YARAhub

You are currently viewing the YARAhub entry of the YARA rule MALWARE_Storm0978_Underground_Ransomware_Jul23. Depending on the TLP classification of this YARA rule chosen by the author, further information about this YARA rule is available below.

YARA Rule Details: MALWARE_Storm0978_Underground_Ransomware_Jul23


Rule name: MALWARE_Storm0978_Underground_Ransomware_Jul23
Author: SECUINFRA Falcon Team (@SI_FalconTeam) - @SI_FalconTeam
Description: Hunting rule for samples of 'Underground Ransomware', linked to IndustrialSpy and Storm-0978
Reference MD5: 059175be5681a633190cd9631e2975f6
Likes: 0
Reference Link: n/a
Malpedia Family: n/a
Date added: 2023-07-12
Rule Matching TLP: TLP:WHITE
Rule Sharing TLP: TLP:WHITE
License: https://creativecommons.org/licenses/by/4.0/
UUID: 4ed613b6-9ed6-424c-a3b1-79855eebc0fa
Static hits: 13
Unpacker hits: 0

YARA Rule Content


The content of the YARA rule is shown below.

rule MALWARE_Storm0978_Underground_Ransomware_Jul23
{
    meta:
        author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
        description = "Hunting rule for samples of 'Underground Ransomware', linked to IndustrialSpy and Storm-0978"
        reference = "https://twitter.com/RakeshKrish12/status/1678296344061157377"
        date = "2023-07-12"
        tlp = "CLEAR"
        hash = "d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666"
        yarahub_uuid = "4ed613b6-9ed6-424c-a3b1-79855eebc0fa"
        yarahub_reference_md5 = "059175be5681a633190cd9631e2975f6"
        yarahub_license = "CC BY 4.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:WHITE"
        yarahub_author_twitter = "@SI_FalconTeam"

    strings:
        $s_1 = "temp.cmd" wide
        $s_2 = "%s\\!!readme!!!.txt" wide
        $s_3 = "VIPinfo.txt" wide
        $s_4 = "The Underground team welcomes you!" ascii
        $s_5 = "http://undgrddapc4reaunnrdrmnagvdelqfvmgycuvilgwb5uxm25sxawaoqd.onion"
        $s_6 = "File unlocking error" wide

    condition:
        uint16(0) == 0x5a4d
        and 4 of ($s_*)
}

YARA Rule Matches


The following table shows the most recent files matching this particular YARA rule.

First seen (UTC) | SHA256 hash | Static matches | Unpacker matches