
Sample Yara

  2. /* Rule Set ----------------------------------------------------------------- */
  3.  
  4. import "pe"
  5.  
  6. rule artifact_sample {
  7.    meta:
  8.       description = "sample.exe"
  9.       author = "V"
  10.       hash1 = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"
  11.    strings:
  12.       $x1 = ".?AV?$clone_impl@U?$error_info_injector@Vtask_already_started@boost@@@exception_detail@boost@@@exception_detail@boost@@" fullword ascii
  13.       $s2 = ".?AV?$clone_impl@U?$error_info_injector@Vtask_moved@boost@@@exception_detail@boost@@@exception_detail@boost@@" fullword ascii
  14.       $s3 = ".?AU?$error_info_injector@Vtask_already_started@boost@@@exception_detail@boost@@" fullword ascii
  15.       $s4 = "Attempts to restore your data with third party software as Photorec, RannohDecryptor etc." fullword wide
  16.       $s5 = "E:\\crypto-locker\\tpls_MSVC\\include\\boost-1_68\\boost/thread/concurrent_queues/detail/sync_queue_base.hpp" fullword ascii
  17.       $s6 = ".?AU?$error_info_injector@Usync_queue_is_closed@concurrent@boost@@@exception_detail@boost@@" fullword ascii
  18.       $s7 = ".?AU?$error_info_injector@Vtask_moved@boost@@@exception_detail@boost@@" fullword ascii
  19.       $s8 = ".?AV?$clone_impl@U?$error_info_injector@Vinvalid_command_line_syntax@program_options@boost@@@exception_detail@boost@@@exception_" ascii
  20.       $s9 = ".?AU?$basic_pipebuf@_WU?$char_traits@_W@std@@@process@boost@@" fullword ascii
  21.       $s10 = ".?AU?$task_shared_state@V?$_Binder@U_Unforced@std@@AAV<lambda_8a7570b976bc101d83292d43f9603e9c>@@HI@std@@X@detail@boost@@" fullword ascii
  22.       $s11 = "E:\\crypto-locker\\tpls_MSVC\\include\\boost-1_68\\boost/exception/detail/exception_ptr.hpp" fullword ascii
  23.       $s12 = "You should be thankful that the flaw was exploited by serious people and not some rookies." fullword wide
  24.       $s13 = ".?AUprocess_error@process@boost@@" fullword ascii
  25.       $s14 = ".?AV?$basic_ipstream@_WU?$char_traits@_W@std@@@process@boost@@" fullword ascii
  26.       $s15 = ".?AVwindows_file_codecvt@windows@detail@process@boost@@" fullword ascii
  27.       $s16 = ".?AV?$ModePolicyCommonTemplate@UAdditiveCipherAbstractPolicy@CryptoPP@@@CryptoPP@@" fullword ascii
  28.       $s17 = "CreateProcess failed" fullword ascii
  29.       $s18 = "CottleAkela@protonmail.com;QyavauZehyco1994@o2.pl" fullword wide
  30.       $s19 = "E:\\crypto-locker\\cryptopp\\src\\rijndael_simd.cpp" fullword ascii
  31.       $s20 = "As soon as we receive the payment you will get the decryption tool and" fullword wide
  32.    condition:
  33.       uint16(0) == 0x5a4d and filesize < 4000KB and
  34.       ( pe.imphash() == "c226ac4bab6f48634bacbb7a1d34f8f6" or ( 1 of ($x*) or 4 of them ) )
  35. }
 