Added Win32Toxic: tox ransomware

Added Win32Toxic: tox ransomware

Added Win32Toxic: tox ransomware
e469d444 · Yara Rules · 6bbae96e · e469d444
Commit e469d444 authored Jun 01, 2015 by Yara Rules
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 0 deletions

Ramsonware.yar malware/Ramsonware.yar +22 -0

No files found.
--- a/malware/Ramsonware.yar
+++ b/malware/Ramsonware.yar
@@ -97,3 +97,25 @@ $string3 = "klospad.pdb"
 condition:
 3 of them 
 }
+rule Win32Toxic: tox ransomware{
+meta:
+	author = "@GelosSnake"
+	date = "2015-06-01"
+	description = "https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us"
+	hash0 = "048c007de4902b6f4731fde45fa8e6a9"
+	hash1 = "3133c2231fcee5d6b0b4c988a5201da1"
+	hash2 = "a7f91301712b5a3cc8c3ab9c119530ce"
+	hash3 = "91da679f417040558059ccd5b1063688"
+	hash4 = "52c9d25179bf010a4bb20d5b5b4e0615"
+	sample_filetype = "exe"
+strings:
+	$string0 = "GSSAPI"
+	$string1 = "/MATCH:"
+	$string2 = "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
+	$string3 = "t;<<t;<<t<<<t<<"
+	$string4 = ">>><<<"
+	$string5 = "uB<Kux"
+condition:
+	5 of them
+}