15 lines
607 B
Text
15 lines
607 B
Text
|
import "pe"
|
||
|
|
||
|
rule MAL_GandCrab_Apr18_1 {
|
||
|
meta:
|
||
|
description = "Detects GandCrab malware"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://twitter.com/MarceloRivero/status/988455516094550017"
|
||
|
date = "2018-04-23"
|
||
|
hash1 = "6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff"
|
||
|
id = "ef7983cd-a7b3-5ce2-8cff-1bcf35bc6140"
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 800KB and pe.imphash() == "7936b0e9491fd747bf2675a7ec8af8ba"
|
||
|
}
|