{"group":"beast","count":1,"rules":[{"rule_name":"Beast.yar","rule_text":"/*\nBeast ransomware\n*/\n\n\nrule Beast\n{\n    meta:\n        author = \"rivitna\"\n        family = \"ransomware.beast\"\n        description = \"Beast ransomware Windows payload\"\n        severity = 10\n        score = 100\n\n    strings:\n        $h0 = { 6A 00 56 68 ?? ?? 00 00 57 6A 19 68 AA 00 00 00 6A ??\n                6A 0A 68 00 10 00 50 50 }\n        $h1 = { 6A 00 56 68 ?? ?? 00 00 57 6A 19 68 AA 00 00 00\n                68 ?? 00 00 00 6A 0A 68 00 10 00 50 50 }\n        $h2 = { 81 BC 24 ?? 00 00 00 50 4B 06 06 75 6?\n                81 BC 24 ?? 00 00 00 50 4B 06 07 75 5?\n                81 BC 24 ?? 00 00 00 50 4B 05 06 75 }\n        $h3 = { C7 44 24 ?? 17 10 14 06 }\n        $h4 = { 40 04 19 08 C7 45 ?? 19 04 23 04 C7 45 ?? 3F 04 40 04\n                C7 45 ?? 28 04 42 04 C7 45 ?? 43 08 22 04 }\n\n    condition:\n        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and\n        (\n            (3 of ($h*))\n        )\n}","sha256":"971e68e63cd23fd5c45395953923c08f5702ebcc94611fa8c2de3a160fc17690","byte_size":932,"updated_at":"2026-06-24 05:15:59"}]}