id: zrypt-malware

info:
  name: Zcrypt Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara
  tags: malware,file,zrypt

file:
  - extensions:
      - all

    # The file is flagged if either matcher below succeeds.
    matchers-condition: or
    matchers:
      # Matcher 1: any single one of these strings is enough.
      - type: word
        part: raw
        words:
          - "How to Buy Bitcoins"
          - "ALL YOUR PERSONAL FILES ARE ENCRYPTED"
          - "Click Here to Show Bitcoin Address"
          - "MyEncrypter2.pdb"
        condition: or

      # Matcher 2: all of these strings must be present together.
      - type: word
        part: raw
        words:
          - ".p7b"
          - ".p7c"
          - ".pdd"
          - ".pef"
          - ".pem"
          - "How to decrypt files.html"
        condition: and
# digest: 490a004630440220505b7b0359dfc00b9f7d9f9a654fa51b862140381c8785ca1f1d04cd4ba7f1f00220194afc36d15fcaef2fc487ce83de91edf5ff902675b4c0f06f016c8c7574e74c:922c64590222798bb761d5b6d8e72950