Common Information
| Type | Value |
|---|---|
| Value |
rule BlackMatter {
meta:
author = "Andrey Zhdanov"
company = "Group-IB"
family = "ransomware.blackmatter.windows"
description = "BlackMatter ransomware Windows payload"
severity = 10
score = 100
strings:
$h0 = { 80 C6 61 80 EE 61 C1 CA 0D 03 D0 }
$h1 = { 02 F1 2A F1 B9 0D 00 00 00 D3 CA 03 D0 }
$h2 = { 3C 2B 75 04 B0 78 EB 0E 3C 2F 75 04 B0 69 EB 06 3C 3D 75 02 B0 7A }
$h3 = { 33 C0 40 40 8D 0C C5 01 00 00 00 83 7D 0? 00 75 04 F7 D8 EB 0? }
condition:
((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and ((1 of ($h*)))
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |