{"group":"qilin","count":1,"rules":[{"rule_name":"Qilin.yar","rule_text":"/*\nQilin ransomware\n*/\n\nimport \"pe\"\n\n\nrule Qilin_Loader\n{\n    meta:\n        author = \"rivitna\"\n        family = \"ransomware.qilin.windows\"\n        description = \"Qilin ransomware Windows loader\"\n        severity = 10\n        score = 100\n\n    strings:\n        $h0 = { 85 C0 75 12 E8 [4] 85 C0 0F 84 ?? 0? 00 00 A3 [4]\n                68 00 ?? ( 2? | 3? | 4? ) 00 6A 00 50 E8 [4] 85 C0\n                0F 84 ?? 0? 00 00 31 D2 BF 00 [2] FF ( BB | 8D ) [0-8]\n                ( 89 44 24 ?? C7 44 24 ?? ?0 ?? ?? 00\n                  C7 44 24 ?? 00 00 00 00 |\n                  ( 89 45 ?? C7 45 ?? ?0 ?? ?? 00 |\n                    C7 45 ?? ?0 ?? ?? 00 89 45 ?? )\n                  C7 45 ?? 00 00 00 00 )\n                EB }\n\n    condition:\n        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and\n        for any i in (0..pe.number_of_sections-1):\n        (\n            (pe.sections[i].raw_data_size >= 0x2A0000) and\n            (pe.sections[i].raw_data_size <= 0x500000) and\n            (pe.sections[i].name == \".rdata\")\n        ) and\n        (1 of ($h*))\n}\n\nrule QilinRansomwareESXi {\n\tmeta:\n\t\tdescription = \"rule to detect Qilin Ransomware\"\n\t\tauthor = \"ShadowStackRe.com\"\n\t\tdate = \"2023-12-06\"\n\t\tRule_Version = \"v1\"\n\t\tmalware_type = \"ransomware\"\n\t\tmalware_family = \"Qilin\"\n\t\tLicense = \"MIT License, https://opensource.org/license/mit/\"\n\tstrings:\n\t\t$strMotd = \"/etc/motd\"\n\t\t$strEncryptQuestion = \"Are you sure to start encryption\"\n\t\t$strConfigStart = \"--- Configuration start ---\"\n\t\t$strEsxiUsage = \"esxcli\"\n\t\t$strEncryptRenameFail = \"Failed to rename encrypted file to\"\n\t\t$strStartJob = \"Started job...\"\n\t\t$strBug = \"\\x1B[%uG 100%%\"\n\tcondition:\n\t\tall of them\n}","sha256":"323251dfe5697b3c8a1dfbeac0d9f4d9c594c33417dc303b06c1ce230b8a09f5","byte_size":1678,"updated_at":"2026-06-24 05:16:04"}]}