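/*
   Generic ransomware indicator: ransom-note file names and "decrypt my/your files"
   phrases embedded in a PE image.

   Matches a file that starts with the MZ header, is smaller than 1400 KB and
   contains at least one of the strings below, in ASCII or in UTF-16LE (`wide`).
   The strings are short and generic (e.g. "DECRYPT MY FILES"), which is why the
   rule carries a medium score; corroborate a hit with other evidence rather than
   treating it as a verdict on its own.

   Matching is case-sensitive (no `nocase`), so variants such as "Decrypt.txt" and
   "DECRYPT.txt" are listed separately on purpose. Each string appears once:
   under `1 of them` a duplicate anonymous string adds nothing.
*/
rule SUSP_RANSOMWARE_Indicator_Jul20 {
   meta:
      description = "Detects ransomware indicator"
      author = "Florian Roth"
      reference = "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
      date = "2020-07-28"
      score = 60
      hash1 = "52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6"
      hash2 = "5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473"
      hash3 = "6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306"
   strings:
      // Ransom-note file names
      $ = "Decrypt.txt" ascii wide
      $ = "DecryptFiles.txt" ascii wide
      $ = "Decrypt-Files.txt" ascii wide
      $ = "DecryptFilesHere.txt" ascii wide
      $ = "DECRYPT.txt" ascii wide
      $ = "DECRYPT-FILES.txt" ascii wide
      $ = "DECRYPT_INSTRUCTION.TXT" ascii wide
      $ = "FILES ENCRYPTED.txt" ascii wide
      $ = "DECRYPT FILES.txt" ascii wide
      // Ransom-note phrases (space, dash and underscore separated variants)
      $ = "DECRYPT MY FILES" ascii wide
      $ = "DECRYPT-MY-FILES" ascii wide
      $ = "DECRYPT_MY_FILES" ascii wide
      $ = "DECRYPT YOUR FILES" ascii wide
      $ = "DECRYPT-YOUR-FILES" ascii wide
      $ = "DECRYPT_YOUR_FILES" ascii wide
   condition:
      // 0x5a4d is "MZ": restrict the rule to PE images
      uint16(0) == 0x5a4d and
      // keep the scan cheap and exclude large carriers (installers, archives with stubs)
      filesize < 1400KB and
      1 of them
}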