# Nuclei file-protocol template: reports files that contain byte patterns
# associated with Locky ransomware. The patterns come from the YARA rule
# linked under info.reference.
# NOTE(review): the trailing "# digest:" line looks like a template signature;
# presumably it has to be regenerated after any edit to this file - confirm.
id: locky-malware

info:
  name: Locky Malware - Detect
  author: daffainfo
  # NOTE(review): severity is "info" although a hit points at ransomware
  # artifacts - confirm that downstream triage does not drop info-level results.
  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
  tags: malware,file
file:
  # "all" applies the matchers to every scanned file regardless of extension;
  # this template carries no file-type or file-size condition of its own.
  - extensions:
      - all

    # A file is reported when EITHER of the two matchers below is satisfied.
    matchers-condition: or
    matchers:
      # Matcher 1: two raw byte sequences (12 and 11 bytes) that must both occur
      # in the file. They are short and not tied to a readable string, so treat
      # a hit from this matcher alone as a lead for triage, not as confirmation.
      - type: binary
        binary:
          - "45b899f7f90faf45b88945b8"
          - "2b0a0faf4df8894df8c745"
        condition: and

      # Matcher 2: string artifacts, hex-encoded. All seven must occur in the
      # file. The first six decode as UTF-16LE text fragments (some start or end
      # on a 00 byte of a neighbouring character); the last one is ASCII.
      - type: binary
        binary:
          - "2E006C006F0063006B00790000"  # ".locky" (UTF-16LE) + 00
          - "005F004C006F0063006B007900"  # 00 + "_Locky" (UTF-16LE)
          - "5F007200650063006F00760065"  # "_recove" (UTF-16LE, cut mid-character)
          - "0072005F0069006E0073007400"  # 00 + "r_inst" (UTF-16LE)
          - "720075006300740069006F006E"  # "ruction" (UTF-16LE, cut mid-character)
          - "0073002E0074007800740000"  # 00 + "s.txt" (UTF-16LE) + 00
          - "536F6674776172655C4C6F636B7900"  # "Software\Locky" + NUL (ASCII)
        condition: and

# digest: 4a0a0047304502207bf92252439de1c81b481ccc04452a42adaef5b2709cf230dfa77e1bbb0ee747022100918bbd08a177c897bd1a6e5174517e50bd150780bd831df32d7f5683d6ecbabe:922c64590222798bb761d5b6d8e72950