From 8bb17927e76a239a8e479a6d25e37aa6b31915ea Mon Sep 17 00:00:00 2001
From: deathrobotpunch <87455177+deathrobotpunch@users.noreply.github.com>
Date: Wed, 4 Dec 2024 21:02:29 +0800
Subject: [PATCH 1/2] Create MSAN_Locker.yar
---
 malware/MSAN_Locker.yar | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 malware/MSAN_Locker.yar
diff --git a/malware/MSAN_Locker.yar b/malware/MSAN_Locker.yar
new file mode 100644
index 00000000..79a12f90
--- /dev/null
+++ b/malware/MSAN_Locker.yar
@@ -0,0 +1,16 @@
+rule MSAN_locker
+{
+ meta:
+ author = "Deathrobotpunch1"
+ description = "MSAN Locker YARA rule"
+ sha256_1 = cd87a63ad8a77a82f135401033e862de308286458273615a17c3013da65ad79a
+ sha256_2 = 33cadf8ff779d9d48135c5d9ea7b9b79ad59411c246df3f4421cc895548d07c4
+ sha256_3 = 78e72c3f93e794d0eb8a7685e536cc2d1045cfb5c3d9cb40de1c07e076ffb6a3
+
+ strings:
+ $hex_strings1 = {48 56 57 41 54 41 55 41 56 41 57 49}
+ $hex_strings2 = {41 32 84 24 4c 20 40 00}
+ $hex_strings3 = {4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 67 01 45 78 69 74 50 72 6F 63 65 73 73 00 42 02 47 65 74 45 6E 76 69 72 6F 6E 6D 65 6E 74 56 61 72 69 61 62 6C 65 41 00 4C 06 6C 73 74 72 63 70 79}
+ condition:
+ any of them
+}
From 0cea72232c65e78181775d44d301641fd690956e Mon Sep 17 00:00:00 2001
From: deathrobotpunch <87455177+deathrobotpunch@users.noreply.github.com>
Date: Wed, 4 Dec 2024 21:13:42 +0800
Subject: [PATCH 2/2] Update MSAN_Locker.yar
---
 malware/MSAN_Locker.yar | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/malware/MSAN_Locker.yar b/malware/MSAN_Locker.yar
index 79a12f90..1b72029a 100644
--- a/malware/MSAN_Locker.yar
+++ b/malware/MSAN_Locker.yar
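Review bot: The condition `any of them` lets any single pattern fire the rule, and two of the three patterns do not look specific to this family: `$hex_strings1` appears to contain a run of x64 callee-saved register pushes (`56 57 41 54 41 55 41 56 41 57`) of the kind found in many compiled 64-bit binaries, and `$hex_strings3` decodes to a KERNEL32.dll import-name fragment (ExitProcess, GetEnvironmentVariableA, lstrcpy). As written the rule is likely to match a large amount of benign software. I would anchor it to PE files and require the patterns together, e.g. `uint16(0) == 0x5A4D and all of them`, then confirm it still hits the three samples listed in `meta` and stays quiet on a goodware set. The `description` could also say what each pattern represents, so an analyst triaging a hit knows what was actually matched.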
@@ -3,9 +3,9 @@ rule MSAN_locker
 meta:
 author = "Deathrobotpunch1"
 description = "MSAN Locker YARA rule"
- sha256_1 = cd87a63ad8a77a82f135401033e862de308286458273615a17c3013da65ad79a
- sha256_2 = 33cadf8ff779d9d48135c5d9ea7b9b79ad59411c246df3f4421cc895548d07c4
- sha256_3 = 78e72c3f93e794d0eb8a7685e536cc2d1045cfb5c3d9cb40de1c07e076ffb6a3
+ hash1 = cd87a63ad8a77a82f135401033e862de308286458273615a17c3013da65ad79a
+ hash2 = 33cadf8ff779d9d48135c5d9ea7b9b79ad59411c246df3f4421cc895548d07c4
+ hash3 = 78e72c3f93e794d0eb8a7685e536cc2d1045cfb5c3d9cb40de1c07e076ffb6a3
 
 strings:
 $hex_strings1 = {48 56 57 41 54 41 55 41 56 41 57 49}
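Review bot: The renamed `hash1`–`hash3` values are still bare hex, and YARA `meta` values must be a quoted string, an integer or a boolean, so the rule as shown should fail to compile and would never load in a scanner. Quote each value, e.g. `hash1 = "cd87a63ad8a77a82f135401033e862de308286458273615a17c3013da65ad79a"`. The `sha256_N` lines added in patch 1/2 have the same problem, so this rename does not fix it. The rename also drops the hash type from the key name, so it would help to state that these are SHA-256 values, either in the key or in a comment. Compiling the file with `yarac` before merging would catch this class of error.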