{"group":"bluelocker","count":1,"rules":[{"rule_name":"BlueLocker.yar","rule_text":"/*\nBlueLocker (MemeCryptor) ransomware\n*/\n\n\nrule BlueLocker\n{\n    meta:\n        author = \"rivitna\"\n        family = \"ransomware.bluelocker\"\n        description = \"BlueLocker ransomware Windows payload\"\n        severity = 10\n        score = 100\n\n    strings:\n        // String decryption\n        $h0 = { 0F 8F ?? 01 00 00 3D 00 00 A0 00 0F 82 ?? 01 00 00\n                85 C? 0F 8F ?? 01 00 00 7C 0B 3D 00 00 ( 20 03 | 40 06)\n                0F 83 ?? 01 00 00 }\n\n        $s0 = \"wbizecif48njqgpprzkm6769\" ascii wide\n        $s1 = \"\\x00Bule Cryptor\\x00\" ascii wide\n        $s2 = \"\\x00.blue\\x00\" ascii wide\n        $s3 = \"\\x00restore_file.txt\\x00\" ascii wide\n        $s4 = \"wmic SHADOWCOPY DELETE\" ascii wide fullword\n        $s5 = \" LOCKER****\" ascii\n        $s6 = \"[ Hello! ]\" ascii\n        $s7 = \"!!! DANGER !!!\" ascii\n\n    condition:\n        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and\n        (\n            (1 of ($h*)) or (4 of ($s*))\n        )\n}","sha256":"1047d4e3e8d322b38b03d63b0e1d5323e5c8595bde6b1d77d6c98920d9187bd2","byte_size":974,"updated_at":"2026-06-24 05:16:00"}]}