diff --git a/yara/exploit/Win32.Exploit.CVE20200601.yara b/yara/exploit/Win32.Exploit.CVE20200601.yara index c1157b3..ae1c173 100644 --- a/yara/exploit/Win32.Exploit.CVE20200601.yara +++ b/yara/exploit/Win32.Exploit.CVE20200601.yara @@ -10,6 +10,7 @@ rule Win32_Exploit_CVE20200601 : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "EXPLOIT" + exploit = "CVE-2020-0601" description = "Yara rule that detects CVE-2020-0601 exploit." tc_detection_type = "Exploit" diff --git a/yara/infostealer/Win32.Infostealer.MultigrainPOS.yara b/yara/infostealer/Win32.Infostealer.MultigrainPOS.yara index a6b4e63..6ddb6ab 100644 --- a/yara/infostealer/Win32.Infostealer.MultigrainPOS.yara +++ b/yara/infostealer/Win32.Infostealer.MultigrainPOS.yara @@ -8,6 +8,7 @@ rule Win32_Infostealer_MultigrainPOS : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "MULTIGRAINPOS" description = "Yara rule that detects MultigrainPOS infostealer." tc_detection_type = "Infostealer" diff --git a/yara/infostealer/Win32.Infostealer.ProjectHookPOS.yara b/yara/infostealer/Win32.Infostealer.ProjectHookPOS.yara index 5b34284..e2c1dfc 100644 --- a/yara/infostealer/Win32.Infostealer.ProjectHookPOS.yara +++ b/yara/infostealer/Win32.Infostealer.ProjectHookPOS.yara @@ -8,6 +8,7 @@ rule Win32_Infostealer_ProjectHookPOS : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "PROJECTHOOKPOS" description = "Yara rule that detects ProjectHookPOS infostealer." tc_detection_type = "Infostealer" diff --git a/yara/ransomware/Linux.Ransomware.KillDisk.yara b/yara/ransomware/Linux.Ransomware.KillDisk.yara index c0c0c6c..592201a 100644 --- a/yara/ransomware/Linux.Ransomware.KillDisk.yara +++ b/yara/ransomware/Linux.Ransomware.KillDisk.yara 
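Review bot: The added `exploit = "CVE-2020-0601"` line here, and the `malware = "..."` lines added in every other metadata hunk of this diff (MultigrainPOS, ProjectHookPOS, KillDisk and the Win32 ransomware rules), introduce a meta schema that nothing in the change documents: the key appears to follow `category` (`EXPLOIT` → `exploit`, `MALWARE` → `malware`) and family values are written upper-case (`MULTIGRAINPOS`, `5SS5C`) while the CVE id keeps its canonical form. Tooling that pivots on these fields will otherwise have to infer both conventions, so a one-line statement of them in the repository's rule documentation (README or wherever the meta conventions live), e.g. `malware`/`exploit` holds the family name in upper-case or the CVE id, would be worth adding alongside this change. Each hunk shows only the meta block; the rest of the rule lies outside it.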
@@ -8,6 +8,7 @@ rule Linux_Ransomware_KillDisk : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "KILLDISK" description = "Yara rule that detects KillDisk ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Linux.Ransomware.LuckyJoe.yara b/yara/ransomware/Linux.Ransomware.LuckyJoe.yara new file mode 100644 index 0000000..2635f84 --- /dev/null +++ b/yara/ransomware/Linux.Ransomware.LuckyJoe.yara 
@@ -0,0 +1,146 @@
+rule Linux_Ransomware_LuckyJoe : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "LUCKYJOE"
+ description = "Yara rule that detects LuckyJoe ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "LuckyJoe"
+ tc_detection_factor = 5
+
+ strings:
+
+ $main_call_p1 = {
+ 55 48 89 E5 48 81 EC ?? ?? ?? ?? 48 C7 45 ?? ?? ?? ?? ?? 48 C7 45 ?? ?? ?? ?? ?? 48
+ C7 45 ?? ?? ?? ?? ?? 48 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ??
+ 48 89 45 ?? 48 8B 55 ?? 48 8B 45 ?? 48 89 D6 48 89 C7 E8 ?? ?? ?? ?? 48 8D 75 ?? 48
+ 8B 45 ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? BE ?? ??
+ ?? ?? BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 89 C7 E8
+ ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 48 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? E8 ?? ??
+ ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 35 ?? ?? ?? ?? 48 83 EC ?? 48 8B 45
+ ?? 6A ?? 41 B9 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 C7
+ E8 ?? ?? ?? ?? 48 83 C4 ?? 48 8B 15 ?? ?? ?? ?? 48 8B 45 ?? 48 89 D6 48 89 C7 E8 ??
+ ?? ?? ?? 48 8B 45 ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ??
+ ?? ?? 48 98 48 89 45 ?? 48 8B 45 ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48
+ }
+
+ $main_call_p2 = {
+ 89 C7 E8 ?? ?? ?? ?? 48 98 48 89 45 ?? 48 8B 45 ?? 48 83 C0 ?? 48 89 C7 E8 ?? ?? ??
+ ?? 48 89 45 ?? 48 8B 45 ?? 48 83 C0 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 45
+ ?? 89 C2 48 8B 4D ?? 48 8B 45 ?? 48 89 CE 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 89 C2
+ 48 8B 4D ?? 48 8B 45 ?? 48 89 CE 48 89 C7 E8 ?? ?? ?? ?? 48 8B 55 ?? 48 8B 45 ?? 48
+ 01 D0 C6 00 ?? 48 8B 55 ?? 48 8B 45 ?? 48 01 D0 C6 00 ?? 48 8B 45 ?? 48 8B 55 ?? 48
+ 89 D6 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 83 7D ?? ?? 75 ?? BF ?? ?? ?? ?? E8 ??
+ ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C6 BF ?? ?? ?? ?? B8 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 ?? 74 ?? B8
+ ?? ?? ?? ?? E9 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 45 ??
+ 48 83 7D ?? ?? 74 ?? 48 8B 55 ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 B8
+ }
+
+ $main_call_p3 = {
+ E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 79 ?? 48 8B 45 ?? 89 C7 E8 ?? ?? ?? ?? B8 ?? ??
+ ?? ?? E9 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 89 C7 E8 ?? ??
+ ?? ?? 48 C7 45 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 45
+ ?? 48 83 7D ?? ?? 74 ?? EB ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ??
+ ?? ?? 48 8B 55 ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 89 45 ?? 83 7D ?? ?? 79 ?? 48 8B 45 ?? 89 C7 E8 ?? ?? ?? ?? EB ?? 48 8B 45 ?? 48 89
+ C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 89 C7 E8 ?? ?? ?? ?? EB ?? BF ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ??
+ ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 45 ?? 48 98 48 8B 84
+ C5 ?? ?? ?? ?? 48 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 48 98
+ 48 8B 84 C5 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 83 45 ?? ?? 83 7D ?? ?? 74 ?? BF ??
+ ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8
+ ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? C9 C3
+ }
+
+ $encrypt_files_p1 = {
+ 55 48 89 E5 53 48 81 EC ?? ?? ?? ?? 48 89 BD ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? BA ??
+ ?? ?? ?? B9 ?? ?? ?? ?? 48 89 C7 48 89 D6 F3 48 A5 48 89 F2 48 89 F8 0F B7 0A 66 89
+ 08 48 8D 40 ?? 48 8D 52 ?? 48 C7 45 ?? ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ??
+ 48 C7 45 ?? ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 89 D7
+ F3 48 AB 48 8B 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 83 7D ?? ?? 75
+ ?? 48 8B 85 ?? ?? ?? ?? 48 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ??
+ ?? ?? ?? E9 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 D6 48 89 C7
+ E8 ?? ?? ?? ?? 48 8B 45 ?? 0F B6 40 ?? 3C ?? 0F 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ??
+ 48 89 C7 E8 ?? ?? ?? ?? 48 89 C3 48 8B 45 ?? 48 83 C0 ?? 48 89 C7 E8 ?? ?? ?? ?? 48
+ 01 D8 48 83 C0 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 85 ?? ?? ?? ?? BE ?? ??
+ ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 84 C0 74 ?? 48 8B 45 ?? 48 8D 48 ?? 48 8B 95 ?? ?? ??
+ ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 48 8B 45
+ ?? 48 8D 48 ?? 48 8B 95 ?? ?? ?? ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ??
+ ?? E8 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8B 4D ?? 48 8D 85 ?? ?? ?? ?? 48 89 CE 48
+ 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? EB ?? 48 8B 45 ?? 48 83 C0 ?? 48 89 C7 E8 ?? ?? ??
+ ?? 48 89 C2 48 8B 45 ?? 48 89 C6 48 89 D7 E8 ?? ?? ?? ?? 85 C0 75 ?? 48 8B 45 ?? 48
+ }
+
+ $encrypt_files_p2 = {
+ 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ??
+ ?? EB ?? 48 8D 95 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C6 BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48
+ 89 45 ?? 48 83 7D ?? ?? 75 ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48
+ 8B 45 ?? 0F B6 40 ?? 3C ?? 0F 85 ?? ?? ?? ?? 48 8B 45 ?? 48 83 C0 ?? BE ?? ?? ?? ??
+ 48 89 C7 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 45 ?? 48 83 C0 ?? BE ?? ?? ??
+ ?? 48 89 C7 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 45 ?? 48 83 C0 ?? 48 89 45
+ ?? 48 8B 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C3 48 8B 45 ?? 48 89 C7 E8 ??
+ ?? ?? ?? 48 01 D8 48 83 C0 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 85 ?? ?? ??
+ ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 84 C0 74 ?? 48 8B 45 ?? 48 8D 48 ?? 48 8B
+ 95 ?? ?? ?? ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB
+ ?? 48 8B 45 ?? 48 8D 48 ?? 48 8B 95 ?? ?? ?? ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7
+ B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89
+ C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 83 7D ?? ?? 0F
+ 85 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 5B 5D C3
+ }
+
+ $encrypt_internal_message_p1 = {
+ 55 48 89 E5 53 48 83 EC ?? 48 89 7D ?? 48 89 75 ?? 48 C7 45 ?? ?? ?? ?? ?? BF ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 89 45 ?? 48 8B
+ 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 83 C0 ?? 48 98 48 89 C7 E8 ?? ?? ??
+ ?? 48 89 45 ?? 8B 45 ?? 83 C0 ?? 48 63 D0 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ??
+ ?? ?? ?? 8B 45 ?? 48 63 D0 48 8B 4D ?? 48 8B 45 ?? 48 89 CE 48 89 C7 E8 ?? ?? ?? ??
+ 8B 45 ?? 48 98 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ??
+ ?? ?? ?? 8B 45 ?? 83 E8 ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 66 0F EF C0 F2 0F 2A 45 ??
+ 66 0F EF C9 F2 0F 2A 4D ?? F2 0F 5E C1 E8 ?? ?? ?? ?? F2 0F 2C C0 89 45 ?? 8B 45 ??
+ 0F AF 45 ?? 48 98 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 8B 45 ?? 0F AF 45 ?? 48 63 D0
+ 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 8B 45 ?? 0F AF 45 ?? 89 C3 48 8B
+ 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C6 8B 45 ?? 89 C1 89 DA BF ?? ?? ?? ?? B8 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 48 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ??
+ ?? E9 ?? ?? ?? ?? 8B 45 ?? 2B 45 ?? 3B 45 ?? 7D ?? 8B 45 ?? 2B 45 ?? 89 45 ?? 8B 45
+ ?? 48 63 D0 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 8B 45 ?? 2B 45 ?? 89
+ }
+
+ $encrypt_internal_message_p2 = {
+ C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 48 63 D0 48 8B 45 ?? 48 8D
+ 34 02 48 8B 4D ?? 48 8B 55 ?? 8B 45 ?? 41 B8 ?? ?? ?? ?? 89 C7 E8 ?? ?? ?? ?? 89 45
+ ?? 8B 45 ?? 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 75 ?? E8
+ ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C2 48 8B 45 ?? 48 89 C6 48 89 D7 E8 ?? ?? ?? ?? 48
+ 8B 05 ?? ?? ?? ?? 48 8B 55 ?? BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ??
+ 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? 
?? + ?? ?? 8B 45 ?? 48 63 D0 8B 45 ?? 48 63 C8 48 8B 45 ?? 48 01 C1 48 8B 45 ?? 48 89 C6 + 48 89 CF E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C6 BF ?? ?? ?? ?? + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 01 45 ?? 8B 45 ?? 01 45 ?? 48 8B 45 ?? 48 89 + C7 E8 ?? ?? ?? ?? 83 45 ?? ?? 8B 45 ?? 3B 45 ?? 0F 8E ?? ?? ?? ?? 48 8B 45 ?? 48 89 + C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 8B 4D ?? 48 8B 45 ?? BA ?? ?? + ?? ?? 89 CE 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? + 48 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 45 ?? 48 83 C4 ?? 5B 5D + C3 + } + + condition: + uint32(0) == 0x464C457F and + ( + all of ($main_call_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($encrypt_internal_message_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.5ss5c.yara b/yara/ransomware/Win32.Ransomware.5ss5c.yara index cf0e059..cdce7fe 100644 --- a/yara/ransomware/Win32.Ransomware.5ss5c.yara +++ b/yara/ransomware/Win32.Ransomware.5ss5c.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_5ss5c : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "5SS5C" description = "Yara rule that detects 5ss5c ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.ASN1Encoder.yara b/yara/ransomware/Win32.Ransomware.ASN1Encoder.yara index cc0fcf0..acaf3a4 100644 --- a/yara/ransomware/Win32.Ransomware.ASN1Encoder.yara +++ b/yara/ransomware/Win32.Ransomware.ASN1Encoder.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_ASN1Encoder : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "ASN1ENCODER" description = "Yara rule that detects ASN1Encoder ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Afrodita.yara b/yara/ransomware/Win32.Ransomware.Afrodita.yara index 6b66c84..d8d3139 100644 --- a/yara/ransomware/Win32.Ransomware.Afrodita.yara 
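Review bot: The condition of the new Linux_Ransomware_LuckyJoe rule requires `all of ($main_call_p*)`, `all of ($encrypt_files_p*)` and `all of ($encrypt_internal_message_p*)` but never constrains where the parts match relative to each other, although the split points fall mid-instruction (`$main_call_p1` ends on `48` and `$main_call_p2` opens with `89 C7`, which together look like one `mov rdi, rax`; likewise `48` / `89 C6` for the `$encrypt_files_p*` pair and `89` / `C6 BF` for the `$encrypt_internal_message_p*` pair), so the parts are evidently contiguous fragments of single functions. Anchoring each continuation to its predecessor, e.g. `@main_call_p2 == @main_call_p1 + !main_call_p1` and the same for the other pairs, would stop scattered fragment matches in unrelated x86-64 ELF code from satisfying the rule and costs nothing at scan time. Note that `$main_call_p2` ends on `B8` while `$main_call_p3` starts at `E8`, so the 4-byte immediate of that `mov eax, imm32` seems to be covered by neither part; if that gap is unintended, append `?? ?? ?? ??` to `$main_call_p2` (or add 4 to the offset relation) so the anchoring holds for all three parts. The file is also committed without a trailing newline (`\ No newline at end of file`), which the other rule files in this diff do not appear to share.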
+++ b/yara/ransomware/Win32.Ransomware.Afrodita.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Afrodita : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "AFRODITA" description = "Yara rule that detects Afrodita ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Ako.yara b/yara/ransomware/Win32.Ransomware.Ako.yara index 02e99fa..9227461 100644 --- a/yara/ransomware/Win32.Ransomware.Ako.yara +++ b/yara/ransomware/Win32.Ransomware.Ako.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Ako : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "AKO" description = "Yara rule that detects Ako ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Archiveus.yara b/yara/ransomware/Win32.Ransomware.Archiveus.yara index 3a0f3d1..13be18b 100644 --- a/yara/ransomware/Win32.Ransomware.Archiveus.yara +++ b/yara/ransomware/Win32.Ransomware.Archiveus.yara @@ -10,6 +10,7 @@ rule Win32_Ransomware_Archiveus : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "ARCHIVEUS" description = "Yara rule that detects Archiveus ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Armage.yara b/yara/ransomware/Win32.Ransomware.Armage.yara index b7505f7..64af416 100644 --- a/yara/ransomware/Win32.Ransomware.Armage.yara +++ b/yara/ransomware/Win32.Ransomware.Armage.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Armage : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "ARMAGE" description = "Yara rule that detects Armage ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Atlas.yara b/yara/ransomware/Win32.Ransomware.Atlas.yara index 4f13bce..ce32bae 100644 --- a/yara/ransomware/Win32.Ransomware.Atlas.yara +++ b/yara/ransomware/Win32.Ransomware.Atlas.yara 
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Atlas : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "ATLAS" description = "Yara rule that detects Atlas ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.BKRansomware.yara b/yara/ransomware/Win32.Ransomware.BKRansomware.yara index a1022cf..8588fd3 100644 --- a/yara/ransomware/Win32.Ransomware.BKRansomware.yara +++ b/yara/ransomware/Win32.Ransomware.BKRansomware.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_BKRansomware : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "BKRANSOMWARE" description = "Yara rule that detects BKRansomware ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.BadBlock.yara b/yara/ransomware/Win32.Ransomware.BadBlock.yara index ae75664..8e5145f 100644 --- a/yara/ransomware/Win32.Ransomware.BadBlock.yara +++ b/yara/ransomware/Win32.Ransomware.BadBlock.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_BadBlock : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "BADBLOCK" description = "Yara rule that detects BadBlock ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.BandarChor.yara b/yara/ransomware/Win32.Ransomware.BandarChor.yara index 30d74d0..8e9714e 100644 --- a/yara/ransomware/Win32.Ransomware.BandarChor.yara +++ b/yara/ransomware/Win32.Ransomware.BandarChor.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_BandarChor : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "BANDARCHOR" description = "Yara rule that detects BandarChor ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.BitCrypt.yara b/yara/ransomware/Win32.Ransomware.BitCrypt.yara index 24e8186..500c25b 100644 --- a/yara/ransomware/Win32.Ransomware.BitCrypt.yara 
+++ b/yara/ransomware/Win32.Ransomware.BitCrypt.yara @@ -10,6 +10,7 @@ rule Win32_Ransomware_BitCrypt : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "BITCRYPT" description = "Yara rule that detects BitCrypt ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Blitzkrieg.yara b/yara/ransomware/Win32.Ransomware.Blitzkrieg.yara index 9c12ec1..65f2090 100644 --- a/yara/ransomware/Win32.Ransomware.Blitzkrieg.yara +++ b/yara/ransomware/Win32.Ransomware.Blitzkrieg.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Blitzkrieg : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "BLITZKRIEG" description = "Yara rule that detects Blitzkrieg ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.BrainCrypt.yara b/yara/ransomware/Win32.Ransomware.BrainCrypt.yara index 1ee43eb..af208c6 100644 --- a/yara/ransomware/Win32.Ransomware.BrainCrypt.yara +++ b/yara/ransomware/Win32.Ransomware.BrainCrypt.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_BrainCrypt : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "BRAINCRYPT" description = "Yara rule that detects BrainCrypt ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Buran.yara b/yara/ransomware/Win32.Ransomware.Buran.yara index 86dcf2a..d987266 100644 --- a/yara/ransomware/Win32.Ransomware.Buran.yara +++ b/yara/ransomware/Win32.Ransomware.Buran.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Buran : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "BURAN" description = "Yara rule that detects Buran ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Clop.yara b/yara/ransomware/Win32.Ransomware.Clop.yara index 8c8cef6..1d1c0a3 100644 --- a/yara/ransomware/Win32.Ransomware.Clop.yara 
+++ b/yara/ransomware/Win32.Ransomware.Clop.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Clop : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CLOP" description = "Yara rule that detects Clop ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Cryakl.yara b/yara/ransomware/Win32.Ransomware.Cryakl.yara index 5ee6d38..c46b401 100644 --- a/yara/ransomware/Win32.Ransomware.Cryakl.yara +++ b/yara/ransomware/Win32.Ransomware.Cryakl.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Cryakl : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CRYAKL" description = "Yara rule that detects Cryakl ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Crypmic.yara b/yara/ransomware/Win32.Ransomware.Crypmic.yara index 3979326..5aded85 100644 --- a/yara/ransomware/Win32.Ransomware.Crypmic.yara +++ b/yara/ransomware/Win32.Ransomware.Crypmic.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Crypmic : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CRYPMIC" description = "Yara rule that detects Crypmic ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Crypren.yara b/yara/ransomware/Win32.Ransomware.Crypren.yara index a73f6c9..5d58d7b 100644 --- a/yara/ransomware/Win32.Ransomware.Crypren.yara +++ b/yara/ransomware/Win32.Ransomware.Crypren.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Crypren : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CRYPREN" description = "Yara rule that detects Crypren ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.CryptoBit.yara b/yara/ransomware/Win32.Ransomware.CryptoBit.yara index 3797d06..b89e4df 100644 --- a/yara/ransomware/Win32.Ransomware.CryptoBit.yara +++ b/yara/ransomware/Win32.Ransomware.CryptoBit.yara 
@@ -8,6 +8,7 @@ rule Win32_Ransomware_CryptoBit : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CRYPTOBIT" description = "Yara rule that detects CryptoBit ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.CryptoFortress.yara b/yara/ransomware/Win32.Ransomware.CryptoFortress.yara index e8db647..e0079be 100644 --- a/yara/ransomware/Win32.Ransomware.CryptoFortress.yara +++ b/yara/ransomware/Win32.Ransomware.CryptoFortress.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_CryptoFortress : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CRYPTOFORTRESS" description = "Yara rule that detects CryptoFortress ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.CryptoJoker.yara b/yara/ransomware/Win32.Ransomware.CryptoJoker.yara index a3f944d..fe4eb78 100644 --- a/yara/ransomware/Win32.Ransomware.CryptoJoker.yara +++ b/yara/ransomware/Win32.Ransomware.CryptoJoker.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_CryptoJoker : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CRYPTOJOKER" description = "Yara rule that detects CryptoJoker ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.CryptoLocker.yara b/yara/ransomware/Win32.Ransomware.CryptoLocker.yara index ddd1404..2100460 100644 --- a/yara/ransomware/Win32.Ransomware.CryptoLocker.yara +++ b/yara/ransomware/Win32.Ransomware.CryptoLocker.yara @@ -10,6 +10,7 @@ rule Win32_Ransomware_CryptoLocker : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CRYPTOLOCKER" description = "Yara rule that detects CryptoLocker ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.CryptoWall.yara b/yara/ransomware/Win32.Ransomware.CryptoWall.yara index ea90988..6e7dbf4 100644 
--- a/yara/ransomware/Win32.Ransomware.CryptoWall.yara +++ b/yara/ransomware/Win32.Ransomware.CryptoWall.yara @@ -10,6 +10,7 @@ rule Win32_Ransomware_CryptoWall : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CRYPTOWALL" description = "Yara rule that detects CryptoWall ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Crysis.yara b/yara/ransomware/Win32.Ransomware.Crysis.yara index 9a1b7f6..ff52cc7 100644 --- a/yara/ransomware/Win32.Ransomware.Crysis.yara +++ b/yara/ransomware/Win32.Ransomware.Crysis.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Crysis : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CRYSIS" description = "Yara rule that detects Crysis ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Cuba.yara b/yara/ransomware/Win32.Ransomware.Cuba.yara index 9972b81..a60e01c 100644 --- a/yara/ransomware/Win32.Ransomware.Cuba.yara +++ b/yara/ransomware/Win32.Ransomware.Cuba.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Cuba : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "CUBA" description = "Yara rule that detects Cuba ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.DMALocker.yara b/yara/ransomware/Win32.Ransomware.DMALocker.yara index 4f9a650..9680ba2 100644 --- a/yara/ransomware/Win32.Ransomware.DMALocker.yara +++ b/yara/ransomware/Win32.Ransomware.DMALocker.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_DMALocker : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "DMALOCKER" description = "Yara rule that detects DMALocker ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.DMR.yara b/yara/ransomware/Win32.Ransomware.DMR.yara index 4c89f9d..19c1720 100644 --- a/yara/ransomware/Win32.Ransomware.DMR.yara 
+++ b/yara/ransomware/Win32.Ransomware.DMR.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_DMR : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "DMR" description = "Yara rule that detects DMR ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Defray.yara b/yara/ransomware/Win32.Ransomware.Defray.yara index 89c9c35..17779ef 100644 --- a/yara/ransomware/Win32.Ransomware.Defray.yara +++ b/yara/ransomware/Win32.Ransomware.Defray.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Defray : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "DEFRAY" description = "Yara rule that detects Defray ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Delphimorix.yara b/yara/ransomware/Win32.Ransomware.Delphimorix.yara index 3c3d444..916ac82 100644 --- a/yara/ransomware/Win32.Ransomware.Delphimorix.yara +++ b/yara/ransomware/Win32.Ransomware.Delphimorix.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Delphimorix : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "DELPHIMORIX" description = "Yara rule that detects Delphimorix ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.DenizKizi.yara b/yara/ransomware/Win32.Ransomware.DenizKizi.yara index 4794b1b..2869181 100644 --- a/yara/ransomware/Win32.Ransomware.DenizKizi.yara +++ b/yara/ransomware/Win32.Ransomware.DenizKizi.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_DenizKizi : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "DENIZKIZI" description = "Yara rule that detects DenizKizi ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.DesuCrypt.yara b/yara/ransomware/Win32.Ransomware.DesuCrypt.yara index 26854f3..487f400 100644 --- a/yara/ransomware/Win32.Ransomware.DesuCrypt.yara 
+++ b/yara/ransomware/Win32.Ransomware.DesuCrypt.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_DesuCrypt : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "DESUCRYPT" description = "Yara rule that detects DesuCrypt ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Dharma.yara b/yara/ransomware/Win32.Ransomware.Dharma.yara index 070b80b..effa0cd 100644 --- a/yara/ransomware/Win32.Ransomware.Dharma.yara +++ b/yara/ransomware/Win32.Ransomware.Dharma.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Dharma : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "DHARMA" description = "Yara rule that detects Dharma ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.DirtyDecrypt.yara b/yara/ransomware/Win32.Ransomware.DirtyDecrypt.yara index a0bcd0c..41680a4 100644 --- a/yara/ransomware/Win32.Ransomware.DirtyDecrypt.yara +++ b/yara/ransomware/Win32.Ransomware.DirtyDecrypt.yara @@ -10,6 +10,7 @@ rule Win32_Ransomware_DirtyDecrypt : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "DIRTYDECRYPT" description = "Yara rule that detects DirtyDecrypt ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.District.yara b/yara/ransomware/Win32.Ransomware.District.yara index 4be191d..0ba4014 100644 --- a/yara/ransomware/Win32.Ransomware.District.yara +++ b/yara/ransomware/Win32.Ransomware.District.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_District : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "DISTRICT" description = "Yara rule that detects District ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Erica.yara b/yara/ransomware/Win32.Ransomware.Erica.yara index 5800699..db4e21d 100644 --- a/yara/ransomware/Win32.Ransomware.Erica.yara 
+++ b/yara/ransomware/Win32.Ransomware.Erica.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Erica : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "ERICA" description = "Yara rule that detects Erica ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.FCT.yara b/yara/ransomware/Win32.Ransomware.FCT.yara index 0b4f8e5..d4d72a4 100644 --- a/yara/ransomware/Win32.Ransomware.FCT.yara +++ b/yara/ransomware/Win32.Ransomware.FCT.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_FCT : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "FCT" description = "Yara rule that detects FCT ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.FLKR.yara b/yara/ransomware/Win32.Ransomware.FLKR.yara index ae6f042..6f7ac3e 100644 --- a/yara/ransomware/Win32.Ransomware.FLKR.yara +++ b/yara/ransomware/Win32.Ransomware.FLKR.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_FLKR : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "FLKR" description = "Yara rule that detects FLKR ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Fantom.yara b/yara/ransomware/Win32.Ransomware.Fantom.yara index 6c2deac..1ecf5d1 100644 --- a/yara/ransomware/Win32.Ransomware.Fantom.yara +++ b/yara/ransomware/Win32.Ransomware.Fantom.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Fantom : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "FANTOM" description = "Yara rule that detects Fantom ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.FenixLocker.yara b/yara/ransomware/Win32.Ransomware.FenixLocker.yara index 5c69f20..4d82880 100644 --- a/yara/ransomware/Win32.Ransomware.FenixLocker.yara +++ b/yara/ransomware/Win32.Ransomware.FenixLocker.yara 
@@ -8,6 +8,7 @@ rule Win32_Ransomware_FenixLocker : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "FENIXLOCKER" description = "Yara rule that detects FenixLocker ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.Ferrlock.yara b/yara/ransomware/Win32.Ransomware.Ferrlock.yara index 148de54..a03b8f0 100644 --- a/yara/ransomware/Win32.Ransomware.Ferrlock.yara +++ b/yara/ransomware/Win32.Ransomware.Ferrlock.yara @@ -8,6 +8,7 @@ rule Win32_Ransomware_Ferrlock : tc_detection malicious status = "RELEASED" sharing = "TLP:WHITE" category = "MALWARE" + malware = "FERRLOCK" description = "Yara rule that detects Ferrlock ransomware." tc_detection_type = "Ransomware" diff --git a/yara/ransomware/Win32.Ransomware.GPGQwerty.yara b/yara/ransomware/Win32.Ransomware.GPGQwerty.yara new file mode 100644 index 0000000..fd364f3 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.GPGQwerty.yara 
@@ -0,0 +1,83 @@
+rule Win32_Ransomware_GPGQwerty : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "GPGQWERTY"
+ description = "Yara rule that detects GPGQwerty ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "GPGQwerty"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files_p1 = {
+ 56 53 89 D3 81 EC ?? ?? ?? ?? 8D 54 24 ?? 89 04 24 89 54 24 ?? E8 ?? ?? ?? ?? 83 EC
+ ?? 83 F8 ?? 89 C6 74 ?? 31 C0 8D 4B ?? 66 89 43 ?? 31 C0 EB ?? 0F B7 43 ?? 83 C0 ??
+ 66 3D ?? ?? 66 89 43 ?? 83 D1 ?? 0F B7 C0 0F B6 44 04 ?? 84 C0 88 01 75 ?? 8B 44 24
+ ?? 24 ?? 83 F8 ?? 76 ?? C7 43 ?? ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 89 F0 5B 5E C3 66 90
+ 89 43 ?? 81 C4 ?? ?? ?? ?? 89 F0 5B 5E C3 E8 ?? ?? ?? ?? 89 C3 E8 ?? ?? ?? ?? 83 F8
+ ?? 89 03 74 ?? E8 ?? ?? ?? ?? 81 38 ?? ?? ?? ?? 74 ?? E8 ?? ?? ?? ?? 83 38 ?? 74 ??
+ E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? EB ?? E8 ??
+ ?? ?? ?? C7 00 ?? ?? ?? ?? EB ?? 90 56 53 89 D3 81 EC ?? ?? ?? ?? 8D 54 24 ?? 89 04
+ 24 89 54 24 ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 89 C6 74 ?? 31 C0 8D 4B ?? 66 89 43 ??
+ 31 C0 EB ?? 0F B7 43 ?? 83 C0 ?? 66 3D ?? ?? 66 89 43 ?? 83 D1 ?? 0F B7 C0 0F B6 44
+ 04 ?? 84 C0 88 01 75 ?? 8B 44 24 ?? 24 ?? 83 F8 ?? 77 ?? 89 43 ?? 81 C4 ?? ?? ?? ??
+ 89 F0 5B 5E C3 8D B4 26 ?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 89 F0 5B
+ 5E C3 E8 ?? ?? ?? ?? 83 F8 ?? 74 ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? 81 C4 ?? ?? ??
+ ?? 89 F0 5B 5E C3
+ }
+
+ $find_files_p2 = {
+ 8B 45 ?? 89 45 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 95 C0 84
+ C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 83 C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ??
+ ?? 85 C0 74 ?? 8B 45 ?? 83 C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85
+ C0 74 ?? C6 85 ?? ?? ?? ?? ?? 8B 45 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ??
+ ?? ?? ?? 8B 45 ?? 83 C0 ?? 89 44 24 ?? 8D 85 ?? ?? ?? 
?? 89 04 24 E8 ?? ?? ?? ?? 8D
+ 85 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 94 C0 84 C0 0F 84
+ ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ??
+ ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ??
+ ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ??
+ ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ??
+ C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7
+ 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 44
+ 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 44 24
+ ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 45 ?? 83
+ C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 45
+ ?? 83 C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ??
+ 8B 45 ?? 83 C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ??
+ ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? E8
+ }
+
+ $encrypt_files = {
+ C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ??
+ C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83
+ C0 ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ??
+ E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24
+ ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? C7 44
+ 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ??
+ ?? ?? 8B 45 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7
+ 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 89 44
+ 24 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8
+ ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 
89 44 24 ?? 8D 85 ?? ?? ??
+ ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24
+ ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 C2 B8
+ ?? ?? ?? ?? 89 D7 F2 AE 89 C8 F7 D0 8D 50 ?? 8D 85 ?? ?? ?? ?? 01 D0 66 C7 00 ?? ??
+ 8B 45 ?? 83 E8 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? E9
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ $encrypt_files
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.GandCrab.yara b/yara/ransomware/Win32.Ransomware.GandCrab.yara
index e230948..5cc8686 100644
--- a/yara/ransomware/Win32.Ransomware.GandCrab.yara
+++ b/yara/ransomware/Win32.Ransomware.GandCrab.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_GandCrab : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "GANDCRAB"
 description = "Yara rule that detects GandCrab ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.GarrantyDecrypt.yara b/yara/ransomware/Win32.Ransomware.GarrantyDecrypt.yara
index 12ad992..9214497 100644
--- a/yara/ransomware/Win32.Ransomware.GarrantyDecrypt.yara
+++ b/yara/ransomware/Win32.Ransomware.GarrantyDecrypt.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_GarrantyDecrypt : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "GARRANTYDECRYPT"
 description = "Yara rule that detects GarrantyDecrypt ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Gibon.yara b/yara/ransomware/Win32.Ransomware.Gibon.yara
index c86fc83..0284ed8 100644
--- a/yara/ransomware/Win32.Ransomware.Gibon.yara
+++ b/yara/ransomware/Win32.Ransomware.Gibon.yara
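Review bot: The condition of the new Win32_Ransomware_GPGQwerty rule has no `filesize` bound, so the three long, wildcard-heavy hex strings (`$find_files_p1` alone spans several hundred byte positions) are matched across every MZ file in full; if the repository's other ransomware rules cap size, the same cap would belong here, `uint16(0) == 0x5A4D and filesize < <SIZE_LIMIT_PLACEHOLDER> and`, with the limit taken from the sibling rules rather than invented. The meta block records no sample hash or reference for the detection, which leaves no way to re-validate the patterns when the family changes. The file is also committed without a trailing newline, which the `\ No newline at end of file` marker shows and which the other rule files in this commit do not do.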
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Gibon : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "GIBON"
 description = "Yara rule that detects Gibon ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.GlobeImposter.yara b/yara/ransomware/Win32.Ransomware.GlobeImposter.yara
index 6875d52..03f8c87 100644
--- a/yara/ransomware/Win32.Ransomware.GlobeImposter.yara
+++ b/yara/ransomware/Win32.Ransomware.GlobeImposter.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_GlobeImposter : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "GLOBEIMPOSTER"
 description = "Yara rule that detects GlobeImposter ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Good.yara b/yara/ransomware/Win32.Ransomware.Good.yara
index 77b812c..c5121d8 100644
--- a/yara/ransomware/Win32.Ransomware.Good.yara
+++ b/yara/ransomware/Win32.Ransomware.Good.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Good : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "GOOD"
 description = "Yara rule that detects Good ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Gpcode.yara b/yara/ransomware/Win32.Ransomware.Gpcode.yara
index 6095f0c..24660e2 100644
--- a/yara/ransomware/Win32.Ransomware.Gpcode.yara
+++ b/yara/ransomware/Win32.Ransomware.Gpcode.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_GPCode : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "GPCODE"
 description = "Yara rule that detects Gpcode ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.HDDCryptor.yara b/yara/ransomware/Win32.Ransomware.HDDCryptor.yara
index 1b00ccf..4ee943a 100644
--- a/yara/ransomware/Win32.Ransomware.HDDCryptor.yara
+++ b/yara/ransomware/Win32.Ransomware.HDDCryptor.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_HDDCryptor : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "HDDCRYPTOR"
 description = "Yara rule that detects HDDCryptor ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.HDMR.yara b/yara/ransomware/Win32.Ransomware.HDMR.yara
index 8570970..e513b13 100644
--- a/yara/ransomware/Win32.Ransomware.HDMR.yara
+++ b/yara/ransomware/Win32.Ransomware.HDMR.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_HDMR : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "HDMR"
 description = "Yara rule that detects HDMR ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Hermes.yara b/yara/ransomware/Win32.Ransomware.Hermes.yara
index 3dfa61a..8eb68a1 100644
--- a/yara/ransomware/Win32.Ransomware.Hermes.yara
+++ b/yara/ransomware/Win32.Ransomware.Hermes.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Hermes : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "HERMES"
 description = "Yara rule that detects Hermes ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.HydraCrypt.yara b/yara/ransomware/Win32.Ransomware.HydraCrypt.yara
index 9a36bca..c49caf9 100644
--- a/yara/ransomware/Win32.Ransomware.HydraCrypt.yara
+++ b/yara/ransomware/Win32.Ransomware.HydraCrypt.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_HydraCrypt : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "HYDRACRYPT"
 description = "Yara rule that detects HydraCrypt ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.IFN643.yara b/yara/ransomware/Win32.Ransomware.IFN643.yara
index 3fb0c90..2e44f55 100644
--- a/yara/ransomware/Win32.Ransomware.IFN643.yara
+++ b/yara/ransomware/Win32.Ransomware.IFN643.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_IFN643 : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "IFN643"
 description = "Yara rule that detects IFN643 ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.JSWorm.yara b/yara/ransomware/Win32.Ransomware.JSWorm.yara
index dfca1d5..86b338c 100644
--- a/yara/ransomware/Win32.Ransomware.JSWorm.yara
+++ b/yara/ransomware/Win32.Ransomware.JSWorm.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_JSWorm : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "JSWORM"
 description = "Yara rule that detects JSWorm ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Jamper.yara b/yara/ransomware/Win32.Ransomware.Jamper.yara
index a0238e6..95d0b26 100644
--- a/yara/ransomware/Win32.Ransomware.Jamper.yara
+++ b/yara/ransomware/Win32.Ransomware.Jamper.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Jamper : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "JAMPER"
 description = "Yara rule that detects Jamper ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Jemd.yara b/yara/ransomware/Win32.Ransomware.Jemd.yara
index dfd5712..76e2d50 100644
--- a/yara/ransomware/Win32.Ransomware.Jemd.yara
+++ b/yara/ransomware/Win32.Ransomware.Jemd.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Jemd : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "JEMD"
 description = "Yara rule that detects Jemd ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Kangaroo.yara b/yara/ransomware/Win32.Ransomware.Kangaroo.yara
index 9c04699..26e4c8b 100644
--- a/yara/ransomware/Win32.Ransomware.Kangaroo.yara
+++ b/yara/ransomware/Win32.Ransomware.Kangaroo.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Kangaroo : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "KANGAROO"
 description = "Yara rule that detects Kangaroo ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.KillDisk.yara b/yara/ransomware/Win32.Ransomware.KillDisk.yara
index 0feb75c..35f361e 100644
--- a/yara/ransomware/Win32.Ransomware.KillDisk.yara
+++ b/yara/ransomware/Win32.Ransomware.KillDisk.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_KillDisk : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "KILLDISK"
 description = "Yara rule that detects KillDisk ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Kovter.yara b/yara/ransomware/Win32.Ransomware.Kovter.yara
index 13a25eb..b87261f 100644
--- a/yara/ransomware/Win32.Ransomware.Kovter.yara
+++ b/yara/ransomware/Win32.Ransomware.Kovter.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Kovter : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "KOVTER"
 description = "Yara rule that detects Kovter ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Kraken.yara b/yara/ransomware/Win32.Ransomware.Kraken.yara
index c3e0030..b35214d 100644
--- a/yara/ransomware/Win32.Ransomware.Kraken.yara
+++ b/yara/ransomware/Win32.Ransomware.Kraken.yara
@@ -8,6 +8,7 @@ rule Linux_Ransomware_Kraken : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "KRAKEN"
 description = "Yara rule that detects Kraken ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Ladon.yara b/yara/ransomware/Win32.Ransomware.Ladon.yara
index f5fde5b..d6392d5 100644
--- a/yara/ransomware/Win32.Ransomware.Ladon.yara
+++ b/yara/ransomware/Win32.Ransomware.Ladon.yara
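Review bot: The rule in yara/ransomware/Win32.Ransomware.Kraken.yara is declared as `rule Linux_Ransomware_Kraken : tc_detection malicious` while the file name, its Win32 siblings and the newly added `malware = "KRAKEN"` tag all describe a Win32 rule; the commit touches the meta block but leaves the name mismatch in place. Unless the rule genuinely targets ELF samples, which the hunk does not show, the header should read `rule Win32_Ransomware_Kraken : tc_detection malicious` so that rule-name based tooling and the `malware` tag agree. The rule's strings and condition lie outside the hunk.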
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Ladon : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "LADON"
 description = "Yara rule that detects Ladon ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.LeChiffre.yara b/yara/ransomware/Win32.Ransomware.LeChiffre.yara
index dc5d482..b12f5f0 100644
--- a/yara/ransomware/Win32.Ransomware.LeChiffre.yara
+++ b/yara/ransomware/Win32.Ransomware.LeChiffre.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_LeChiffre : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "LECHIFFRE"
 description = "Yara rule that detects LeChiffre ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.LockBit.yara b/yara/ransomware/Win32.Ransomware.LockBit.yara
index eb5703f..5076ab9 100644
--- a/yara/ransomware/Win32.Ransomware.LockBit.yara
+++ b/yara/ransomware/Win32.Ransomware.LockBit.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_LockBit : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "LOCKBIT"
 description = "Yara rule that detects LockBit ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.LooCipher.yara b/yara/ransomware/Win32.Ransomware.LooCipher.yara
index 677abfa..43767b5 100644
--- a/yara/ransomware/Win32.Ransomware.LooCipher.yara
+++ b/yara/ransomware/Win32.Ransomware.LooCipher.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_LooCipher : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "LOOCIPHER"
 description = "Yara rule that detects LooCipher ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.MZP.yara b/yara/ransomware/Win32.Ransomware.MZP.yara
index c3ebee5..ca82197 100644
--- a/yara/ransomware/Win32.Ransomware.MZP.yara
+++ b/yara/ransomware/Win32.Ransomware.MZP.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_MZP : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "MZP"
 description = "Yara rule that detects MZP ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Mafia.yara b/yara/ransomware/Win32.Ransomware.Mafia.yara
index d510676..887c19b 100644
--- a/yara/ransomware/Win32.Ransomware.Mafia.yara
+++ b/yara/ransomware/Win32.Ransomware.Mafia.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Mafia : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "MAFIA"
 description = "Yara rule that detects Mafia ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Magniber.yara b/yara/ransomware/Win32.Ransomware.Magniber.yara
index 7b8b104..b7a7040 100644
--- a/yara/ransomware/Win32.Ransomware.Magniber.yara
+++ b/yara/ransomware/Win32.Ransomware.Magniber.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Magniber : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "MAGNIBER"
 description = "Yara rule that detects Magniber ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Maktub.yara b/yara/ransomware/Win32.Ransomware.Maktub.yara
index 8455fee..f5f8306 100644
--- a/yara/ransomware/Win32.Ransomware.Maktub.yara
+++ b/yara/ransomware/Win32.Ransomware.Maktub.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Maktub : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "MAKTUB"
 description = "Yara rule that detects Maktub ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.MarsJoke.yara b/yara/ransomware/Win32.Ransomware.MarsJoke.yara
index 2b5a516..572becf 100644
--- a/yara/ransomware/Win32.Ransomware.MarsJoke.yara
+++ b/yara/ransomware/Win32.Ransomware.MarsJoke.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_MarsJoke : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "MARSJOKE"
 description = "Yara rule that detects MarsJoke ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Matsnu.yara b/yara/ransomware/Win32.Ransomware.Matsnu.yara
index 49bde70..b457ba8 100644
--- a/yara/ransomware/Win32.Ransomware.Matsnu.yara
+++ b/yara/ransomware/Win32.Ransomware.Matsnu.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Matsnu : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "MATSNU"
 description = "Yara rule that detects Matsnu ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.MedusaLocker.yara b/yara/ransomware/Win32.Ransomware.MedusaLocker.yara
index 36e4246..600810e 100644
--- a/yara/ransomware/Win32.Ransomware.MedusaLocker.yara
+++ b/yara/ransomware/Win32.Ransomware.MedusaLocker.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_MedusaLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "MEDUSALOCKER"
 description = "Yara rule that detects MedusaLocker ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Montserrat.yara b/yara/ransomware/Win32.Ransomware.Montserrat.yara
index f100627..4b0912e 100644
--- a/yara/ransomware/Win32.Ransomware.Montserrat.yara
+++ b/yara/ransomware/Win32.Ransomware.Montserrat.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Montserrat : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "MONTSERRAT"
 description = "Yara rule that detects Montserrat ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.NanoLocker.yara b/yara/ransomware/Win32.Ransomware.NanoLocker.yara
index 2c4cc6c..25a5ceb 100644
--- a/yara/ransomware/Win32.Ransomware.NanoLocker.yara
+++ b/yara/ransomware/Win32.Ransomware.NanoLocker.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_NanoLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "NANOLOCKER"
 description = "Yara rule that detects NanoLocker ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Nefilim.yara b/yara/ransomware/Win32.Ransomware.Nefilim.yara
index c01efa0..81c9ef7 100644
--- a/yara/ransomware/Win32.Ransomware.Nefilim.yara
+++ b/yara/ransomware/Win32.Ransomware.Nefilim.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Nefilim : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "NEFILIM"
 description = "Yara rule that detects Nefilim ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Nemty.yara b/yara/ransomware/Win32.Ransomware.Nemty.yara
index beb8ed1..ae58e30 100644
--- a/yara/ransomware/Win32.Ransomware.Nemty.yara
+++ b/yara/ransomware/Win32.Ransomware.Nemty.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Nemty : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "NEMTY"
 description = "Yara rule that detects Nemty ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.NotPetya.yara b/yara/ransomware/Win32.Ransomware.NotPetya.yara
index 56bd2dd..1c6000e 100644
--- a/yara/ransomware/Win32.Ransomware.NotPetya.yara
+++ b/yara/ransomware/Win32.Ransomware.NotPetya.yara
@@ -9,6 +9,7 @@ rule Win32_Ransomware_NotPetya : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "NOTPETYA"
 description = "Yara rule that detects NotPetya ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.OphionLocker.yara b/yara/ransomware/Win32.Ransomware.OphionLocker.yara
index 968aaca..dc45338 100644
--- a/yara/ransomware/Win32.Ransomware.OphionLocker.yara
+++ b/yara/ransomware/Win32.Ransomware.OphionLocker.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_OphionLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "OPHIONLOCKER"
 description = "Yara rule that detects OphionLocker ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Ouroboros.yara b/yara/ransomware/Win32.Ransomware.Ouroboros.yara
index cd0b2c3..67456e6 100644
--- a/yara/ransomware/Win32.Ransomware.Ouroboros.yara
+++ b/yara/ransomware/Win32.Ransomware.Ouroboros.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Ouroboros : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "OUROBOROS"
 description = "Yara rule that detects Ouroboros ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.PXJ.yara b/yara/ransomware/Win32.Ransomware.PXJ.yara
index cb108b8..5c9acd6 100644
--- a/yara/ransomware/Win32.Ransomware.PXJ.yara
+++ b/yara/ransomware/Win32.Ransomware.PXJ.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_PXJ : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "PXJ"
 description = "Yara rule that detects PXJ ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Pacman.yara b/yara/ransomware/Win32.Ransomware.Pacman.yara
index a1bf307..27ed27d 100644
--- a/yara/ransomware/Win32.Ransomware.Pacman.yara
+++ b/yara/ransomware/Win32.Ransomware.Pacman.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Pacman : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "PACMAN"
 description = "Yara rule that detects Pacman ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Paradise.yara b/yara/ransomware/Win32.Ransomware.Paradise.yara
index f6dd8b3..c3a1034 100644
--- a/yara/ransomware/Win32.Ransomware.Paradise.yara
+++ b/yara/ransomware/Win32.Ransomware.Paradise.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Paradise : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "PARADISE"
 description = "Yara rule that detects Paradise ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Petya.yara b/yara/ransomware/Win32.Ransomware.Petya.yara
index 1130111..daca5e0 100644
--- a/yara/ransomware/Win32.Ransomware.Petya.yara
+++ b/yara/ransomware/Win32.Ransomware.Petya.yara
@@ -11,6 +11,7 @@ rule Win32_Ransomware_Petya : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "PETYA"
 description = "Yara rule that detects Petya ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.PrincessLocker.yara b/yara/ransomware/Win32.Ransomware.PrincessLocker.yara
index efab4e5..510bb9f 100644
--- a/yara/ransomware/Win32.Ransomware.PrincessLocker.yara
+++ b/yara/ransomware/Win32.Ransomware.PrincessLocker.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_PrincessLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "PRINCESSLOCKER"
 description = "Yara rule that detects PrincessLocker ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.RagnarLocker.yara b/yara/ransomware/Win32.Ransomware.RagnarLocker.yara
index 9d85ca3..4539842 100644
--- a/yara/ransomware/Win32.Ransomware.RagnarLocker.yara
+++ b/yara/ransomware/Win32.Ransomware.RagnarLocker.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_RagnarLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "RAGNARLOCKER"
 description = "Yara rule that detects RagnarLocker ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Ragnarok.yara b/yara/ransomware/Win32.Ransomware.Ragnarok.yara
index 86a79da..78b4f8d 100644
--- a/yara/ransomware/Win32.Ransomware.Ragnarok.yara
+++ b/yara/ransomware/Win32.Ransomware.Ragnarok.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Ragnarok : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "RAGNAROK"
 description = "Yara rule that detects Ragnarok ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Ransoc.yara b/yara/ransomware/Win32.Ransomware.Ransoc.yara
index 65cd668..5a58df6 100644
--- a/yara/ransomware/Win32.Ransomware.Ransoc.yara
+++ b/yara/ransomware/Win32.Ransomware.Ransoc.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Ransoc : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "RANSOC"
 description = "Yara rule that detects Ransoc ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.RansomPlus.yara b/yara/ransomware/Win32.Ransomware.RansomPlus.yara
index a51d1e3..5ee89a5 100644
--- a/yara/ransomware/Win32.Ransomware.RansomPlus.yara
+++ b/yara/ransomware/Win32.Ransomware.RansomPlus.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_RansomPlus : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "RANSOMPLUS"
 description = "Yara rule that detects RansomPlus ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.RetMyData.yara b/yara/ransomware/Win32.Ransomware.RetMyData.yara
index cc23611..4a429bf 100644
--- a/yara/ransomware/Win32.Ransomware.RetMyData.yara
+++ b/yara/ransomware/Win32.Ransomware.RetMyData.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_RetMyData : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "RETMYDATA"
 description = "Yara rule that detects RetMyData ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Retis.yara b/yara/ransomware/Win32.Ransomware.Retis.yara
index 2c1fcd8..4df0c4b 100644
--- a/yara/ransomware/Win32.Ransomware.Retis.yara
+++ b/yara/ransomware/Win32.Ransomware.Retis.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Retis : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "RETIS"
 description = "Yara rule that detects Retis ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Reveton.yara b/yara/ransomware/Win32.Ransomware.Reveton.yara
index caeece7..76bba0c 100644
--- a/yara/ransomware/Win32.Ransomware.Reveton.yara
+++ b/yara/ransomware/Win32.Ransomware.Reveton.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Reveton : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "REVETON"
 description = "Yara rule that detects Reveton ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Revil.yara b/yara/ransomware/Win32.Ransomware.Revil.yara
index c4c99f7..b30b4af 100644
--- a/yara/ransomware/Win32.Ransomware.Revil.yara
+++ b/yara/ransomware/Win32.Ransomware.Revil.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Revil : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "REVIL"
 description = "Yara rule that detects Revil ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Rokku.yara b/yara/ransomware/Win32.Ransomware.Rokku.yara
index b3c6a41..e84eb58 100644
--- a/yara/ransomware/Win32.Ransomware.Rokku.yara
+++ b/yara/ransomware/Win32.Ransomware.Rokku.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Rokku : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "ROKKU"
 description = "Yara rule that detects Rokku ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Ryuk.yara b/yara/ransomware/Win32.Ransomware.Ryuk.yara
index ed8b218..e69d266 100644
--- a/yara/ransomware/Win32.Ransomware.Ryuk.yara
+++ b/yara/ransomware/Win32.Ransomware.Ryuk.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Ryuk : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "RYUK"
 description = "Yara rule that detects Ryuk ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Sage.yara b/yara/ransomware/Win32.Ransomware.Sage.yara
index b9aacf3..620c0c4 100644
--- a/yara/ransomware/Win32.Ransomware.Sage.yara
+++ b/yara/ransomware/Win32.Ransomware.Sage.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Sage : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SAGE"
 description = "Yara rule that detects Sage ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Satan.yara b/yara/ransomware/Win32.Ransomware.Satan.yara
index 7dea670..d1a15c3 100644
--- a/yara/ransomware/Win32.Ransomware.Satan.yara
+++ b/yara/ransomware/Win32.Ransomware.Satan.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Satan : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SATAN"
 description = "Yara rule that detects Satan ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Satana.yara b/yara/ransomware/Win32.Ransomware.Satana.yara
index 301e660..8983470 100644
--- a/yara/ransomware/Win32.Ransomware.Satana.yara
+++ b/yara/ransomware/Win32.Ransomware.Satana.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Satana : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SATANA"
 description = "Yara rule that detects Satana ransomware."
 
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Sepsis.yara b/yara/ransomware/Win32.Ransomware.Sepsis.yara
index 6ff742b..2f658bb 100644
--- a/yara/ransomware/Win32.Ransomware.Sepsis.yara
+++ b/yara/ransomware/Win32.Ransomware.Sepsis.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Sepsis : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SEPSIS"
 description = "Yara rule that detects Sepsis ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Serpent.yara b/yara/ransomware/Win32.Ransomware.Serpent.yara
index da64489..2f9a811 100644
--- a/yara/ransomware/Win32.Ransomware.Serpent.yara
+++ b/yara/ransomware/Win32.Ransomware.Serpent.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Serpent : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SERPENT"
 description = "Yara rule that detects Serpent ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.SevenSevenSeven.yara b/yara/ransomware/Win32.Ransomware.SevenSevenSeven.yara
index 7631c86..29bfd2a 100644
--- a/yara/ransomware/Win32.Ransomware.SevenSevenSeven.yara
+++ b/yara/ransomware/Win32.Ransomware.SevenSevenSeven.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_SevenSevenSeven : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SEVENSEVENSEVEN"
 description = "Yara rule that detects SevenSevenSeven ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Sherminator.yara b/yara/ransomware/Win32.Ransomware.Sherminator.yara
index f13712f..e176338 100644
--- a/yara/ransomware/Win32.Ransomware.Sherminator.yara
+++ b/yara/ransomware/Win32.Ransomware.Sherminator.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Sherminator : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SHERMINATOR"
 description = "Yara rule that detects Sherminator ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Sifrelendi.yara b/yara/ransomware/Win32.Ransomware.Sifrelendi.yara
index df3fe6c..a7c022e 100644
--- a/yara/ransomware/Win32.Ransomware.Sifrelendi.yara
+++ b/yara/ransomware/Win32.Ransomware.Sifrelendi.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Sifrelendi : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SIFRELENDI"
 description = "Yara rule that detects Sifrelendi ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Sigrun.yara b/yara/ransomware/Win32.Ransomware.Sigrun.yara
index ff8edc2..c028f7f 100644
--- a/yara/ransomware/Win32.Ransomware.Sigrun.yara
+++ b/yara/ransomware/Win32.Ransomware.Sigrun.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Sigrun : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SIGRUN"
 description = "Yara rule that detects Sigrun ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Spora.yara b/yara/ransomware/Win32.Ransomware.Spora.yara
index 6733300..59e306f 100644
--- a/yara/ransomware/Win32.Ransomware.Spora.yara
+++ b/yara/ransomware/Win32.Ransomware.Spora.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Spora : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SPORA"
 description = "Yara rule that detects Spora ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.TBLocker.yara b/yara/ransomware/Win32.Ransomware.TBLocker.yara
index 619810c..a4eb66c 100644
--- a/yara/ransomware/Win32.Ransomware.TBLocker.yara
+++ b/yara/ransomware/Win32.Ransomware.TBLocker.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_TBLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "TBLOCKER"
 description = "Yara rule that detects TBLocker ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.TeleCrypt.yara b/yara/ransomware/Win32.Ransomware.TeleCrypt.yara
index 51f0057..9d44607 100644
--- a/yara/ransomware/Win32.Ransomware.TeleCrypt.yara
+++ b/yara/ransomware/Win32.Ransomware.TeleCrypt.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_TeleCrypt : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "TELECRYPT"
 description = "Yara rule that detects TeleCrypt ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Teslacrypt.yara b/yara/ransomware/Win32.Ransomware.Teslacrypt.yara
index 5b25e8e..afb2808 100644
--- a/yara/ransomware/Win32.Ransomware.Teslacrypt.yara
+++ b/yara/ransomware/Win32.Ransomware.Teslacrypt.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Teslacrypt : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "TESLACRYPT"
 description = "Yara rule that detects Teslacrypt ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.TorrentLocker.yara b/yara/ransomware/Win32.Ransomware.TorrentLocker.yara
index 03e62c4..da7ba13 100644
--- a/yara/ransomware/Win32.Ransomware.TorrentLocker.yara
+++ b/yara/ransomware/Win32.Ransomware.TorrentLocker.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_TorrentLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "TORRENTLOCKER"
 description = "Yara rule that detects TorrentLocker ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.VHDLocker.yara b/yara/ransomware/Win32.Ransomware.VHDLocker.yara
index 54ca316..d972d3a 100644
--- a/yara/ransomware/Win32.Ransomware.VHDLocker.yara
+++ b/yara/ransomware/Win32.Ransomware.VHDLocker.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_VHDLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "VHDLOCKER"
 description = "Yara rule that detects VHDLocker ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.VegaLocker.yara b/yara/ransomware/Win32.Ransomware.VegaLocker.yara
index 59d9dea..b5d3e44 100644
--- a/yara/ransomware/Win32.Ransomware.VegaLocker.yara
+++ b/yara/ransomware/Win32.Ransomware.VegaLocker.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_VegaLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "VEGALOCKER"
 description = "Yara rule that detects VegaLocker ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Velso.yara b/yara/ransomware/Win32.Ransomware.Velso.yara
index 145ca7f..0d7d79c 100644
--- a/yara/ransomware/Win32.Ransomware.Velso.yara
+++ b/yara/ransomware/Win32.Ransomware.Velso.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Velso : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "VELSO"
 description = "Yara rule that detects Velso ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.WannaCry.yara b/yara/ransomware/Win32.Ransomware.WannaCry.yara
index f71cf69..e87264a 100644
--- a/yara/ransomware/Win32.Ransomware.WannaCry.yara
+++ b/yara/ransomware/Win32.Ransomware.WannaCry.yara
@@ -10,6 +10,7 @@ rule Win32_Ransomware_WannaCry : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "WANNACRY"
 description = "Yara rule that detects WannaCry ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.WildFire.yara b/yara/ransomware/Win32.Ransomware.WildFire.yara
index d92b9ea..3510363 100644
--- a/yara/ransomware/Win32.Ransomware.WildFire.yara
+++ b/yara/ransomware/Win32.Ransomware.WildFire.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_WildFire : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "WILDFIRE"
 description = "Yara rule that detects WildFire ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Xorist.yara b/yara/ransomware/Win32.Ransomware.Xorist.yara
index 0b31913..abd2b37 100644
--- a/yara/ransomware/Win32.Ransomware.Xorist.yara
+++ b/yara/ransomware/Win32.Ransomware.Xorist.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Xorist : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "XORIST"
 description = "Yara rule that detects Xorist ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Zeppelin.yara b/yara/ransomware/Win32.Ransomware.Zeppelin.yara
index 7f55966..a12534c 100644
--- a/yara/ransomware/Win32.Ransomware.Zeppelin.yara
+++ b/yara/ransomware/Win32.Ransomware.Zeppelin.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Zeppelin : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "ZEPPELIN"
 description = "Yara rule that detects Zeppelin ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.ZeroCrypt.yara b/yara/ransomware/Win32.Ransomware.ZeroCrypt.yara
index f224042..24ee6d0 100644
--- a/yara/ransomware/Win32.Ransomware.ZeroCrypt.yara
+++ b/yara/ransomware/Win32.Ransomware.ZeroCrypt.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_ZeroCrypt : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "ZEROCRYPT"
 description = "Yara rule that detects ZeroCrypt ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.ZeroLocker.yara b/yara/ransomware/Win32.Ransomware.ZeroLocker.yara
index b44ea29..a3137dd 100644
--- a/yara/ransomware/Win32.Ransomware.ZeroLocker.yara
+++ b/yara/ransomware/Win32.Ransomware.ZeroLocker.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_ZeroLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "ZEROLOCKER"
 description = "Yara rule that detects ZeroLocker ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win32.Ransomware.Zoldon.yara b/yara/ransomware/Win32.Ransomware.Zoldon.yara
index 68fea4d..ded58a0 100644
--- a/yara/ransomware/Win32.Ransomware.Zoldon.yara
+++ b/yara/ransomware/Win32.Ransomware.Zoldon.yara
@@ -8,6 +8,7 @@ rule Win32_Ransomware_Zoldon : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "ZOLDON"
 description = "Yara rule that detects Zoldon ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win64.Ransomware.Ako.yara b/yara/ransomware/Win64.Ransomware.Ako.yara
index 27f6ee7..4556b78 100644
--- a/yara/ransomware/Win64.Ransomware.Ako.yara
+++ b/yara/ransomware/Win64.Ransomware.Ako.yara
@@ -8,6 +8,7 @@ rule Win64_Ransomware_Ako : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "AKO"
 description = "Yara rule that detects Ako ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/ransomware/Win64.Ransomware.SeedLocker.yara b/yara/ransomware/Win64.Ransomware.SeedLocker.yara
index 3651abf..1eae8ec 100644
--- a/yara/ransomware/Win64.Ransomware.SeedLocker.yara
+++ b/yara/ransomware/Win64.Ransomware.SeedLocker.yara
@@ -8,6 +8,7 @@ rule Win64_Ransomware_SeedLocker : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "SEEDLOCKER"
 description = "Yara rule that detects SeedLocker ransomware."
 tc_detection_type = "Ransomware"
diff --git a/yara/trojan/Win32.Trojan.Dridex.yara b/yara/trojan/Win32.Trojan.Dridex.yara
index 4b9ea2d..5257a62 100644
--- a/yara/trojan/Win32.Trojan.Dridex.yara
+++ b/yara/trojan/Win32.Trojan.Dridex.yara
@@ -8,6 +8,7 @@ rule Win32_Trojan_Dridex : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "DRIDEX"
 description = "Yara rule that detects Dridex trojan."
 tc_detection_type = "Trojan"
diff --git a/yara/trojan/Win32.Trojan.Emotet.yara b/yara/trojan/Win32.Trojan.Emotet.yara
index 558698c..6076818 100644
--- a/yara/trojan/Win32.Trojan.Emotet.yara
+++ b/yara/trojan/Win32.Trojan.Emotet.yara
@@ -8,6 +8,7 @@ rule Win32_Trojan_Emotet : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "EMOTET"
 description = "Yara rule that detects Emotet trojan."
 tc_detection_type = "Trojan"
diff --git a/yara/trojan/Win32.Trojan.TrickBot.yara b/yara/trojan/Win32.Trojan.TrickBot.yara
index 6c8fa64..f9d2f15 100644
--- a/yara/trojan/Win32.Trojan.TrickBot.yara
+++ b/yara/trojan/Win32.Trojan.TrickBot.yara
@@ -8,6 +8,7 @@ rule Win32_Trojan_TrickBot : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "TRICKBOT"
 description = "Yara rule that detects TrickBot trojan."
 tc_detection_type = "Trojan"
diff --git a/yara/virus/Linux.Virus.Vit.yara b/yara/virus/Linux.Virus.Vit.yara
index ddb8fd8..eb31c5d 100644
--- a/yara/virus/Linux.Virus.Vit.yara
+++ b/yara/virus/Linux.Virus.Vit.yara
@@ -10,6 +10,7 @@ rule Linux_Virus_Vit : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "VIT"
 description = "Yara rule that detects Vit virus."
 tc_detection_type = "Virus"
diff --git a/yara/virus/Win32.Virus.Awfull.yara b/yara/virus/Win32.Virus.Awfull.yara
index d2df6d6..c4789e8 100644
--- a/yara/virus/Win32.Virus.Awfull.yara
+++ b/yara/virus/Win32.Virus.Awfull.yara
@@ -10,6 +10,7 @@ rule Win32_Virus_Awfull : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "AWFULL"
 description = "Yara rule that detects Awfull virus."
 tc_detection_type = "Virus"
diff --git a/yara/virus/Win32.Virus.Cmay.yara b/yara/virus/Win32.Virus.Cmay.yara
index 04bf8b7..9cd751f 100644
--- a/yara/virus/Win32.Virus.Cmay.yara
+++ b/yara/virus/Win32.Virus.Cmay.yara
@@ -10,6 +10,7 @@ rule Win32_Virus_Cmay : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "CMAY"
 description = "Yara rule that detects Cmay virus."
 tc_detection_type = "Virus"
diff --git a/yara/virus/Win32.Virus.DeadCode.yara b/yara/virus/Win32.Virus.DeadCode.yara
index 0f70f96..0116d1f 100644
--- a/yara/virus/Win32.Virus.DeadCode.yara
+++ b/yara/virus/Win32.Virus.DeadCode.yara
@@ -10,6 +10,7 @@ rule Win32_Virus_DeadCode : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "DEADCODE"
 description = "Yara rule that detects DeadCode virus."
 tc_detection_type = "Virus"
diff --git a/yara/virus/Win32.Virus.Elerad.yara b/yara/virus/Win32.Virus.Elerad.yara
index ba77b75..1d435e6 100644
--- a/yara/virus/Win32.Virus.Elerad.yara
+++ b/yara/virus/Win32.Virus.Elerad.yara
@@ -10,6 +10,7 @@ rule Win32_Virus_Elerad : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "ELERAD"
 description = "Yara rule that detects Elerad virus."
 tc_detection_type = "Virus"
diff --git a/yara/virus/Win32.Virus.Greenp.yara b/yara/virus/Win32.Virus.Greenp.yara
index 85451dd..f8257e2 100644
--- a/yara/virus/Win32.Virus.Greenp.yara
+++ b/yara/virus/Win32.Virus.Greenp.yara
@@ -10,6 +10,7 @@ rule Win32_Virus_Greenp : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "GREENP"
 description = "Yara rule that detects Greenp virus."
 tc_detection_type = "Virus"
diff --git a/yara/virus/Win32.Virus.Mocket.yara b/yara/virus/Win32.Virus.Mocket.yara
index 9da9e25..5cd16df 100644
--- a/yara/virus/Win32.Virus.Mocket.yara
+++ b/yara/virus/Win32.Virus.Mocket.yara
@@ -10,6 +10,7 @@ rule Win32_Virus_Mocket : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "MOCKET"
 description = "Yara rule that detects Mocket virus."
 tc_detection_type = "Virus"
diff --git a/yara/virus/Win32.Virus.Negt.yara b/yara/virus/Win32.Virus.Negt.yara
index 49165f1..1f8985b 100644
--- a/yara/virus/Win32.Virus.Negt.yara
+++ b/yara/virus/Win32.Virus.Negt.yara
@@ -10,6 +10,7 @@ rule Win32_Virus_Negt : tc_detection malicious
 status = "RELEASED"
 sharing = "TLP:WHITE"
 category = "MALWARE"
+ malware = "NEGT"
 description = "Yara rule that detects Negt virus."
 tc_detection_type = "Virus"