Merge pull request Yara-Rules#360 from bartblaze/master

Create RANSOM_Maze.yar
k0ko380 · Jan 7, 2020 · 4c9e3bc · 4c9e3bc
2 parents 6a600e7 + 4e88977
commit 4c9e3bc
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/malware/RANSOM_Maze.yar b/malware/RANSOM_Maze.yar
@@ -0,0 +1,29 @@
+rule Maze
+{
+meta:
+	description = "Identifies Maze ransomware in memory or unpacked."
+	author = "@bartblaze"
+	date = "2019-11"
+	tlp = "White"
+
+strings:	
+	$ = "Enc: %s" ascii wide
+	$ = "Encrypting whole system" ascii wide
+	$ = "Encrypting specified folder in --path parameter..." ascii wide
+	$ = "!Finished in %d ms!" ascii wide
+	$ = "--logging" ascii wide
+	$ = "--nomutex" ascii wide
+	$ = "--noshares" ascii wide
+	$ = "--path" ascii wide
+	$ = "Logging enabled | Maze" ascii wide
+	$ = "NO SHARES | " ascii wide
+	$ = "NO MUTEX | " ascii wide
+	$ = "Encrypting:" ascii wide
+	$ = "You need to buy decryptor in order to restore the files." ascii wide
+	$ = "Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms" ascii wide
+	$ = "%s! Alert! %s! Alert! Dear %s Your files have been encrypted by %s! Attention! %s" ascii wide
+	$ = "DECRYPT-FILES.txt" ascii wide fullword
+
+condition:
+	5 of them
+}