Yara Rules for Ransomware group  snatch

import "pe"

rule snatch_ransomware_x3_loader {
	meta:
		description = "snatch-ransomware - file x3.exe"
		author = "DFIR Report"
		reference = "https://thedfirreport.com/"
		date = "2020-06-17"
		hash1 = "b9e4299239880961a88875e1265db0ec62a8c4ad6baf7a5de6f02ff4c31fcdb1"
	strings:
		$s1 = "jd4ob7162ns.dll" wide fullword
		$s2 = "kb05987631s.dll" wide fullword
		$s3 = "fw0a53482aa.dll" wide fullword
		$s4 = "C:\\Builds\\TP\\rtl\\common\\TypInfo.pas" wide fullword
		$s5 = "C:\\Builds\\TP\\rtl\\sys\\SysUtils.pas" wide fullword
		$s6 = "C:\\Builds\\TP\\rtl\\common\\Classes.pas" wide fullword
		$s7 = "/K schtasks /Create /RU SYSTEM /SC DAILY /ST 00:00 /TN \"Regular Idle Maintenance\" /TR \"" wide fullword
		$s8 = "/K schtasks /Create /RU SYSTEM /SC ONSTART /TN \"Regular Idle Maintenances\" /TR \"" wide fullword
		$s9 = "RootP0C" ascii fullword
		$s10 = "Component already destroyed: " wide fullword
		$s11 = "Stream write error The specified file was not found2Length of Strings and Objects arrays must be equal#''%s'' is not a valid int" wide
		$s12 = "PPackageTypeInfo$\"@" ascii fullword
		$s13 = "PositionP0C" ascii fullword
		$s14 = "DesignInfoP0C" ascii fullword
		$s15 = "OwnerP0C" ascii fullword
		$s16 = "3\"4\\4~4" ascii fullword
		$s17 = "TComponentClassP0C" ascii fullword
		$s18 = ":$:2:6:L:\\:l:t:x:|:" ascii fullword
		$s19 = ":P:T:X:\\:t:" ascii fullword
		$s20 = ":,:<:@:L:T:X:\\:`:d:h:l:p:t:x:|:" ascii fullword
	condition:
		uint16(0) == 0x5a4d and filesize < 900KB and (pe.imphash() == "d6136298ea7484a715d40720221233be" or 8 of them)
}


rule snatch_ransomware_safe_go_ransomware {
	meta:
		description = "snatch-ransomware - file safe.exe"
		author = "DFIR Report"
		reference = "https://thedfirreport.com/"
		date = "2020-06-17"
		hash1 = "3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6"
	strings:
		$s1 = "dumpcb" ascii fullword
		$s2 = "dfmaftpgc" ascii fullword
		$s3 = "ngtrunw" ascii fullword
		$s4 = "_dumpV" ascii fullword
		$s5 = ".dll3u^" ascii fullword
		$s6 = "D0s[Host#\"0" ascii fullword
		$s7 = "CPUIRC32D,OPg" ascii fullword
		$s8 = "WSAGetOv" ascii fullword
		$s9 = "Head9iuA" ascii fullword
		$s10 = "SpyL]ZIo" ascii fullword
		$s11 = "cmpbody" ascii fullword
		$s12 = "necwnamep" ascii fullword
		$s13 = "ZonK+ pW" ascii fullword
		$s14 = "printabl" ascii fullword
		$s15 = "atomicn" ascii fullword
		$s16 = "powrprof" ascii fullword
		$s17 = "recdvoc" ascii fullword
		$s18 = "nopqrsx" ascii fullword
		$s19 = "ghijklm" ascii fullword
		$s20 = "spdelta" ascii fullword
	condition:
		uint16(0) == 0x5a4d and filesize < 8000KB and (pe.imphash() == "6ed4f5f04d62b18d96b26d6db7c18840" or 8 of them)
}

© 2024 Ransomware.live. All rights reserved.  |    Contact us  |    BlueSky  |    GitHub  |    LinkedIn

  Support Ransomare.live

Last Dataset update : 2024-12-04 19:11:20 UTC