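// Generic ransomware indicator: a PE file that carries one of the common
// ransom-note file names / headings as an embedded string. This is a
// low-confidence "suspicious" rule (score 60), meant for triage rather than
// as a stand-alone verdict.
rule SUSP_RANSOMWARE_Indicator_Jul20 {
   meta:
      description = "Detects ransomware indicator"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
      date = "2020-07-28"
      score = 60
      hash1 = "52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6"
      hash2 = "5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473"
      hash3 = "6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306"
      id = "6036fdfd-8474-5d79-ac75-137ac2efdc77"
   strings:
      // Ransom-note file names. YARA string matching is case-sensitive unless
      // 'nocase' is given, so "Decrypt.txt" and "DECRYPT.txt" are distinct
      // patterns and both are listed on purpose. 'ascii wide' matches both the
      // 8-bit and the UTF-16LE encoding of each name.
      // Exact duplicates of "DecryptFiles.txt" and "DecryptFilesHere.txt"
      // present in the original rule were removed; '1 of them' is unaffected.
      $ = "Decrypt.txt" ascii wide
      $ = "DecryptFiles.txt" ascii wide
      $ = "Decrypt-Files.txt" ascii wide
      $ = "DecryptFilesHere.txt" ascii wide
      $ = "DECRYPT.txt" ascii wide
      $ = "DECRYPT-FILES.txt" ascii wide
      $ = "DECRYPT_INSTRUCTION.TXT" ascii wide
      $ = "FILES ENCRYPTED.txt" ascii wide
      $ = "DECRYPT FILES.txt" ascii wide
      // Ransom-note headings / folder names (no extension).
      $ = "DECRYPT MY FILES" ascii wide
      $ = "DECRYPT-MY-FILES" ascii wide
      $ = "DECRYPT_MY_FILES" ascii wide
      $ = "DECRYPT YOUR FILES" ascii wide
      $ = "DECRYPT-YOUR-FILES" ascii wide
      $ = "DECRYPT_YOUR_FILES" ascii wide
   condition:
      // "MZ" at offset 0: only PE executables are candidates. Without this, the
      // dropped ransom notes themselves (plain text containing these names)
      // would fire the rule on every victim host.
      uint16(0) == 0x5a4d and
      // Size cap keeps scanning cheap and excludes large legitimate binaries
      // that may mention these strings (e.g. AV/decryptor tools).
      filesize < 1400KB and
      // Any single indicator is enough; the low score reflects that a lone
      // note name is suspicious, not conclusive.
      1 of them
}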