Add rule

cado-security · Jul 6, 2021 · cdcad30 · cdcad30
1 parent a6c9767
commit cdcad30
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/IOCs/Yara.rules b/IOCs/Yara.rules
@@ -1,4 +1,19 @@
 
+
+
+rule Ransomware_Revil_Kaseya {
+   meta:
+      description = "Detects primary malicious REvil Binary, drops legit msmpeng.exe and malicious side-loaded dll mpsvc.dll"
+      author = "cdoman@cadosecurity.com"
+      date = "2021-07-06"
+      hash = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
+      license = "Apache License 2.0"
+    strings:
+        $a = { 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 00 00 53 00 4F 00 46 00 54 00 49 00 53 00 00 00 00 00 4D 00 4F 00 44 00 4C 00 49 00 53 00 00 00 00 00 6D 00 70 00 73 00 76 00 63 00 2E 00 64 00 6C 00 6C 00 00 00 4D 00 73 00 4D 00 70 00 45 00 6E 00 67 00 2E 00 65 00 78 00 65 00 00 00 }
+    condition:
+        uint16(0) == 0x5a4d and all of them
+}
+
 /* Via https://github.com/bartblaze/Yara-rules/blob/master/rules/ransomware/REvil_Cert.yar
 */