Sneed-Reactivity/yara-mikesxrs/Cluster 25/UNC1222_HermeticWiper_23433_10001.yar

17 lines
618 B
Text
Raw Permalink Normal View History

rule UNC1222_HermeticWiper_23433_10001 {
meta:
date = "2022-02-23"
description = "Detects HermeticWiper variants by internal strings"
author = "Cluster25"
tlp = "white"
hash1 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
hash2 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
report = "https://blog.cluster25.duskrise.com/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware"
strings:
$ = "tdrv.pdb" fullword ascii
$ = "\\\\.\\EPMNTDRV\\%u" fullword wide
$ = "PhysicalDrive%u" fullword wide
$ = "Hermetica Digital Ltd"
condition:
(uint16(0) == 0x5a4d and all of them)
}