rule CISA_10375867_01 : wiper HERMETICWIPER {
	// Flags PE files that carry the HermeticWiper resource layout (an "SZDD"
	// compressed blob plus per-architecture DRV_* resource names) together
	// with the UTF-16LE strings the wiper uses for its driver path, raw disk
	// access, the crash-dump registry key, an NTFS attribute name and the
	// two privileges it requests.
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10375867"
		Date = "2022-04-05"
		Last_Modified = "20220406_1500"
		Actor = "n/a"
		Category = "Wiper"
		Family = "n/a"
		Description = "Detects Hermetic Wiper samples"
		MD5_1 = "382fc1a3c5225fceb672eea13f572a38"
		SHA256_1 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
		MD5_2 = "decc2726599edcae8d1d1d0ca99d83a6"
		SHA256_2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
		MD5_3 = "84ba0197920fd3e2b7dfa719fee09d2f"
		SHA256_3 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
		MD5_4 = "3f4a16b29f2f0532b7ce3e7656799125"
		SHA256_4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
		MD5_5 = "f1a33b2be4c6215a1c39b45e391a3e85"
		SHA256_5 = "06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397"

	strings:
		// Every pattern is kept as raw hex instead of a `wide` text string:
		// most of the UTF-16LE sequences below stop at the low byte of the
		// last character (no trailing 00), which a text string with the wide
		// modifier would not reproduce. The bytes are exactly as published.

		// --- Resource markers -------------------------------------------
		// "SZDD" (the Microsoft LZ / COMPRESS.EXE header signature)
		$rsrc_szdd = { 53 5A 44 44 }
		// L"RCDATA" (trailing 00 of the last character included)
		$rsrc_rcdata = { 52 00 43 00 44 00 41 00 54 00 41 00 }
		// L"DRV_X64" (no trailing 00)
		$rsrc_drv_x64 = { 44 00 52 00 56 00 5F 00 58 00 36 00 34 }
		// L"DRV_X86" (no trailing 00)
		$rsrc_drv_x86 = { 44 00 52 00 56 00 5F 00 58 00 38 00 36 }
		// L"DRV_XP_X64" (no trailing 00)
		$rsrc_drv_xp_x64 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 36 00 34 }
		// L"DRV_XP_X86" (trailing 00 of the last character included)
		$rsrc_drv_xp_x86 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 38 00 36 00 }

		// --- Runtime strings (UTF-16LE, each without its trailing 00) ----
		// L"EPMNTDRV\%u" - device path with a numeric suffix
		$s_epmntdrv = { 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56 00 5C 00 25 00 75 }
		// L"PhysicalDrive%u" - raw physical disk handle name
		$s_physicaldrive = { 50 00 68 00 79 00 73 00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76 00 65 00 25 00 75 }
		// L"SYSTEM\CurrentControlSet\Control\CrashControl" - registry key
		$s_crashcontrol_key = { 53 00 59 00 53 00 54 00 45 00 4D 00 5C 00 43 00 75 00 72 00 72 00 65 00 6E 00 74 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 53 00 65 00 74 00 5C 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 5C 00 43 00 72 00 61 00 73 00 68 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C }
		// L"CrashDumpEnabled" - value under the key above
		$s_crashdumpenabled = { 43 00 72 00 61 00 73 00 68 00 44 00 75 00 6D 00 70 00 45 00 6E 00 61 00 62 00 6C 00 65 00 64 }
		// L"$INDEX_ALLOCATION" - NTFS attribute name
		$s_index_allocation = { 24 00 49 00 4E 00 44 00 45 00 58 00 5F 00 41 00 4C 00 4C 00 4F 00 43 00 41 00 54 00 49 00 4F 00 4E }
		// L"SeLoadDriverPrivilege"
		$s_seloaddriver_priv = { 53 00 65 00 4C 00 6F 00 61 00 64 00 44 00 72 00 69 00 76 00 65 00 72 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 }
		// L"SeBackupPrivilege"
		$s_sebackup_priv = { 53 00 65 00 42 00 61 00 63 00 6B 00 75 00 70 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 }
		// L"C:\Windows\SYSVOL"
		$s_sysvol = { 43 00 3A 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 53 00 59 00 53 00 56 00 4F 00 4C }

	condition:
		// "MZ" at offset 0, at least three of the six resource markers and
		// at least seven of the eight runtime strings.
		uint16(0) == 0x5A4D
		and 3 of ($rsrc*)
		and 7 of ($s*)
}
Details Published Attributes CTI Title
Details Website 2022-04-28 30 MAR-10375867-1.v1 – HermeticWiper | CISA
Details Website 2022-04-25 29 MAR-10375867-1.v1 – HermeticWiper | CISA