d-eyes/yaraRules/Ransom.Sarbloh.yar

rule Ransom_Sarbloh
{
    meta:
        description= "Detect the risk of Ransomware Sarbloh Rule 1"
    strings:
        $note_path = {25005500530045005200500052004F00460049004C00450025000000250073005C004400650073006B0074006F0070005C0052004500410044004D0045005F0053004100520042004C004F0048002E007400780074}
        $key_end = {410067004D0042004100410045003D002D002D002D002D002D0045004E00440020005000550042004C004900430020004B00450059002D002D002D002D002D00}
        $key_start = {4B00450059002D002D002D002D002D004D004900490042004900540041004E00420067006B007100}
        $note = {59004F00550052002000460049004C00450053002000410052004500200047004F004E0045002100210021}
    condition:
        uint16(0) == 0x5a4d and any of them
}