Sneed-Group/Sneed-Reactivity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Sneed-Reactivity/yara-mikesxrs/Mandiant/LOCKBIT_Note_PE_v2.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK 
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

29 lines
511 B
Text
Raw Permalink Blame History

rule LOCKBIT_Note_PE_v2
{
meta:
reference = "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions"
strings:
$onion = /http:\/\/lockbit[a-z0-9]{9,49}.onion/ ascii wide
$note1 = "restore-my-files.txt" nocase ascii wide
$note2 = /lockbit[_-](ransomware|note)\.hta/ nocase ascii wide
$v2 = "LockBit_2_0_Ransom" nocase wide
condition:
(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
}
Reference in a new issue View git blame Copy permalink