08e8d462fe
RED PILL 🔴 💊
45 lines
1.7 KiB
Text
45 lines
1.7 KiB
Text
|
|
rule MAL_RANSOM_DarkBit_Feb23_1 {
|
|
meta:
|
|
description = "Detects indicators found in DarkBit ransomware"
|
|
author = "Florian Roth"
|
|
reference = "https://twitter.com/idonaor1/status/1624703255770005506?s=12&t=mxHaauzwR6YOj5Px8cIeIw"
|
|
date = "2023-02-13"
|
|
score = 75
|
|
id = "d209a0c2-f649-5fb1-9ecd-f1c35caa796f"
|
|
strings:
|
|
$s1 = ".onion" ascii
|
|
$s2 = "GetMOTWHostUrl"
|
|
|
|
$x1 = "hus31m7c7ad.onion"
|
|
$x2 = "iw6v2p3cruy"
|
|
$xn1 = "You will receive decrypting key after the payment."
|
|
condition:
|
|
uint16(0) == 0x5a4d and
|
|
filesize < 10MB and (
|
|
1 of ($x*) or 2 of them
|
|
) or 4 of them
|
|
or ( filesize < 10MB and $xn1 ) // Ransom note
|
|
}
|
|
|
|
rule MAL_RANSOM_DarkBit_Feb23_2 {
|
|
meta:
|
|
description = "Detects Go based DarkBit ransomware (garbled code; could trigger on other obfuscated samples, too)"
|
|
author = "Florian Roth"
|
|
reference = "https://www.hybrid-analysis.com/sample/9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff?environmentId=160"
|
|
date = "2023-02-13"
|
|
score = 75
|
|
hash1 = "9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff"
|
|
id = "f530815c-68e7-55f1-8e36-bc74a1059584"
|
|
strings:
|
|
$s1 = "runtime.initLongPathSupport" ascii fullword
|
|
$s2 = "reflect." ascii
|
|
$s3 = " \"processes\": []," ascii fullword
|
|
$s4 = "^!* %!(!" ascii fullword
|
|
|
|
$op1 = { 4d 8b b6 00 00 00 00 48 8b 94 24 40 05 00 00 31 c0 87 82 30 03 00 00 b8 01 00 00 00 f0 0f c1 82 00 03 00 00 48 8b 44 24 48 48 8b 0d ba 1f 32 00 }
|
|
$op2 = { 49 8d 49 01 0f 1f 00 48 39 d9 7c e2 b9 0b 00 00 00 49 89 d8 e9 28 fc ff ff e8 89 6c d7 ff }
|
|
condition:
|
|
uint16(0) == 0x5a4d and
|
|
filesize < 20000KB and all of them
|
|
}
|