# File-scanning template that flags files containing byte sequences taken from
# the YARA rule linked under `reference`.
id: cryptxxx-malware

info:
  name: CryptXXX Malware - Detect
  author: daffainfo
  # NOTE(review): "info" is the severity of the template result, not of a
  # confirmed infection; triage a hit according to local incident policy.
  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
  tags: malware,file

file:
  # "all" applies the matcher to files of every extension.
  - extensions:
      - all

    matchers:
      - type: binary
        # Each entry is a 16-byte pattern written as hex. With
        # `condition: and`, every pattern must occur in the file, but the
        # matcher does not require them to be adjacent or in this order.
        # NOTE(review): the chunks look like one contiguous YARA hex string
        # split into pieces, so this check is looser than the upstream rule;
        # confirm a hit with the original YARA rule before acting on it.
        # NOTE(review): 'FFFFFFFF0A000000525E5C41495C4F70' is listed twice;
        # under an AND condition the repeat adds nothing.
        binary:
          - '525947404A41595D52000000FFFFFFFF'
          - '0600000052594740405A0000FFFFFFFF'
          - '0A000000525C4B4D574D424B5C520000'
          - 'FFFFFFFF0A000000525D575D5A4B4370'
          - '3F520000FFFFFFFF06000000524C4141'
          - '5A520000FFFFFFFF0A000000525C4B4D'
          - '41584B5C57520000FFFFFFFF0E000000'
          - '522A5C4B4D574D424B204C4740520000'
          - 'FFFFFFFF0A000000525E4B5C48424149'
          - '5D520000FFFFFFFF05000000524B4847'
          - '52000000FFFFFFFF0C000000524D4140'
          - '48474920435D475200000000FFFFFFFF'
          - '0A000000525E5C41495C4F703F520000'
          - 'FFFFFFFF0A000000525E5C41495C4F70'
          - '3C520000FFFFFFFF0800000052494141'
          - '49424B5200000000FFFFFFFF06000000'
          - '525A4B435E520000FFFFFFFF08000000'
          - '52483A4C4D703F5200000000FFFFFFFF'
          - '0A000000524F42425B5D4B703F520000'
          - 'FFFFFFFF0A000000525E5C41495C4F70'
          - '3F520000FFFFFFFF0A000000525E5C41'
          - '495C4F703C520000FFFFFFFF09000000'
          - '524F5E5E4A4F5A4F52000000FFFFFFFF'
          - '0A000000525E5C41495C4F703D520000'
          - 'FFFFFFFF08000000525E5B4C42474D52'
        condition: and

# NOTE(review): the digest below is the template signature. It was computed
# over the published text, so any edit above it (comments and re-quoting
# included) means it will no longer verify; re-sign before relying on it.
# digest: 490a0046304402200be06227894be466ece6600d08b5c21ffe0a1c04d8297f5fd684fc66fa64f0d202203f57a1271be83715b3953f3fcc4fd08dd1d2db57240cfd5fc9a9611008574bf9:922c64590222798bb761d5b6d8e72950