Sneed-Reactivity/yara-mikesxrs/Mikesxrs/HermeticWiperCert.yar


import "pe"
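rule HermeticWiper_Certificate {
    /*
       Flags PE files whose Authenticode signature data contains a certificate
       with the serial number given in the condition.

       NOTE(review): the match is on the certificate serial alone, so every
       file carrying this certificate hits, not only the sample listed in
       `hash`. Treat a hit as "signed with this certificate" and triage from
       there. Pairing the serial with the certificate issuer would tighten
       the rule; the issuer value is not shown here, so confirm it against
       the sample before adding it.
    */
    meta:
        // Meta fields are informational only; none of them is evaluated.
        description = "Detects a certificate used in HermeticWiper Attack"
        date = "2022-02-24"
        author = "@X0RC1SM"
        hash = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
        malware = "HermeticWiper"
    condition:
        // "MZ" magic at offset 0: cheap pre-filter before the pe module
        // fields are consulted.
        uint16(0) == 0x5a4d and
        // YARA ranges are inclusive and pe.signatures[] is zero-based, so the
        // last valid index is number_of_signatures - 1. The original upper
        // bound read one entry past the end (an undefined value).
        for any i in (0 .. pe.number_of_signatures - 1) : (
            // Exact string comparison: keep the lowercase, colon-separated
            // hex form, which is how the pe module renders serials.
            pe.signatures[i].serial == "0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec"
        )
}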