18 lines
665 B
Text
18 lines
665 B
Text
|
rule doc_efax_buran {
|
||
|
meta:
|
||
|
author = "Alex Holland (@cryptogramfan)"
|
||
|
reference = "https://threatresearch.ext.hp.com/buran-ransomware-targets-german-organisations-through-malicious-spam-campaign/"
|
||
|
date = "2019-10-10"
|
||
|
sample_1 = "7DD46D28AAEC9F5B6C5F7C907BA73EA012CDE5B5DC2A45CDA80F28F7D630F1B0"
|
||
|
sample_2 = "856D0C14850BE7D45FA6EE58425881E5F7702FBFBAD987122BB4FF59C72507E2"
|
||
|
sample_3 = "33C8E805D8D8A37A93D681268ACCA252314FF02CF9488B6B2F7A27DD07A1E33A"
|
||
|
|
||
|
strings:
|
||
|
$vba = "vbaProject.bin" ascii nocase
|
||
|
$image = "image1.jpeg" ascii nocase
|
||
|
$padding_xml = /[a-zA-Z0-9]{5,40}\d{10}\.xml/ ascii
|
||
|
|
||
|
condition:
|
||
|
all of them and filesize < 800KB
|
||
|
}
|