valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 10:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

rule: ransomware REvil

Browse Source
This commit is contained in:
Florian Roth 2020-10-13 19:10:51 +02:00
parent 1db17193f1
commit db2a68fa64
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
yara/crime_ransom_revil.yar Normal file
View File

@ -0,0 +1,22 @@
rule MAL_RANSOM_REvil_Oct20_1 {
meta:
description = "Detects REvil ransomware"
author = "Florian Roth"
reference = "Internal Research"
date = "2020-10-13"
hash1 = "5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4"
hash2 = "f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5"
hash3 = "f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d"
hash4 = "fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501"
strings:
$op1 = { 0f 8c 74 ff ff ff 33 c0 5f 5e 5b 8b e5 5d c3 8b }
$op2 = { 8d 85 68 ff ff ff 50 e8 2a fe ff ff 8d 85 68 ff }
$op3 = { 89 4d f4 8b 4e 0c 33 4e 34 33 4e 5c 33 8e 84 }
$op4 = { 8d 85 68 ff ff ff 50 e8 05 06 00 00 8d 85 68 ff }
$op5 = { 8d 85 68 ff ff ff 56 57 ff 75 0c 50 e8 2f }
condition:
uint16(0) == 0x5a4d and
filesize < 400KB and
2 of them or 4 of them
}