import "pe" rule APT_MAL_REvil_Kaseya_Jul21_1 { meta: description = "Detects malware used in the Kaseya supply chain attack" author = "Florian Roth (Nextron Systems)" reference = "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b" date = "2021-07-02" hash1 = "1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e" hash2 = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7" hash3 = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f" hash4 = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e" id = "7356f4ea-183f-52ec-a167-fc16b8bfb55a" strings: $s1 = "Mpsvc.dll" wide fullword $s2 = ":0:4:8:<:@:D:H:L:P:T:X:\\:`:d:h:l:p:t:x:H