Sneed-Reactivity/yara-mikesxrs/Tenable/cerber3.yar

22 lines
747 B
Text
Raw Permalink Normal View History

rule ammyy_cerber3 {
meta:
description = "Rule to detect Ammyy Admin / Cerber 3.0 Ransomware"
author = "Rich Walchuck"
source = "AA_v3.5.exe"
md5 = "54d07ec77e3daaf32b2ba400f34dd370"
sha1 = "3a99641ba00047e1be23dfae4fcf6242b8b8eb10"
sha256 = "99b84137b5b8b3c522414e332526785e506ed2dbe557eafc40a7bcf47b623d88"
date = "09/28/2016"
strings:
$s0 = "mailto:support@ammy.com" fullword ascii
$s1 = "@$&%04\\Uninstall.exe" fullword ascii
$s2 = "@$&%05\\encrypted.exe" fullword ascii
$s3 = "http://www.ammy.com/" fullword ascii
$s4 = "@$&%05\\AA_v3.exe" fullword ascii
$s5 = "ammy 1.00 - Smart Install Maker" fullword ascii
$s6 = "ammy 1.00 Installation" fullword wide
$s7 = "Ammy" fullword wide
condition:
all of them
}