{"group":"snatch","count":1,"rules":[{"rule_name":"snatch.yar","rule_text":"import \"pe\"\n\nrule snatch_ransomware_x3_loader {\n\tmeta:\n\t\tdescription = \"snatch-ransomware - file x3.exe\"\n\t\tauthor = \"DFIR Report\"\n\t\treference = \"https://thedfirreport.com/\"\n\t\tdate = \"2020-06-17\"\n\t\thash1 = \"b9e4299239880961a88875e1265db0ec62a8c4ad6baf7a5de6f02ff4c31fcdb1\"\n\tstrings:\n\t\t$s1 = \"jd4ob7162ns.dll\" wide fullword\n\t\t$s2 = \"kb05987631s.dll\" wide fullword\n\t\t$s3 = \"fw0a53482aa.dll\" wide fullword\n\t\t$s4 = \"C:\\\\Builds\\\\TP\\\\rtl\\\\common\\\\TypInfo.pas\" wide fullword\n\t\t$s5 = \"C:\\\\Builds\\\\TP\\\\rtl\\\\sys\\\\SysUtils.pas\" wide fullword\n\t\t$s6 = \"C:\\\\Builds\\\\TP\\\\rtl\\\\common\\\\Classes.pas\" wide fullword\n\t\t$s7 = \"/K schtasks /Create /RU SYSTEM /SC DAILY /ST 00:00 /TN \\\"Regular Idle Maintenance\\\" /TR \\\"\" wide fullword\n\t\t$s8 = \"/K schtasks /Create /RU SYSTEM /SC ONSTART /TN \\\"Regular Idle Maintenances\\\" /TR \\\"\" wide fullword\n\t\t$s9 = \"RootP0C\" ascii fullword\n\t\t$s10 = \"Component already destroyed: \" wide fullword\n\t\t$s11 = \"Stream write error The specified file was not found2Length of Strings and Objects arrays must be equal#''%s'' is not a valid int\" wide\n\t\t$s12 = \"PPackageTypeInfo$\\\"@\" ascii fullword\n\t\t$s13 = \"PositionP0C\" ascii fullword\n\t\t$s14 = \"DesignInfoP0C\" ascii fullword\n\t\t$s15 = \"OwnerP0C\" ascii fullword\n\t\t$s16 = \"3\\\"4\\\\4~4\" ascii fullword\n\t\t$s17 = \"TComponentClassP0C\" ascii fullword\n\t\t$s18 = \":$:2:6:L:\\\\:l:t:x:|:\" ascii fullword\n\t\t$s19 = \":P:T:X:\\\\:t:\" ascii fullword\n\t\t$s20 = \":,:<:@:L:T:X:\\\\:`:d:h:l:p:t:x:|:\" ascii fullword\n\tcondition:\n\t\tuint16(0) == 0x5a4d and filesize < 900KB and (pe.imphash() == \"d6136298ea7484a715d40720221233be\" or 8 of them)\n}\n\n\nrule snatch_ransomware_safe_go_ransomware {\n\tmeta:\n\t\tdescription = \"snatch-ransomware - file safe.exe\"\n\t\tauthor = \"DFIR Report\"\n\t\treference = \"https://thedfirreport.com/\"\n\t\tdate = \"2020-06-17\"\n\t\thash1 = \"3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6\"\n\tstrings:\n\t\t$s1 = \"dumpcb\" ascii fullword\n\t\t$s2 = \"dfmaftpgc\" ascii fullword\n\t\t$s3 = \"ngtrunw\" ascii fullword\n\t\t$s4 = \"_dumpV\" ascii fullword\n\t\t$s5 = \".dll3u^\" ascii fullword\n\t\t$s6 = \"D0s[Host#\\\"0\" ascii fullword\n\t\t$s7 = \"CPUIRC32D,OPg\" ascii fullword\n\t\t$s8 = \"WSAGetOv\" ascii fullword\n\t\t$s9 = \"Head9iuA\" ascii fullword\n\t\t$s10 = \"SpyL]ZIo\" ascii fullword\n\t\t$s11 = \"cmpbody\" ascii fullword\n\t\t$s12 = \"necwnamep\" ascii fullword\n\t\t$s13 = \"ZonK+ pW\" ascii fullword\n\t\t$s14 = \"printabl\" ascii fullword\n\t\t$s15 = \"atomicn\" ascii fullword\n\t\t$s16 = \"powrprof\" ascii fullword\n\t\t$s17 = \"recdvoc\" ascii fullword\n\t\t$s18 = \"nopqrsx\" ascii fullword\n\t\t$s19 = \"ghijklm\" ascii fullword\n\t\t$s20 = \"spdelta\" ascii fullword\n\tcondition:\n\t\tuint16(0) == 0x5a4d and filesize < 8000KB and (pe.imphash() == \"6ed4f5f04d62b18d96b26d6db7c18840\" or 8 of them)\n}","sha256":"f29bf72792d170b764f972601fadc7cb67aebe25e833969e0ff98c6394a76b27","byte_size":2663,"updated_at":"2026-06-24 05:16:05"}]}