Created
November 22, 2021 18:16
-
-
Save herrcore/94fc677238db8b402d100e8003605773 to your computer and use it in GitHub Desktop.
Yara rule generated with Binlex from our live stream https://youtu.be/hgz5gZB3DxE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule malware_karama_0 { | |
| meta: | |
| descrption = "Karma Ransomware" | |
| strings: | |
| $name = "KARMA" ascii wide nocase | |
| $trait_0 = {33 f6 0f b7 41 ?? 83 c1 02 8b d0 66 85 c0 75 da} | |
| $trait_1 = {0f b7 d0 66 83 fa 5c 74 10} | |
| condition: | |
| uint16(0) == 0x5a4d and | |
| uint32(uint32(0x3c)) == 0x00004550 and | |
| filesize < 146KB and | |
| $name and | |
| 1 of ($trait_*) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://gist.github.com/herrcore/94fc677238db8b402d100e8003605773#file-karama-yara-L3
descrptiondescriptionkaramakarma