YARA rules for the Qilin ransomware group (Windows loader and Linux/ESXi encryptor)
/*
Qilin ransomware
*/
import "pe"
rule Qilin_Loader
{
    meta:
        author = "rivitna"
        family = "ransomware.qilin.windows"
        description = "Qilin ransomware Windows loader"
        severity = 10
        score = 100

    strings:
        // x86 code sequence from the loader: test eax / jne / call chain, a
        // push-imm32 / push 0 / push eax / call, xor edx,edx and mov edi,imm32,
        // followed by two stack-slot stores and a short jmp (EB).
        // The outer alternative covers an esp-relative (89 44 24 ..) and an
        // ebp-relative (89 45 ..) compile of the same routine; the inner one
        // allows the two ebp-relative stores in either order.
        $loader_seq = {
            85 C0 75 12 E8 [4] 85 C0 0F 84 ?? 0? 00 00 A3 [4]
            68 00 ?? ( 2? | 3? | 4? ) 00 6A 00 50 E8 [4] 85 C0
            0F 84 ?? 0? 00 00 31 D2 BF 00 [2] FF ( BB | 8D ) [0-8]
            (
                89 44 24 ?? C7 44 24 ?? ?0 ?? ?? 00
                C7 44 24 ?? 00 00 00 00
            |
                ( 89 45 ?? C7 45 ?? ?0 ?? ?? 00 | C7 45 ?? ?0 ?? ?? 00 89 45 ?? )
                C7 45 ?? 00 00 00 00
            )
            EB
        }

    condition:
        // MZ header and a PE signature at e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        // an unusually large .rdata section (0x2A0000-0x500000 bytes of raw
        // data, i.e. roughly 2.6-5 MiB) -- presumably where the embedded
        // payload is stored; confirm against samples before widening the range
        for any sec in (0..pe.number_of_sections - 1) : (
            pe.sections[sec].name == ".rdata" and
            pe.sections[sec].raw_data_size >= 0x2A0000 and
            pe.sections[sec].raw_data_size <= 0x500000
        ) and
        $loader_seq
}
rule QilinRansomwareESXi
{
    meta:
        description = "rule to detect Qilin Ransomware"
        author = "ShadowStackRe.com"
        date = "2023-12-06"
        Rule_Version = "v1"
        malware_type = "ransomware"
        malware_family = "Qilin"
        License = "MIT License, https://opensource.org/license/mit/"

    strings:
        // Plain-text markers of the Linux/ESXi encryptor. No modifiers are
        // given, so every string is matched as case-sensitive ASCII.
        $motd_path      = "/etc/motd"
        $confirm_prompt = "Are you sure to start encryption"
        $config_banner  = "--- Configuration start ---"
        // short and generic on its own (any ESXi tooling contains it); it only
        // contributes because the condition requires every string below
        $esxcli_token   = "esxcli"
        $rename_error   = "Failed to rename encrypted file to"
        $job_started    = "Started job..."
        // progress output: ESC [ <n> G (ANSI cursor-to-column) followed by a
        // literal "100%"; "%%" is a C format-string escape for a single '%'
        $progress_fmt   = "\x1B[%uG 100%%"

    condition:
        // strict conjunction: all seven markers must be present
        all of them
}