rule MAL_RANSOM_REvil_Oct20_1 {
   meta:
      description = "Detects REvil ransomware"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2020-10-13"
      // Reference samples the patterns below were derived from (SHA-256)
      hash1 = "5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4"
      hash2 = "f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5"
      hash3 = "f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d"
      hash4 = "fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501"
   strings:
      // Raw code byte sequences (the $op prefix suggests opcode patterns);
      // all five are weighted equally by the "N of them" counts below
      $op1 = { 0f 8c 74 ff ff ff 33 c0 5f 5e 5b 8b e5 5d c3 8b }
      $op2 = { 8d 85 68 ff ff ff 50 e8 2a fe ff ff 8d 85 68 ff }
      $op3 = { 89 4d f4 8b 4e 0c 33 4e 34 33 4e 5c 33 8e 84 }
      $op4 = { 8d 85 68 ff ff ff 50 e8 05 06 00 00 8d 85 68 ff }
      $op5 = { 8d 85 68 ff ff ff 56 57 ff 75 0c 50 e8 2f }
   condition:
      // YARA binds 'and' tighter than 'or', so the unparenthesised original
      // ("... and 2 of them or 4 of them") already evaluates exactly as the
      // grouping written out here. Two hits are enough for a small PE
      // ('MZ' header at offset 0, under 400 KB); four hits match with no
      // header or size guard at all, so the second branch can also fire on
      // non-PE input such as memory dumps or larger carrier files.
      (
         uint16(0) == 0x5a4d and
         filesize < 400KB and
         2 of them
      )
      or 4 of them
}