{"group":"raworld","count":1,"rules":[{"rule_name":"raworld.yar","rule_text":"rule ransomware_win_raworld {\n    meta:\n        id = \"a9ed9c5a-7a0e-4c2e-90f4-d52f5589b2b8\"\n        version = \"1.0\"\n        description = \"Detects files related to stage 1 of a campaign from the ransomware group RA World.\"\n        author = \"Sekoia.io\"\n        creation_date = \"2024-07-24\"\n        classification = \"TLP:CLEAR\"\n        \n    strings:\n        $s1 = \"Loder.exe\" ascii fullword\n        $s2 = \"Stage2.exe\" wide\n        $s3 = \"SYSVOL\" wide\n        $s4 = \"Finish.exe\" wide\n        $s5 = \"Exclude.exe\" wide\n        $s6 = \"Stage3.exe\" wide\n        $s7 = \"Pay.txt\" ascii fullword\n        $s8 = \"RA World\" ascii fullword\n        $s9 = \"Stage1.exe\" ascii fullword\n        \n    condition:\n        4 of them\n}","sha256":"c1a877abb3f3027498441643f6fcedd31facfb9481c530d883941b1493f466bc","byte_size":710,"updated_at":"2026-06-24 05:16:04"}]}