
Sample Yara

a guest
Jan 25th, 2019
  1.  
  2. /* Rule Set ----------------------------------------------------------------- */
  3.  
  4. import "pe"
  5.  
  6. rule artifact_sample {
  7. meta:
  8. description = "sample.exe"
  9. author = "V"
  10. hash1 = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"
  11. strings:
  12. $x1 = ".?AV?$clone_impl@U?$error_info_injector@Vtask_already_started@boost@@@exception_detail@boost@@@exception_detail@boost@@" fullword ascii
  13. $s2 = ".?AV?$clone_impl@U?$error_info_injector@Vtask_moved@boost@@@exception_detail@boost@@@exception_detail@boost@@" fullword ascii
  14. $s3 = ".?AU?$error_info_injector@Vtask_already_started@boost@@@exception_detail@boost@@" fullword ascii
  15. $s4 = "Attempts to restore your data with third party software as Photorec, RannohDecryptor etc." fullword wide
  16. $s5 = "E:\\crypto-locker\\tpls_MSVC\\include\\boost-1_68\\boost/thread/concurrent_queues/detail/sync_queue_base.hpp" fullword ascii
  17. $s6 = ".?AU?$error_info_injector@Usync_queue_is_closed@concurrent@boost@@@exception_detail@boost@@" fullword ascii
  18. $s7 = ".?AU?$error_info_injector@Vtask_moved@boost@@@exception_detail@boost@@" fullword ascii
  19. $s8 = ".?AV?$clone_impl@U?$error_info_injector@Vinvalid_command_line_syntax@program_options@boost@@@exception_detail@boost@@@exception_" ascii
  20. $s9 = ".?AU?$basic_pipebuf@_WU?$char_traits@_W@std@@@process@boost@@" fullword ascii
  21. $s10 = ".?AU?$task_shared_state@V?$_Binder@U_Unforced@std@@AAV<lambda_8a7570b976bc101d83292d43f9603e9c>@@HI@std@@X@detail@boost@@" fullword ascii
  22. $s11 = "E:\\crypto-locker\\tpls_MSVC\\include\\boost-1_68\\boost/exception/detail/exception_ptr.hpp" fullword ascii
  23. $s12 = "You should be thankful that the flaw was exploited by serious people and not some rookies." fullword wide
  24. $s13 = ".?AUprocess_error@process@boost@@" fullword ascii
  25. $s14 = ".?AV?$basic_ipstream@_WU?$char_traits@_W@std@@@process@boost@@" fullword ascii
  26. $s15 = ".?AVwindows_file_codecvt@windows@detail@process@boost@@" fullword ascii
  27. $s16 = ".?AV?$ModePolicyCommonTemplate@UAdditiveCipherAbstractPolicy@CryptoPP@@@CryptoPP@@" fullword ascii
  28. $s17 = "CreateProcess failed" fullword ascii
  29. $s18 = "CottleAkela@protonmail.com;QyavauZehyco1994@o2.pl" fullword wide
  30. $s19 = "E:\\crypto-locker\\cryptopp\\src\\rijndael_simd.cpp" fullword ascii
  31. $s20 = "As soon as we receive the payment you will get the decryption tool and" fullword wide
  32. condition:
  33. uint16(0) == 0x5a4d and filesize < 4000KB and
  34. ( pe.imphash() == "c226ac4bab6f48634bacbb7a1d34f8f6" or ( 1 of ($x*) or 4 of them ) )
  35. }
  36.  
  37. ~