"
-		version = "0.39f"
-		pattern = "BEB011????AD50FF7634EB7C4801????0B014C6F61644C6962726172794100001810000010000000????????0000????001000000002000004000000000039"
-	strings:
-		$1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 ?? ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 39 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule wwpack32_1x {
 	meta:
 		tool = "P"

From 8c499c95e2cf4c6f567d2797525c6467deef910a Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Mon, 13 Jul 2020 14:33:08 +0200
Subject: [PATCH 12/15] Unify naming between yoda's Crypter and yoda's
 Protector.

For the sake of uniformity, we should use consistent naming.
---
 src/cpdetect/heuristics/pe_heuristics.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cpdetect/heuristics/pe_heuristics.cpp b/src/cpdetect/heuristics/pe_heuristics.cpp
index e1394bea2..02fb9abe0 100644
--- a/src/cpdetect/heuristics/pe_heuristics.cpp
+++ b/src/cpdetect/heuristics/pe_heuristics.cpp
@@ -1987,7 +1987,7 @@ void PeHeuristics::getPeSectionHeuristics()
 	}
 	if (lastName == "yC" || lastName == ".y0da" || lastName == ".yP")
 	{
-		addPacker(source, strength, "yoda's Crypter");
+		addPacker(source, strength, "yoda's Protector");
 	}
 	if (findSectionName(".petite") == 1)
 	{

From c60774c504cc8213278c60b7d0b88bfefaae1c1f Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Mon, 13 Jul 2020 14:59:11 +0200
Subject: [PATCH 13/15] Rename ASPack YARA rule to ASProtect to accurately
 describe the detection.

The code that this specific YARA rule detects belongs to ASProtect rather
than to ASPack and it should be detected as such.
---
 .../yara_patterns/tools/pe/x86/packers.yara   | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index aa9066bb1..42e757407 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -2782,17 +2782,6 @@ rule asdpack_20_02 {
 		$1 at pe.entry_point
 }
 
-rule aspack_uv_01 {
-	meta:
-		tool = "P"
-		name = "ASPack"
-		pattern = "5D81ED??????00BB??????0003DD2B9D??????0083BD??????0000899D??????000F85????00008D85??????0050FF95??????008985"
-	strings:
-		$1 = { 5D 81 ED ?? ?? ?? 00 BB ?? ?? ?? 00 03 DD 2B 9D ?? ?? ?? 00 83 BD ?? ?? ?? 00 00 89 9D ?? ?? ?? 00 0F 85 ?? ?? 00 00 8D 85 ?? ?? ?? 00 50 FF 95 ?? ?? ?? 00 89 85 }
-	condition:
-		$1 in (pe.entry_point + 6 .. pe.entry_point + 7)
-}
-
 rule aspack_uv_02 {
 	meta:
 		tool = "P"
@@ -3406,6 +3395,17 @@ rule asprotect_uv_04 {
 		$1 at pe.entry_point
 }
 
+rule asprotect_uv_05 {
+	meta:
+		tool = "P"
+		name = "ASProtect"
+		pattern = "5D81ED??????00BB??????0003DD2B9D??????0083BD??????0000899D??????000F85????00008D85??????0050FF95??????008985"
+	strings:
+		$1 = { 5D 81 ED ?? ?? ?? 00 BB ?? ?? ?? 00 03 DD 2B 9D ?? ?? ?? 00 83 BD ?? ?? ?? 00 00 89 9D ?? ?? ?? 00 0F 85 ?? ?? 00 00 8D 85 ?? ?? ?? 00 50 FF 95 ?? ?? ?? 00 89 85 }
+	condition:
+		$1 in (pe.entry_point + 6 .. pe.entry_point + 7)
+}
+
 rule asprotect_10 {
 	meta:
 		tool = "P"

From 6aa3fa35064543ab9f3955b66a1644b998768b7d Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Mon, 13 Jul 2020 15:05:26 +0200
Subject: [PATCH 14/15] Remove redundant AHPack YARA rule.

The !EP ExePack and AHPack are the same product under different names.
They both use the same code and therefore should be detected under the
same name.
---
 support/yara_patterns/tools/pe/x86/packers.yara | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index 42e757407..d19dc82a9 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -1584,18 +1584,6 @@ rule adflt2 {
 		$1 at pe.entry_point
 }
 
-rule ahpack_01 {
-	meta:
-		tool = "P"
-		name = "AHPack"
-		version = "0.1"
-		pattern = "606854??????B848??????FF1068B3??????50B844????00FF106800"
-	strings:
-		$1 = { 60 68 54 ?? ?? ?? B8 48 ?? ?? ?? FF 10 68 B3 ?? ?? ?? 50 B8 44 ?? ?? 00 FF 10 68 00 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule ahteam_ep_protector_03_041 {
 	meta:
 		tool = "P"

From dd6a5e55311c7617ed40cf32bbd1693f839a6d19 Mon Sep 17 00:00:00 2001
From: tamaroth <tamaroth@vivaldi.net>
Date: Mon, 13 Jul 2020 15:14:31 +0200
Subject: [PATCH 15/15] Remove incorrect recognition of RLPack.

The detected code was created by Themida, not by RLPack, and should be
marked as such.
---
 src/cpdetect/heuristics/pe_heuristics.cpp | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/cpdetect/heuristics/pe_heuristics.cpp b/src/cpdetect/heuristics/pe_heuristics.cpp
index 02fb9abe0..8e22f5c95 100644
--- a/src/cpdetect/heuristics/pe_heuristics.cpp
+++ b/src/cpdetect/heuristics/pe_heuristics.cpp
@@ -776,9 +776,6 @@ void PeHeuristics::getActiveMarkHeuristics()
 void PeHeuristics::getRLPackHeuristics()
 {
 	if (search.exactComparison(
-			"B800000000600BC07458E8000000005805430000008038E9750361EB35E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944",
-			toolInfo.epOffset)
-		|| search.exactComparison(
 			"57C7C772AFB4DF8D3D5FBA581AFFCF0FACF7F20FBDFEF7C75CDC30270FBAF7330FBBF70FCFBF64A909DB85F681DFAC194648F7DF0FA3F7C7C741BC79A085F7D1",
 			toolInfo.epOffset))
 	{
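Review bot: The description says this stub belongs to Themida and should be marked as such, but the series only removes the pattern from `getRLPackHeuristics`; nothing visible adds it to a Themida heuristic or YARA rule, so unless Themida detection already covers these bytes, files carrying this stub now go undetected rather than being relabelled. Worth confirming against a sample, or adding the pattern to the Themida heuristics in the same change. A minor style point: the surviving argument lines keep the three-tab indent that made sense under the `||` continuation; with a single call they would normally sit one level in, as `search.exactComparison(` / `"57C7...",` / `toolInfo.epOffset))`. getRLPackHeuristics continues past the hunk.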