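rule LOCKBIT_Note_PE_v1
{
    meta:
        description = "PE file that references a lockbit*.onion URL and both LockBit ransom-note filenames, and does not carry the LockBit 2.0 ransom marker"
        reference = "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions"

    strings:
        // Onion URL referenced by the note. The dot before "onion" is escaped:
        // an unescaped "." matches any character, which needlessly widens the
        // pattern (the $note2 regex already escapes its "." the same way).
        $onion = /http:\/\/lockbit[a-z0-9]{9,49}\.onion/ ascii wide

        // Ransom-note filenames; the condition requires both ($note*) to hit.
        $note1 = "restore-my-files.txt" nocase ascii wide
        $note2 = /lockbit[_-](ransomware|note)\.hta/ nocase ascii wide

        // LockBit 2.0 ransom marker; its presence excludes the file from this rule.
        $v2 = "LockBit_2_0_Ransom" nocase wide

    condition:
        // MZ magic at offset 0 and "PE\0\0" at e_lfanew: limit matches to PE files.
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)
        and $onion
        and (all of ($note*)) and not $v2
}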