// Hive ransomware, version 3, ESXi (Linux ELF) payload.
// Matching logic: the file must be an ELF image and must then show either
// both code-level patterns ($h*), or one ESXi-specific string ($a*) together
// with at least two of the generic Hive format strings ($b*).
rule Hive_ESXi_v3 {
	meta:
		author = "Andrey Zhdanov"
		company = "Group-IB"
		family = "ransomware.hive.esxi"
		description = "Hive v3 ransomware ESXI payload"
		severity = 10
		score = 100
	strings:
		// x86-64 code fragments: imul r64,r/m64,imm32 / 64-bit shift by 0x20 /
		// imul r32,r/m32,imm32 / sub. The ?? wildcards mask the ModRM byte so the
		// match does not depend on register allocation; E? covers the shift's
		// ModRM encoding. The shape resembles what a compiler emits for a
		// remainder-by-constant; the purpose in the sample is not visible here.
		$h0 = { 48 69 ?? B5 B4 1B 01 48 C1 E? 20 69 ?? 00 70 0E 00 29 ?? }
		$h1 = { 48 69 ?? 25 30 40 00 48 C1 E? 20 69 ?? 00 F4 0F 00 29 ?? }
		// ESXi-specific artefacts. $a0 is a regex literal embedded in the binary
		// (a trailing ".vm…" / ".vs…" extension, NUL-terminated); $a1 is the shell
		// pipeline that lists VM ids with vim-cmd and powers each one off.
		$a0 = "\\.(vm|vs)\\w+$\x00"
		$a1 = "vim-cmd vmsvc/getallvms | grep -o -E '^[0-9]+' | xargs -r -n 1 vim-cmd vmsvc/power.off"
		// Generic Hive format strings: key-file name pattern, export/notify
		// status lines, the ransom-note file name and the /etc/motd notification.
		// The embedded \x00 bytes pin each string to a C-string boundary so a
		// partial substring inside unrelated data does not match.
		$b0 = "\x00%s.key.%s\x00"
		$b1 = "\x00! export %s"
		$b2 = "\x00+ export %s"
		$b3 = "HOW_TO_DECRYPT.txt\x00"
		$b4 = "\x00+notify /etc/motd\x00"
		$b5 = "\x00+notify %s"
		$b6 = "\x00+ prenotify %s"
		$b7 = "\x00Stopping VMs\x00"
	condition:
		// 0x464C457F is the little-endian uint32 read of the ELF magic
		// 7F 45 4C 46 ("\x7FELF"); it gates the string checks to ELF files.
		(uint32(0) == 0x464C457F) and ((2 of ($h*)) or ((1 of ($a*)) and (2 of ($b*))))
}
Details Published Attributes CTI Title
Details Website 2021-09-12 150 Inside the Hive