nuclei-templates/file/malware/cryptxxx-malware.yaml


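id: cryptxxx-malware

info:
  name: CryptXXX Malware - Detect
  author: daffainfo
  severity: info
  description: |
    Flags files whose contents contain byte sequences associated with the
    CryptXXX ransomware family. The patterns are taken from the YARA rule
    listed under reference; a hit is an indicator to be corroborated with
    other evidence (file hash, sandbox verdict, endpoint telemetry) rather
    than a confirmed infection on its own.
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
  tags: malware,file

file:
  # Scan every file regardless of extension: on-disk copies of a payload are
  # often renamed or staged without an extension, so filtering by suffix
  # would miss them.
  - extensions:
      - all

    matchers:
      # Raw hex byte patterns compared against the file contents as bytes
      # (not as text), so encoding and line endings do not affect matching.
      - type: binary
        binary:
          - "525947404A41595D52000000FFFFFFFF"
          - "0600000052594740405A0000FFFFFFFF"
          - "0A000000525C4B4D574D424B5C520000"
          - "FFFFFFFF0A000000525D575D5A4B4370"
          - "3F520000FFFFFFFF06000000524C4141"
          - "5A520000FFFFFFFF0A000000525C4B4D"
          - "41584B5C57520000FFFFFFFF0E000000"
          - "522A5C4B4D574D424B204C4740520000"
          - "FFFFFFFF0A000000525E4B5C48424149"
          - "5D520000FFFFFFFF05000000524B4847"
          - "52000000FFFFFFFF0C000000524D4140"
          - "48474920435D475200000000FFFFFFFF"
          - "0A000000525E5C41495C4F703F520000"
          - "FFFFFFFF0A000000525E5C41495C4F70"
          - "3C520000FFFFFFFF0800000052494141"
          - "49424B5200000000FFFFFFFF06000000"
          - "525A4B435E520000FFFFFFFF08000000"
          - "52483A4C4D703F5200000000FFFFFFFF"
          - "0A000000524F42425B5D4B703F520000"
          - "FFFFFFFF0A000000525E5C41495C4F70"
          - "3F520000FFFFFFFF0A000000525E5C41"
          - "495C4F703C520000FFFFFFFF09000000"
          - "524F5E5E4A4F5A4F52000000FFFFFFFF"
          - "0A000000525E5C41495C4F703D520000"
          - "FFFFFFFF08000000525E5B4C42474D52"
        # `and` requires every pattern above to be present before the file
        # is reported (the matcher default is `or`); a single 16-byte
        # coincidence in an unrelated file therefore does not fire.
        condition: and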