{"group":"mallox","count":1,"rules":[{"rule_name":"mallox.yar","rule_text":"rule ransomware_mallox {\n    meta:\n        id = \"7e2edc94-26e4-4024-8bc0-8e90d76f5a96\"\n        version = \"1.0\"\n        description = \"Rule to detect mallox ransomware samples.\"\n        author = \"Sekoia.io\"\n        creation_date = \"2023-02-20\"\n        modification_date = \"2023-05-24\"\n        classification = \"TLP:CLEAR\"\n        hash1 = \"2a549489e2455a2d84295604e29c727dd20d65f5a874209840ce187c35d9a439\"\n        hash2 = \"3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673\"\n        hash3 = \"4075d6e02c022ee45e0cd1c826abf749200639ee8ebc42375dac2430abafb5d6\"\n        hash4 = \"4db69a0643f6ec795e5450a0563605e91293f233aa60715ae09ed8effa3b7267\"\n        hash5 = \"77fdce66e7f909300e4493cbe7055254f7992ba65f9b7445a6755d0dbd9f80a5\"\n        hash6 = \"8e974a3be94b7748f7971f278160a74d738d5cab2c3088b1492cfbbd05e83e22\"\n        hash7 = \"a5085e571857ec54cf9625050dfc29a195dad4d52bea9b69d3f22e33ed636525\"\n        hash8 = \"df64e87ecb30f4cadf54f2c1b3d3cba8cc2d315db0fd4af2d11add57baa56f6a\"\n        hash9 = \"e7e00e0f817fcb305f82aec2e60045fcdb1b334b2621c09133b6b81284002009\"\n        \n    strings:\n        $s1 = \"C:\\\\HOW TO RECOVER !!.TXT\" wide ascii nocase\n        $s2 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\Application\\\\Raccine\" wide ascii nocase\n        $s3 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\vssadmin.exe\" wide ascii nocase\n        $s4 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\wmic.exe\" wide ascii nocase\n        $s5 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\wbadmin.exe\" wide ascii nocase\n        $s6 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\bcdedit.exe\" wide ascii nocase\n        $s7 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\powershell.exe\" wide ascii nocase\n        $s8 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\diskshadow.exe\" wide ascii nocase\n        $s9 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\net.exe\" wide ascii nocase\n        $s10 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\taskkill.exe\" wide ascii nocase\n        $s11 = \"bcdedit /set {current} recoveryenabled no\" wide ascii nocase\n        $mallox_fargo = \".FARGO\" wide ascii nocase\n        $mallox_mallox = \".mallox\" wide ascii nocase\n        $mallox_exploit = \"newexploit@tutanota.com\"\n        \n    condition:\n        uint16be(0) == 0x4d5a and all of ($s*) and 1 of ($mallox_*)\n}","sha256":"ea24a010eddc27b7cb8b6403ea67d70ee9195bc3584ab59c52002d246ac3d0b9","byte_size":2580,"updated_at":"2026-06-24 05:16:03"}]}