20 lines
729 B
Text
20 lines
729 B
Text
|
rule ContiV2 {
|
||
|
meta:
|
||
|
description = "YARA rule for Conti Ransomware v2"
|
||
|
reference = "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/"
|
||
|
author = "@cPeterr"
|
||
|
date = "2020-12-15"
|
||
|
rule_version = "v2"
|
||
|
malware_type = "ransomware"
|
||
|
malware_family = "Ransom:W32/Conti"
|
||
|
tlp = "white"
|
||
|
strings:
|
||
|
$str1 = "polzarutu1982@protonmail.com"
|
||
|
$str2 = "http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion"
|
||
|
$str3 = "expand 32-byte k"
|
||
|
$string_decryption = { 8a 07 8d 7f 01 0f b6 c0 b9 ?? 00 00 00 2b c8 6b c1 ?? 99 f7 fe 8d 42 7f 99 f7 fe 88 57 ff }
|
||
|
$compare_size = { ?? ?? 00 00 50 00 }
|
||
|
condition:
|
||
|
all of ($str*) and $string_decryption and $compare_size
|
||
|
}
|