{"group":"chaos","count":1,"rules":[{"rule_name":"sekoia.yar","rule_text":"rule ransomware_win_chaos {\n    meta:\n        id = \"c1876a18-0618-44e2-8919-b4a041de97e7\"\n        description = \"Detects the Chaos Ransomware\"\n        author = \"Sekoia.io\"\n        version = \"1.0\"\n        creation_date = \"2022-01-18\"\n        classification = \"TLP:CLEAR\"\n        \n    strings:\n        $rep00 = \"\\\\Desktop\" wide\n        $rep01 = \"\\\\Links\" wide\n        $rep02 = \"\\\\Contacts\" wide\n        $rep03 = \"\\\\Documents\" wide\n        $rep04 = \"\\\\Downloads\" wide\n        $rep05 = \"\\\\Pictures\" wide\n        $rep06 = \"\\\\Music\" wide\n        $rep07 = \"\\\\OneDrive\" wide\n        $rep08 = \"\\\\Saved Games\" wide\n        $rep09 = \"\\\\Favorites\" wide\n        $rep10 = \"\\\\Searches\" wide\n        $rep11 = \"\\\\Videos\" wide\n        $rep12 = \"C:\\\\Users\\\\\" wide\n        \n        $str0 = \"svchost.exe\" wide\n        $str1 = \"\\\\privateKey.chaos\" wide\n        $str2 = \"Chaos Ransomware\" wide\n        $str3 = \"read_it.txt\" wide\n        $str4 = \"<EncryptedKey>\" wide\n        $str5 = \"passwordBytes\" ascii\n        $str6 = \"lookForDirectories\" ascii\n        $str7 = \"Rfc2898DeriveBytes\" ascii\n        $str8 = \"ICryptoTransform\" ascii\n        $str9 = \"FromBase64String\" ascii\n        \n        $ext0 = \".torrent\" wide\n        $ext1 = \".ibank\" wide\n        $ext2 = \".wallet\" wide\n        $ext3 = \".swift\" wide\n        $ext4 = \".onetoc2\" wide\n        \n    condition:\n        uint16(0) == 0x5a4d and\n    filesize > 50KB and filesize < 2MB and\n        6 of ($str*) and 10 of ($rep*) and 4 of ($ext*)\n}","sha256":"dcc5ca9dc4f92baec955a48b11fa67f197c9f69c7d50c84193066859a5879124","byte_size":1470,"updated_at":"2026-06-24 05:16:00"}]}