YARA rules for the Qilin ransomware group

/*
Qilin ransomware
*/

import "pe"


rule Qilin_Loader
{
    meta:
        author = "rivitna"
        family = "ransomware.qilin.windows"
        description = "Qilin ransomware Windows loader"
        severity = 10
        score = 100

    strings:
        // x86 loader stub: test eax / conditional branch / call sequence followed
        // by a push of a 32-bit constant and stack-slot stores. Addresses,
        // displacements and the pushed constant are wildcarded so the pattern
        // survives relinking; the constant's shape (0x002?..00-0x004?..00)
        // presumably tracks the .rdata size bounds checked below -- unverified.
        $loader_stub = { 85 C0 75 12 E8 [4] 85 C0 0F 84 ?? 0? 00 00 A3 [4]
                68 00 ?? ( 2? | 3? | 4? ) 00 6A 00 50 E8 [4] 85 C0
                0F 84 ?? 0? 00 00 31 D2 BF 00 [2] FF ( BB | 8D ) [0-8]
                ( 89 44 24 ?? C7 44 24 ?? ?0 ?? ?? 00
                  C7 44 24 ?? 00 00 00 00 |
                  ( 89 45 ?? C7 45 ?? ?0 ?? ?? 00 |
                    C7 45 ?? ?0 ?? ?? 00 89 45 ?? )
                  C7 45 ?? 00 00 00 00 )
                EB }

    condition:
        // "MZ" at offset 0 and "PE\0\0" at e_lfanew: a PE image, checked by hand
        // rather than via pe.is_pe so a malformed-but-parsable header still counts.
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        // The code stub above must be present (the only string in this rule).
        $loader_stub and
        // At least one section named ".rdata" whose raw size is between
        // 0x2A0000 and 0x500000 bytes inclusive -- an unusually large
        // read-only data section; presumably where the payload is embedded,
        // which the pattern alone does not prove.
        for any i in (0..pe.number_of_sections-1) : (
            pe.sections[i].name == ".rdata" and
            pe.sections[i].raw_data_size >= 0x2A0000 and
            pe.sections[i].raw_data_size <= 0x500000
        )
}

rule QilinRansomwareESXi {
    meta:
        description = "rule to detect Qilin Ransomware"
        author = "ShadowStackRe.com"
        date = "2023-12-06"
        Rule_Version = "v1"
        malware_type = "ransomware"
        malware_family = "Qilin"
        License = "MIT License, https://opensource.org/license/mit/"

    strings:
        // Plain, case-sensitive ASCII markers (no `wide`/`nocase` modifiers).
        // They look like console/log text of the Linux/ESXi encryptor;
        // that attribution is not verified here.
        $s_motd     = "/etc/motd"
        $s_prompt   = "Are you sure to start encryption"
        $s_cfg_hdr  = "--- Configuration start ---"
        $s_esxcli   = "esxcli"
        $s_rename   = "Failed to rename encrypted file to"
        $s_job      = "Started job..."
        // ANSI "cursor to column" escape (ESC [ n G) followed by a literal "100%",
        // i.e. a printf format for a progress line.
        $s_progress = "\x1B[%uG 100%%"

    condition:
        // Every marker must be present. There is no ELF-header gate, so the rule
        // also matches any data object (dump, fragment) containing all seven
        // strings; a single missing string is enough to suppress the match.
        all of ($s_*)
}