YARA rules for the Nokoyawa ransomware group

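rule Nokoyawa_Nemty {
	// Detects Nokoyawa, a 64-bit Nemty/Karma ransomware variant: all five
	// imported API names must be present, plus any four of the code and
	// string artefacts below. Analysis write-up is in `reference`.
	meta:
		author = "@Tera0017"
		description = "Nokoyawa, Nemty/Karma ransomware variant"
		// Lowercase key: consistent with the other meta keys and with the
		// common convention, so tooling that filters on `reference` sees it.
		reference = "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/"
	strings:
		// mov eax, 0x41 ('A') | 0x43 ('C'); ...; cmp eax, 0x5A ('Z')
		// Looks like a loop over a letter range -- inferred from the decode, not confirmed.
		$code1 = { B8 ( 41 | 43 ) 00 00 00 [10-30] 83 F8 5A }
		// mov rcx, [rsp+8]; lock xadd [rcx], eax; add eax, [rsp+0x10]
		$code2 = { 48 8B 4C 24 08 F0 0F C1 01 03 44 24 10 }
		// sub eax, 0x20; mov r/m8, r8 (7 wildcard bytes); shl rax, 5; add rax, [rsp+disp8]
		// Shift-by-5-and-add is typical of a string-hash loop -- presumed, not verified here.
		$code3 = { 83 E8 20 88 [7] 48 C1 E0 05 48 03 44 24 }
		// mov qword [rsp+disp8], 0x1505 -- 0x1505 (5381) is commonly the djb2 hash seed.
		$code4 = { 48 C7 44 24 ?? 05 15 00 00 }
		// Base64 of the ransom-note opening ("Dear usernamme, your files were
		// encrypted, some ..."). The misspelling is in the encoded text itself;
		// keep the literal byte-exact or the match breaks.
		$string1 = "RGVhciB1c2VybmFtbWUsIHlvdXIgZmlsZXMgd2VyZSBlbmNyeXB0ZWQsIHNvbWUgY"
		// UTF-16 command-line switches handled by the sample.
		$string2 = "-network" wide fullword
		$string3 = "-help" wide fullword
		// Imported API names; the condition requires all five together.
		$winapi1 = "PostQueuedCompletionStatus" ascii fullword
		$winapi2 = "GetSystemInfo" ascii fullword
		$winapi3 = "WNetEnumResourceW" ascii fullword
		$winapi4 = "GetCommandLineW" ascii fullword
		$winapi5 = "BCryptGenRandom" ascii fullword
	condition:
		// No MZ / filesize guard: the rule also fires on memory dumps and other
		// non-PE containers, at the cost of running the string scan on every
		// file. Add `uint16(0) == 0x5A4D and filesize < <LIMIT>` (placeholder)
		// if it is only used against files on disk.
		all of ($winapi*) and 4 of ($code*, $string*)
}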