{"group":"hive","count":1,"rules":[{"rule_name":"Hive.yar","rule_text":"/*\nHive ransomware\n*/\n\n\nrule Hive_v3\n{\n    meta:\n        author = \"rivitna\"\n        family = \"ransomware.hive\"\n        description = \"Hive v3 ransomware Windows/Linux/FreeBSD payload\"\n        severity = 10\n        score = 100\n\n    strings:\n        $h0 = { B? 03 52 DA 8D [6-12] 69 ?? 00 70 0E 00 [14-20]\n                8D ?? 00 90 01 00 }\n        $h1 = { B? 37 48 60 80 [4-12] 69 ?? 00 F4 0F 00 [2-10]\n                8D ?? 00 0C 00 00 }\n        $h2 = { B? 3E 0A D7 A3 [2-6] C1 E? ( 0F | 2F 4?)\n                69 ?? 00 90 01 00 }\n\n        $x0 = { C6 84 24 ?? 00 00 00 FF [0-14] 89 ?? 24 ?? 00 00 00 [0-6]\n                89 ?? 24 ?? 0? 00 00 [0-20] C6 84 24 ?? 0? 00 00 34 }\n        $x1 = { C6 44 24 ?? FF [0-14] 89 ?? 24 ?? [0-6] 89 ?? 24 ?? [0-12]\n                C6 ( 84 24 ?? 00 00 00 | 44 24 ?? ) 34 }\n\n    condition:\n        (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or\n         (uint32(0) == 0x464C457F)) and\n        (\n            (2 of ($h*)) or (1 of ($x*))\n        )\n}\n\n\nrule Hive_ESXI_v3\n{\n    meta:\n        author = \"rivitna\"\n        family = \"ransomware.hive.esxi\"\n        description = \"Hive v3 ransomware ESXI payload\"\n        severity = 10\n        score = 100\n\n    strings:\n        $h0 = { 48 69 ?? B5 B4 1B 01 48 C1 E? 20 69 ?? 00 70 0E 00 29 ?? }\n        $h1 = { 48 69 ?? 25 30 40 00 48 C1 E? 20 69 ?? 00 F4 0F 00 29 ?? }\n\n        $a0 = \"\\\\.(vm|vs)\\\\w+$\\x00\" ascii\n        $a1 = \"vim-cmd vmsvc/getallvms | grep -o -E '^[0-9]+' | xargs -r -n 1 vim-cmd vmsvc/power.off\" ascii\n\n        $b0 = \"\\x00%s.key.%s\\x00\" ascii\n        $b1 = \"\\x00! export %s\" ascii\n        $b2 = \"\\x00+ export %s\" ascii\n        $b3 = \"HOW_TO_DECRYPT.txt\\x00\" ascii\n        $b4 = \"\\x00+notify /etc/motd\\x00\" ascii\n        $b5 = \"\\x00+notify %s\" ascii\n        $b6 = \"\\x00+ prenotify %s\" ascii\n        $b7 = \"\\x00Stopping VMs\\x00\" ascii\n\n    condition:\n        (uint32(0) == 0x464C457F) and\n        (\n            (2 of ($h*)) or\n            ((1 of ($a*)) and (2 of ($b*)))\n        )\n}\n\n\nrule Hive_v5\n{\n    meta:\n        author = \"rivitna\"\n        family = \"ransomware.hive\"\n        description = \"Hive v5 ransomware Windows/Linux/ESXi payload\"\n        severity = 10\n        score = 100\n\n    strings:\n        $h0 = { 00 03 D0 FF 48 01 ?? 48 C1 EA 15 48 69 D2 00 01 D0 FF\n                48 01 ?? 8A 04 ?? 32 04 ?? }\n        $h1 = { 68 00 FF 2F 00 53 [8-18] 68 00 FD 2F 00 53 [20-32]\n                8A 04 ?? 32 04 ?? }\n        $h2 = { 8A 04 10 48 8B 94 24 ?? 0? 00 00 32 04 0A\n                48 8B 8C 24 ?? 0? 00 00 30 04 29 48 FF C5\n                49 39 E? 0F 85 ?? ?? FF FF }\n        $h3 = { 8A 04 10 48 8B 8C 24 ?? 0? 00 00 32 04 ?? [0-8]\n                ( 41 30 | 30 ) 04 2? 48 FF C5 49 39 E? [0-4]\n                0F 85 ?? ?? FF FF }\n        $h4 = { 8A 04 01 32 04 16 8B 54 24 ?? 8B B4 24 ?? 0? 00 00\n                30 04 3A 47 39 7C 24 ?? 0F 85 ?? ?? FF FF }\n\n    condition:\n        (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or\n         (uint32(0) == 0x464C457F)) and\n        (\n            (1 of ($h*))\n        )\n}","sha256":"4c67f2b857360826ac4aefc437515752827034dc49f926ee1e3504d6e61e0419","byte_size":3058,"updated_at":"2026-06-24 05:16:02"}]}
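Added worked example, not part of the rule file above and not rivitna's or YARA's own code: a small Python reimplementation of the two things the Hive_v3 condition depends on, the PE/ELF file-format gate (`uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550`, or `uint32(0) == 0x464C457F`) and matching of hex strings with nibble wildcards, `[n-m]` jumps and `( a | b )` alternatives. It shows why the PE check needs bounds checks (YARA returns undefined for an out-of-range `uint32()` read, which makes the condition false rather than matching) and how a jump range limits what the pattern accepts. The function names (`hex_pattern_to_regex`, `is_pe`, `is_elf`, `hive_v3_gate`) and the sample buffers are this example's own; the code fragments are constructed to fit `$h1` and `$h2` and are not Hive bytes. The translator covers only the hex syntax these rules use, and only the `$h` branch of Hive_v3 is evaluated; the `$x` strings are left out.

```python
import re
import struct

# Translator for the YARA hex-string subset these rules use: fixed bytes,
# nibble wildcards (B?, ?B, ??), jumps [n-m] and alternatives ( a | b ).
# Illustrative reimplementation for this example, not YARA's matcher.
_TOKEN = re.compile(r"[0-9A-Fa-f?]{2}|\[\d+-\d+\]|[()|]")


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex string into an equivalent bytes regex."""
    parts = []
    for tok in _TOKEN.findall(pattern.strip().strip("{}")):
        if tok == "(":
            parts.append(b"(?:")
        elif tok in (")", "|"):
            parts.append(tok.encode())
        elif tok.startswith("["):                # jump [n-m]: any n..m bytes
            lo, hi = (int(x) for x in tok[1:-1].split("-"))
            parts.append(b"[\\x00-\\xff]{%d,%d}" % (lo, hi))
        elif tok == "??":                        # any single byte
            parts.append(b"[\\x00-\\xff]")
        elif tok[1] == "?":                      # A? -> A0..AF
            hi_nib = int(tok[0], 16) << 4
            parts.append(b"[\\x%02x-\\x%02x]" % (hi_nib, hi_nib | 0x0F))
        elif tok[0] == "?":                      # ?B -> 0B, 1B, ..., FB
            lo_nib = int(tok[1], 16)
            parts.append(b"[" + b"".join(b"\\x%02x" % ((h << 4) | lo_nib) for h in range(16)) + b"]")
        else:                                    # literal byte
            parts.append(b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550, with the bounds
    checks YARA applies implicitly: an out-of-range read is undefined and the
    whole condition evaluates to false instead of raising."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_elf(data: bytes) -> bool:
    """uint32(0) == 0x464C457F, i.e. the bytes 7F 45 4C 46 read little-endian."""
    return data[:4] == b"\x7fELF"


# The three $h strings of Hive_v3, copied verbatim from the rule.
HIVE_V3_H = [
    "{ B? 03 52 DA 8D [6-12] 69 ?? 00 70 0E 00 [14-20] 8D ?? 00 90 01 00 }",
    "{ B? 37 48 60 80 [4-12] 69 ?? 00 F4 0F 00 [2-10] 8D ?? 00 0C 00 00 }",
    "{ B? 3E 0A D7 A3 [2-6] C1 E? ( 0F | 2F 4?) 69 ?? 00 90 01 00 }",
]
HIVE_V3_REGEX = [hex_pattern_to_regex(p) for p in HIVE_V3_H]


def hive_v3_hex_matches(data: bytes) -> int:
    """How many of the $h strings occur in data (the rule requires 2 of them)."""
    return sum(1 for rx in HIVE_V3_REGEX if rx.search(data))


def hive_v3_gate(data: bytes) -> bool:
    """Hive_v3 restricted to its $h branch: (PE or ELF) and 2 of ($h*).
    The $x branch is not evaluated in this example."""
    return (is_pe(data) or is_elf(data)) and hive_v3_hex_matches(data) >= 2


# Constructed sample input (not real Hive bytes): fragments shaped to satisfy
# $h1 and $h2, placed behind a minimal MZ/PE header with e_lfanew = 0x40.
H1_CODE = (b"\xb9\x37\x48\x60\x80" + b"\xcc" * 5
           + b"\x69\xc9\x00\xf4\x0f\x00" + b"\xcc" * 4
           + b"\x8d\x8c\x00\x0c\x00\x00")
H2_CODE = (b"\xb8\x3e\x0a\xd7\xa3" + b"\x90" * 3
           + b"\xc1\xe8" + b"\x0f" + b"\x69\xc0\x00\x90\x01\x00")
PE_SAMPLE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + H1_CODE + H2_CODE
# Same code, but e_lfanew points past the end of the file: the gate must fail.
BAD_PE_SAMPLE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x10000) + H1_CODE + H2_CODE

if __name__ == "__main__":
    print("PE_SAMPLE:", hive_v3_gate(PE_SAMPLE), hive_v3_hex_matches(PE_SAMPLE))
    print("BAD_PE_SAMPLE:", hive_v3_gate(BAD_PE_SAMPLE), hive_v3_hex_matches(BAD_PE_SAMPLE))
```

Both samples contain the same two `$h` fragments, so `hive_v3_hex_matches` returns 2 for each; only the header gate separates them. Translating the `[n-m]` jump into `{n,m}` is exact for a yes/no match, and the regex backtracks over the jump range just as a YARA scan tries every allowed gap.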