{"group":"suncrypt","count":1,"rules":[{"rule_name":"SunCrypt.yar","rule_text":"/*\nSunCrypt ransomware\n*/\n\n\nrule SunCrypt\n{\n    meta:\n        author = \"rivitna\"\n        family = \"ransomware.suncrypt.windows\"\n        description = \"SunCrypt ransomware Windows payload\"\n        severity = 10\n        score = 100\n\n    strings:\n        $h0 = { B0 00 02 00 C7 00 A3 00 00 00 [8-16] 83 C? 20 }\n        $h1 = { C7 00 A3 00 00 00 [8-16]\n                ( 81 C7 B0 00 02 00 83 C? 20 | 83 C? 20 81 C7 B0 00 02 00) }\n\n        $s1 = \"-noshares\\x00\" wide\n        $s2 = \"\\x00-nomutex\\x00\" wide\n        $s3 = \"\\x00-noreport\\x00\" wide\n        $s4 = \"\\x00-noservices\\x00\" wide\n        $s5 = \"\\x00-justcrypt\\x00\" wide\n        $s6 = \"\\x00-keep_exe\\x00\" wide\n        $s7 = \"\\x00$Recycle.bin\\x00\" wide\n        $s8 = \"%s\\\\efi\\\\microsoft\\\\boot\\\\bootmgr.efi\\x00\" wide\n        $s9 = \"YOUR_FILES_ARE_ENCRYPTED.HTML\\x00\" wide\n        $s10 = \"\\x0D... %d ...\\x00\" ascii\n\n        $a1 = \"<a href=\\\"http://\" ascii xor(0x11-0x22)\n        $a2 = \".onion/chat.html?\" ascii xor(0x11-0x22)\n        $a3 = \"<h2>Why pay us?</h2>\" ascii xor(0x11-0x22)\n        $a4 = \"background-color: #1a1a1a;\" ascii xor(0x11-0x22)\n        $a5 = \"rem !important;\" ascii xor(0x11-0x22)\n        $a6 = \"TOR browser\" ascii xor(0x11-0x22)\n        $a7 = \"torproject.org\" ascii xor(0x11-0x22)\n\n    condition:\n        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and\n        (\n            (1 of ($h*)) or\n            (5 of ($s*)) or\n            (4 of ($a*))\n        )\n}","sha256":"3532dfb5d67dfdd80b523cc0866c8a90e8242edd6e69d1df7a3419168c2bc269","byte_size":1443,"updated_at":"2026-06-24 05:16:05"}]}