Sneed-Reactivity/yara-mikesxrs/chuongdong/ContiV2.yar

20 lines
729 B
Text
Raw Normal View History

rule ContiV2 {
meta:
description = "YARA rule for Conti Ransomware v2"
reference = "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/"
author = "@cPeterr"
date = "2020-12-15"
rule_version = "v2"
malware_type = "ransomware"
malware_family = "Ransom:W32/Conti"
tlp = "white"
strings:
$str1 = "polzarutu1982@protonmail.com"
$str2 = "http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion"
$str3 = "expand 32-byte k"
$string_decryption = { 8a 07 8d 7f 01 0f b6 c0 b9 ?? 00 00 00 2b c8 6b c1 ?? 99 f7 fe 8d 42 7f 99 f7 fe 88 57 ff }
$compare_size = { ?? ?? 00 00 50 00 }
condition:
all of ($str*) and $string_decryption and $compare_size
}