{"group":"trinity","count":1,"rules":[{"rule_name":"Trinity.yar","rule_text":"/*\nTrinity ransomware\n*/\n\n\nrule Trinity\n{\n    meta:\n        author = \"rivitna\"\n        family = \"ransomware.trinity.windows\"\n        description = \"Trinity ransomware Windows payload\"\n        severity = 10\n        score = 100\n\n    strings:\n        $s0 = \"\\x00pbsecGOOD\\x00\" ascii\n        $s1 = \"\\x00secpbGOOD\\x00\" ascii\n        $s2 = \"12210111111610599117115\" ascii\n        $s3 = \"\\x00OnlyCr :\\x00\" ascii\n        $s4 = \"\\x00FullCr :\\x00\" ascii\n        $s5 = \"\\x00enableOnlyTest \\x00\" ascii\n        $s6 = \"\\x00EnableAutoStart \\x00\" ascii\n        $s7 = \"\\x00enableSelfDelete \\x00\" ascii\n        $s8 = \"\\x00enableStartOnRun \\x00\" ascii\n        $s9 = \"\\x00enableWallaper \\x00\" ascii\n        $s10 = \"\\x00enableNetwork \\x00\" ascii\n        $s11 = \"\\x00enableCustomCMD1 \\x00\" ascii\n        $s12 = \"\\x00enableFullEncrExt \\x00\" ascii\n        $s13 = \"\\x00enableCryptOnlyExtension \\x00\" ascii\n        $s14 = \"\\x00enableCryptOnlyExtension \\x00\" ascii\n        $s15 = \"\\x00%s%x%x%x%x.goodgame\\x00\" wide\n\n        $h0 = { B? 01 00 00 00 33 ?? 0F B6 [10] C1 E? 08 83 F? 18 72 EC }\n        $h1 = { 00 6A 00 68 63 04 00 00 FF 35 [4] FF }\n\n    condition:\n        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and\n        (\n            ((1 of ($h*)) and (4 of ($s*))) or\n            (10 of them)\n        )\n}","sha256":"1fad14764c74c147d63457b608696bf33f1abad5d67643aca49bce79e25d8c39","byte_size":1304,"updated_at":"2026-06-24 05:16:06"}]}