{"group":"nokoyawa","count":1,"rules":[{"rule_name":"nokoyawa.yar","rule_text":"rule Nokoyawa_Nemty {\n\tmeta:\n\t\tauthor = \"@Tera0017\"\n\t\tdescription = \"Nokoyawa, Nemty/Karma ransomware variant\"\n\t\tReference = \"https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/\"\n\tstrings:\n\t\t$code1 = { B8 ( 41 | 43 ) 00 00 00 [10-30] 83 F8 5A }\n\t\t$code2 = { 48 8B 4C 24 08 F0 0F C1 01 03 44 24 10 }\n\t\t$code3 = { 83 E8 20 88 [7] 48 C1 E0 05 48 03 44 24 }\n\t\t$code4 = { 48 C7 44 24 ?? 05 15 00 00 }\n\t\t$string1 = \"RGVhciB1c2VybmFtbWUsIHlvdXIgZmlsZXMgd2VyZSBlbmNyeXB0ZWQsIHNvbWUgY\"\n\t\t$string2 = \"-network\" wide fullword\n\t\t$string3 = \"-help\" wide fullword\n\t\t$winapi1 = \"PostQueuedCompletionStatus\" ascii fullword\n\t\t$winapi2 = \"GetSystemInfo\" ascii fullword\n\t\t$winapi3 = \"WNetEnumResourceW\" ascii fullword\n\t\t$winapi4 = \"GetCommandLineW\" ascii fullword\n\t\t$winapi5 = \"BCryptGenRandom\" ascii fullword\n\tcondition:\n\t\tall of ($winapi*) and 4 of ($code*, $string*)\n}","sha256":"f297199a2e3e00da704e60b7a5eb3dad628c7ce351bf2442f52338c091640ed3","byte_size":898,"updated_at":"2026-06-24 05:16:03"}]}