nuclei-templates/file/malware/cryptxxx-malware.yaml


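id: cryptxxx-malware

info:
  name: CryptXXX Malware - Detect
  author: daffainfo
  severity: info
  description: |
    Flags files carrying a byte table found in CryptXXX ransomware samples.
    Each table entry is a little-endian uint32 length, an XOR-0x0E obfuscated,
    NUL-terminated path component padded to a 4-byte boundary, then an
    0xFFFFFFFF separator. Decoded, the entries below read \WINDOWS\, \WINNT,
    \RECYCLER\, \SYSTEM~1\, \BOOT\, \RECOVERY\, \$RECYCLE.BIN\, \PERFLOGS\,
    \EFI\, \CONFIG.MSI\, \PROGRA~1\, \PROGRA~2\, \GOOGLE\, \TEMP\, \F4BC~1\,
    \ALLUSE~1\, \APPDATA\, \PROGRA~3\, \PUBLIC\ -- presumably the encryptor's
    directory-exclusion list (confirm against a sample). Ported from the
    Yara-Rules RANSOM_.CRYPTXXX rule referenced below.
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
  tags: malware,file

file:
  # Scan every file regardless of extension: the signature lives in raw
  # on-disk bytes, so a packed or otherwise compressed sample will not match.
  # Very large files are subject to nuclei's file-protocol size cap (see
  # the `max-size` option if samples are skipped).
  - extensions:
      - all

    matchers:
      # The blob is expressed as consecutive 16-byte slices of one contiguous
      # sequence. nuclei's binary matcher does a substring search per entry
      # and `condition: and` only requires that every slice be present
      # somewhere in the file -- adjacency and order are NOT enforced, so
      # this is slightly looser than the original YARA hex string. With 25
      # distinct 16-byte slices the practical false-positive risk is low.
      - type: binary
        binary:
          - "525947404A41595D52000000FFFFFFFF"
          - "0600000052594740405A0000FFFFFFFF"
          - "0A000000525C4B4D574D424B5C520000"
          - "FFFFFFFF0A000000525D575D5A4B4370"
          - "3F520000FFFFFFFF06000000524C4141"
          - "5A520000FFFFFFFF0A000000525C4B4D"
          - "41584B5C57520000FFFFFFFF0E000000"
          - "522A5C4B4D574D424B204C4740520000"
          - "FFFFFFFF0A000000525E4B5C48424149"
          - "5D520000FFFFFFFF05000000524B4847"
          - "52000000FFFFFFFF0C000000524D4140"
          - "48474920435D475200000000FFFFFFFF"
          - "0A000000525E5C41495C4F703F520000"
          - "FFFFFFFF0A000000525E5C41495C4F70"
          - "3C520000FFFFFFFF0800000052494141"
          - "49424B5200000000FFFFFFFF06000000"
          - "525A4B435E520000FFFFFFFF08000000"
          - "52483A4C4D703F5200000000FFFFFFFF"
          - "0A000000524F42425B5D4B703F520000"
          - "FFFFFFFF0A000000525E5C41495C4F70"
          - "3F520000FFFFFFFF0A000000525E5C41"
          - "495C4F703C520000FFFFFFFF09000000"
          - "524F5E5E4A4F5A4F52000000FFFFFFFF"
          - "0A000000525E5C41495C4F703D520000"
          - "FFFFFFFF08000000525E5B4C42474D52"
        condition: and

# NOTE(review): the digest below is computed over the template body as it was
# signed upstream. Any edit to this file (including the reformatting above)
# means the digest no longer matches; nuclei will report the template as
# unsigned/modified until it is re-signed.
# digest: 490a0046304402200be06227894be466ece6600d08b5c21ffe0a1c04d8297f5fd684fc66fa64f0d202203f57a1271be83715b3953f3fcc4fd08dd1d2db57240cfd5fc9a9611008574bf9:922c64590222798bb761d5b6d8e72950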