fix NitrogenLoader YARA

[ruppde]

The rule matches on the ELF binary /usr/bin/git-remote-keybase (151e6dfdaa05c93e9c36e3e6dd015e9b8dc786ae9a88a373be9f1a04e3db7a20) so I added a uint16(0) == 0x5a4d to limit it to PE.

matched strings were:

$ yara -s nitro.yar /usr/bin/git-remote-keybase 
NitrogenLoader /usr/bin/git-remote-keybase
0x2587ca0:$stringaes1: 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA
0x2587da0:$stringaes2: 52 09 6A D5 30 36 A5 38 BF 40 A3 9E 81 F3 D7 FB 7C E3 39 82 9B
0x7bbba6:$syscallnumber: 49 89 C3 B8 02 00 00 00 E8 4D 79 00 00

It probably has more false positives on PE files if it hits on a ELF, you might want to check it out.

[gemini-code-assist]

Code Review

This pull request updates the NitrogenLoader YARA rule by adding a check for the PE file header (0x5a4d) to the condition. Feedback was provided to move this header check to the beginning of the condition to optimize performance through short-circuiting.

[gemini-code-assist]

For better performance, it is recommended to place the file header check (uint16(0) == 0x5a4d) at the beginning of the condition. This allows YARA to short-circuit the evaluation for non-PE files immediately, avoiding unnecessary processing of the more complex string and pattern matching logic.

        uint16(0) == 0x5a4d and
        ((2 of ($string*) and any of ($syscall*)) or 4 of ($decrypt*) or ((3 of ($taskman_*) or 3 of ($installers*)) and all of ($rc4decrypt_*)))

[kevoreilly]

Thank you