YARA rules for the Dharma ransomware family (Windows PE payloads)

/*
Dharma ransomware
*/


rule Dharma
{
    meta:
        author = "rivitna"
        family = "ransomware.dharma"
        description = "Dharma ransomware Windows"
        severity = 10
        score = 100

    strings:
        // Variant A: a run of four dword stores into consecutive fields of one
        // structure ([reg+8], [reg+0xC], [reg+0x10], [reg+0x18]). Each
        // "C7 4? disp8 imm32" looks like `mov dword ptr [reg+disp8], imm32`
        // with the base register wildcarded (ModRM 0x40-0x47). NOTE(review):
        // 0x44 in that range would introduce a SIB byte, so for that value the
        // pattern is an over-match rather than a real [reg+disp8] encoding;
        // harmless for a signature but worth knowing when tuning.
        // "[0-8]" allows up to eight bytes of unrelated code between stores.
        // Immediates are little-endian: 0x78AA03FD, 3, 0x00040000, 0x000C0038.
        $init_seq_a = {
            C7 4? 08 FD 03 AA 78 [0-8]
            C7 4? 0C 03 00 00 00 [0-8]
            C7 4? 10 00 00 04 00 [0-8]
            C7 4? 18 38 00 0C 00
        }

        // Variant B: two stores, 2 into [reg+4] and 0x417AFE0C into [reg+8],
        // same encoding and gap tolerance as variant A.
        $init_seq_b = {
            C7 4? 04 02 00 00 00 [0-8]
            C7 4? 08 0C FE 7A 41
        }

    condition:
        // Only consider PE files: "MZ" at offset 0 and "PE\0\0" at the offset
        // held in e_lfanew (0x3C). If e_lfanew points past EOF the inner read
        // is undefined, which does not satisfy the condition.
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        // Either store sequence on its own is sufficient (`any of them` is the
        // same set as `1 of ($h*)` in the original layout).
        any of them
}