Sneed-Reactivity/yara-Neo23x0/crime_mal_grandcrab.yar

15 lines
607 B
Text
Raw Normal View History

import "pe"
rule MAL_GandCrab_Apr18_1 {
meta:
description = "Detects GandCrab malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/MarceloRivero/status/988455516094550017"
date = "2018-04-23"
hash1 = "6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff"
id = "ef7983cd-a7b3-5ce2-8cff-1bcf35bc6140"
condition:
uint16(0) == 0x5a4d and filesize < 800KB and pe.imphash() == "7936b0e9491fd747bf2675a7ec8af8ba"
}