{"group":"maze","count":1,"rules":[{"rule_name":"Maze.yar","rule_text":"rule Ransom_Maze {\n   \n   meta:\n   \n      description = \"Detecting MAZE Ransomware\"\n      author = \"McAfee ATR\"\n      date = \"2020-04-19\"\n      rule_version = \"v1\"\n      malware_type = \"ransomware\"\n      malware_family = \"Ransom:W32/Maze\"\n      actor_type = \"Cybercrime\"\n      actor_group = \"Unknown\"\n      hash = \"5badaf28bde6dcf77448b919e2290f95cd8d4e709ef2d699aae21f7bae68a76c\"\n\n   strings:\n\n      $x1 = \"process call create \\\"cmd /c start %s\\\"\" fullword wide\n      $s1 = \"%spagefile.sys\" fullword wide\n      $s2 = \"%sswapfile.sys\" fullword wide\n      $s3 = \"%shiberfil.sys\" fullword wide\n      $s4 = \"\\\\wbem\\\\wmic.exe\" fullword wide\n      $s5 = \"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko\" fullword ascii\n      $s6 = \"NO MUTEX | \" fullword wide\n      $s7 = \"--nomutex\" fullword wide\n      $s8 = \".Logging enabled | Maze\" fullword wide\n      $s9 = \"DECRYPT-FILES.txt\" fullword wide\n\n      $op0 = { 85 db 0f 85 07 ff ff ff 31 c0 44 44 44 44 5e 5f }\n      $op1 = { 66 90 89 df 39 ef 89 fb 0f 85 64 ff ff ff eb 5a }\n      $op2 = { 56 e8 34 ca ff ff 83 c4 08 55 e8 0b ca ff ff 83 }\n\n   condition:\n      ( uint16(0) == 0x5a4d and\n      filesize < 500KB and\n      ( 1 of ($x*) and\n      4 of them ) and\n      all of ($op*)) or\n      ( all of them )\n}","sha256":"1552132ff15bdb3cd8e68797dc146752cb2cc0b0d17b85c3022a9e34adec663e","byte_size":1277,"updated_at":"2026-06-24 05:16:03"}]}