{"group":"babuk","count":1,"rules":[{"rule_name":"Babuk.yar","rule_text":"/*\nBabuk ransomware\n*/\n\n\nrule Babuk_ESXi\n{\n meta:\n author = \"rivitna\"\n family = \"ransomware.babuk.esxi\"\n description = \"Babuk ESXi\"\n severity = 10\n score = 100\n\n strings:\n $h0 = \"/dev/urandom\\x00\" ascii\n $h1 = \"EiB\\x00PiB\\x00TiB\\x00GiB\\x00MiB\\x00KiB\\x00B\\x00\" ascii\n $h2 = \"crypting: %s\\n\\x00\" ascii\n\n $c0 = { 67 E6 09 6A [2-8] 85 AE 67 BB [2-8] 72 F3 6E 3C [2-8]\n 3A F5 4F A5 [2-8] 7F 52 0E 51 [2-8] 8C 68 05 9B }\n $c1 = { 98 2F 8A 42 91 44 37 71 CF FB C0 B5 A5 DB B5 E9\n 5B C2 56 39 F1 11 F1 59 A4 82 3F 92 D5 5E 1C AB }\n $c2 = { 79 37 9E 89 [4-16] C1 C? ( 15 | 0B ) [16-40] 79 37 9E 89 }\n\n condition:\n (uint32(0) == 0x464C457F) and (filesize < 120000) and\n (\n (all of ($c*)) and (1 of ($h*))\n )\n}\n\nrule Ransom_Babuk {\n meta:\n description = \"Rule to detect Babuk Locker\"\n author = \"TS @ McAfee ATR\"\n date = \"2021-01-19\"\n hash = \"e10713a4a5f635767dcd54d609bed977\"\n rule_version = \"v2\"\n malware_family = \"Ransom:Win/Babuk\"\n malware_type = \"Ransom\"\n mitre_attack = \"T1027, T1083, T1057, T1082, T1129, T1490, T1543.003\"\n\n strings:\n $s1 = {005C0048006F007700200054006F00200052006500730074006F0072006500200059006F00750072002000460069006C00650073002E007400780074}\n // \\ How To Restore Your Files .txt\n $s2 = \"delete shadows /all /quiet\" fullword wide\n\n $pattern1 = {006D656D74617300006D65706F63730000736F70686F730000766565616D0000006261636B7570000047785673730000004778426C7200000047784657440000004778435644000000477843494D67720044656657617463680000000063634576744D67720000000063635365744D677200000000536176526F616D005254567363616E0051424643536572766963650051424944505365727669636500000000496E747569742E517569636B426F6F6B732E46435300}\n $pattern2 = {004163725363683253766300004163726F6E69734167656E74000000004341534144324457656253766300000043414152435570646174655376630000730071}\n $pattern3 = {FFB0154000C78584FDFFFFB8154000C78588FDFFFFC0154000C7858CFDFFFFC8154000C78590FDFFFFD0154000C78594FDFFFFD8154000C78598FDFFFFE0154000C7859CFDFFFFE8154000C785A0FDFFFFF0154000C785A4FDFFFFF8154000C785A8FDFFFF00164000C785ACFDFFFF08164000C785B0FDFFFF10164000C785B4FDFFFF18164000C785B8FDFFFF20164000C785BCFDFFFF28164000C785C0FDFFFF30164000C785C4FDFFFF38164000C785C8FDFFFF40164000C785CCFDFFFF48164000C785D0FDFFFF50164000C785D4FDFFFF581640}\n $pattern4 = {400010104000181040002010400028104000301040003810400040104000481040005010400058104000601040006C10400078104000841040008C10400094104000A0104000B0104000C8104000DC104000E8104000F01040000011400008114000181140002411400038114000501140005C11400064114000741140008C114000A8114000C0114000E0114000F4114000101240002812400034124000441240005412400064124000741240008C124000A0124000B8124000D4124000EC1240000C1340002813400054134000741340008C134000A4134000C4134000E8134000FC134000141440003C144000501440006C144000881440009C144000B4144000CC144000E8144000FC144000141540003415400048154000601540007815}\n \n condition:\n filesize >= 15KB and filesize <= 90KB and \n 1 of ($s*) and 3 of ($pattern*) \n}\n\nrule BabukRansomwareV3 {\n\tmeta:\n\t\tdescription = \"YARA rule for Babuk Ransomware v3\"\n\t\treference = \"http://chuongdong.com/reverse engineering/2021/01/16/BabukRansomware-v3/\"\n\t\tauthor = \"@cPeterr\"\n\t\tdate = \"2021-01-16\"\n\t\trule_version = \"v3\"\n\t\tmalware_type = \"ransomware\"\n\t\ttlp = \"white\"\n\tstrings:\n\t\t$lanstr1 = \"-lanfirst\"\n\t\t$lanstr2 = \"-nolan\"\n\t\t$lanstr3 = \"shares\"\n\t\t$str1 = \"BABUK LOCKER\"\n\t\t$str2 = \"babukq4e2p4wu4iq.onion\"\n\t\t$str3 = \"How To Restore Your Files.txt\" wide\n\t\t$str4 = \"babuk_v3\"\n\t\t$str5 = \".babyk\" wide\n\tcondition:\n\t\tall of ($str*) and all of ($lanstr*)\n}","sha256":"f14458af4ecd2fd5adc6fd85f47bc74eaed5301a0d77dd26a46e2188adb63f1e","byte_size":3749,"updated_at":"2026-06-24 05:15:59"}]}