Clop payload sig

ctxis · Dec 29, 2019 · b604f59 · b604f59
1 parent e9f7e04
commit b604f59
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/data/yara/CAPE/Clop.yar b/data/yara/CAPE/Clop.yar
@@ -0,0 +1,11 @@
+rule Clop
+{
+    meta:
+        author = "kevoreilly"
+        cape_type = "Clop Payload"
+    strings:
+        $string1 = "%s%s.Cl0p" wide
+        $string2 = "%s\\Cl0pReadMe.txt" wide
+    condition:
+        uint16(0) == 0x5A4D and all of them
+}