- https://www.hybrid-analysis.com/yara-search/results/6e0f149bbab7043a756d8414d2bd3b1b140dc2cac6cca6519140236f4bcc323b
- ~~~
- import "pe"
- import "hash"
- // Rich-header toolchain fingerprint: true for any PE whose Rich signature
- // contains ALL of these (toolid, build) pairs, in any order and with any
- // other entries present.  Builds 40219 and 30729 are the toolchain build
- // numbers the linker recorded for the reference sample.
- // Caveats for use: the Rich header is optional and trivially stripped or
- // rewritten, and every other binary produced by the same toolchain set will
- // match, so a hit is weak evidence on its own.  NOTE(review): (1, 0) is
- // believed to be a generic linker bookkeeping entry present in most Rich
- // headers and to add little discrimination - confirm before relying on it.
- rule UNORDERED_ARRAY {
- condition:
- pe.rich_signature.toolid(171,40219)
- and pe.rich_signature.toolid(158,40219)
- and pe.rich_signature.toolid(170,40219)
- and pe.rich_signature.toolid(147,30729)
- and pe.rich_signature.toolid(1,0)
- and pe.rich_signature.toolid(174,40219)
- and pe.rich_signature.toolid(157,40219)
- }
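- // Raw-byte counterpart of the toolid() rule: each $entryN is the
- // little-endian comp.id DWORD ((toolid << 16) | build) XORed with the Rich
- // key 0x48861F6A, e.g. $entry1 = ((171 << 16) | 40219) ^ 0x48861F6A
- // = 0x482D8271 -> 71 82 2D 48.  Besides presence, the condition requires the
- // seven entries to appear in this order.
- // The original condition compared first occurrences anywhere in the file, so
- // a stray 4-byte hit outside the header (or a non-PE blob) could satisfy or
- // break the ordering test; the checks below pin the hits to a real Rich
- // signature encoded with this key.  Only first occurrences are considered,
- // so a stray earlier hit will make the rule miss rather than misfire.
- rule ORDERED_XOR {
- strings:
- $entry1 = { 71 82 2D 48 } // toolid 171, build 40219
- $entry2 = { 71 82 18 48 } // toolid 158, build 40219
- $entry3 = { 71 82 2C 48 } // toolid 170, build 40219
- $entry4 = { 63 67 15 48 } // toolid 147, build 30729
- $entry5 = { 6A 1F 87 48 } // toolid 1,   build 0
- $entry6 = { 71 82 28 48 } // toolid 174, build 40219
- $entry7 = { 71 82 1B 48 } // toolid 157, build 40219
- condition:
- // Rich signature must exist and use the key these bytes were encoded with;
- // both are undefined (rule false) when the file has no Rich header.
- pe.rich_signature.key == 0x48861F6A
- // First and last entry inside the signature; the ordering chain below then
- // places the other five between them.
- and @entry1[1] >= pe.rich_signature.offset
- and @entry7[1] < pe.rich_signature.offset + pe.rich_signature.length
- and @entry1[1] < @entry2[1]
- and @entry2[1] < @entry3[1]
- and @entry3[1] < @entry4[1]
- and @entry4[1] < @entry5[1]
- and @entry5[1] < @entry6[1]
- and @entry6[1] < @entry7[1]
- }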
- // Narrowest of the Rich-based rules: the XOR key is a checksum computed over
- // the DOS header and the Rich entries, so an exact key match ties a hit to
- // one build (or byte-identical copies of it).  Like the other Rich rules it
- // is defeated by stripping or rewriting the header, and a single-key match
- // will not follow the family across rebuilds.
- rule XOR_KEY {
- condition:
- pe.rich_signature.key == 0x48861F6A
- }
- // Exact-match fingerprint: SHA-256 of the decoded (XOR removed) Rich
- // signature bytes.  Any change to the entry list or its use counts changes
- // the hash, so this only finds builds whose Rich header is identical to the
- // reference sample's.
- rule CLEAR_DATA {
- condition:
- hash.sha256(pe.rich_signature.clear_data) == "7f73991dc669016d9c280382589b382d9b626c2c218f98f5a31868feb1624bb3"
- }
- ~~~
- The rule below should match the `k.txt` Phobos variant currently circulating (reference sample hash in its meta).
- ~~~
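- // Phobos ransomware sample rule.  Detection logic is unchanged except that
- // the MZ check is now the idiomatic uint16(0) test: the original declared
- // "MZ" as a string pattern, which makes the scanner search the whole file
- // for a two-byte pattern only to check offset 0.
- // Caveats: $string1-$string22 are ordinary kernel32/CRT imports found in a
- // large share of Windows binaries; the sample-specific parts are "k.txt",
- // "HRichj" and "QSVW" (NOTE(review): "HRichj" looks like the Rich-header
- // "Rich" marker with neighbouring key bytes - confirm on the sample).  The
- // exact-size test (117KB = 119808 bytes) will break on any repack or
- // rebuild; widen it to a range once more samples are available.
- rule phobos
- {
- meta:
- description = "Phobos"
- author = "James_inthe_box"
- reference = "1fb74c647bd1320d2290a34db318de7afefe5906b2b6035cc711b60f563eb59b"
- date = "2019/01"
- maltype = "Ransomware"
- strings:
- $string1 = "kernel32.dll"
- $string2 = "LoadLibraryA"
- $string3 = "GetProcAddress"
- $string4 = "ExitProcess"
- $string5 = "GetModuleHandleW"
- $string6 = "GetCommandLineA"
- $string7 = "HeapSetInformation"
- $string8 = "TerminateProcess"
- $string9 = "GetCurrentProcess"
- $string10 = "UnhandledExceptionFilter"
- $string11 = "SetUnhandledExceptionFilter"
- $string12 = "IsDebuggerPresent"
- $string13 = "EnterCriticalSection"
- $string14 = "LeaveCriticalSection"
- $string15 = "DecodePointer"
- $string16 = "EncodePointer"
- $string17 = "ReadFile"
- $string18 = "WriteFile"
- $string19 = "FlushFileBuffers"
- $string20 = "CloseHandle"
- $string21 = "SetFilePointer"
- $string22 = "DeleteFileA"
- $string23 = "k.txt"
- $string24 = "HRichj"
- $string25 = "QSVW"
- condition:
- // "MZ" at offset 0 (little-endian 0x5A4D), cheap checks first.
- uint16(0) == 0x5A4D and filesize == 117KB and all of ($string*)
- }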
- ~~~