Sneed-Reactivity/yara-mikesxrs/HP_Security/doc_efax_buran.yar

18 lines
665 B
Text
Raw Normal View History

rule doc_efax_buran {
meta:
author = "Alex Holland (@cryptogramfan)"
reference = "https://threatresearch.ext.hp.com/buran-ransomware-targets-german-organisations-through-malicious-spam-campaign/"
date = "2019-10-10"
sample_1 = "7DD46D28AAEC9F5B6C5F7C907BA73EA012CDE5B5DC2A45CDA80F28F7D630F1B0"
sample_2 = "856D0C14850BE7D45FA6EE58425881E5F7702FBFBAD987122BB4FF59C72507E2"
sample_3 = "33C8E805D8D8A37A93D681268ACCA252314FF02CF9488B6B2F7A27DD07A1E33A"
strings:
$vba = "vbaProject.bin" ascii nocase
$image = "image1.jpeg" ascii nocase
$padding_xml = /[a-zA-Z0-9]{5,40}\d{10}\.xml/ ascii
condition:
all of them and filesize < 800KB
}