YARA rules for Wiper
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
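// The condition calls pe.imphash(), which only resolves when the "pe" module is
// imported; the listing dropped the import, so it is restored here (a repeated
// import of an already-loaded module is accepted by the compiler).
import "pe"
rule MAL_WIPER_IsaacWiper_Mar22_1 {
meta:
description = "Detects IsaacWiper malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/"
date = "2022-03-03"
score = 85
hash1 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
hash2 = "7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0"
id = "97d8d8dd-db65-5156-8f97-56c620cf2d56"
strings:
// plaintext artefacts: log file path, component name and two progress/status messages
$s1 = "C:\\ProgramData\\log.txt" wide fullword
$s2 = "Cleaner.dll" ascii fullword
$s3 = "-- system logical drive: " wide fullword
$s4 = "-- FAILED" wide fullword
// opcode sequences (no wildcards, so they are tied to this particular build)
$op1 = { 8b f1 80 3d b0 66 03 10 00 0f 85 96 00 00 00 33 c0 40 b9 a8 66 03 10 87 01 33 db }
$op2 = { 8b 40 04 2b c2 c1 f8 02 3b c8 74 34 68 a2 c8 01 10 2b c1 6a 04 }
$op3 = { 8d 4d f4 ff 75 08 e8 12 ff ff ff 68 88 39 03 10 8d 45 f4 50 e8 2d 1d 00 00 cc }
condition:
// "MZ" header and size cap, then either the known import hash or
// any three of the strings/opcode patterns above
uint16(0) == 0x5a4d and
filesize < 700KB and
(
pe.imphash() == "a4b162717c197e11b76a4d9bc58ea25d" or
3 of them
)
}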
rule MAL_LNX_BiBi_Linux_Wiper {
// Linux variant of the BiBi wiper. String-only rule: there is no file-type or
// size gate, so it is not restricted to ELF files (memory or carved data matches too).
meta:
author ="Felipe Duarte, Security Joes"
description ="Detects BiBi-Linux Wiper"
hash ="23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad"
reference = "https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group"
strings:
// console/progress output strings
$str1 = "[+] Stats: "
// ".BiBi" with every character padded to 4 bytes (UTF-32LE-like layout)
$str2 = { 2e 00 00 00 42 00 00 00 69 00 00 00 42 00 00 00 69 00 }
$str3 = "[!] Waiting For Queue "
$str4 = "[+] Round "
$str5 = "[+] Path: "
$str6 = "[+] CPU cores: "
$str7 = "Threads: "
condition:
// all seven strings must be present
all of them
}
rule MAL_WIPER_BiBi_Oct23 {
// Cross-platform BiBi rule: accepts PE or ELF carriers (see condition).
meta:
description = "Detects BiBi wiper samples for Windows and Linux"
author = "Florian Roth"
reference = "https://x.com/ESETresearch/status/1719437301900595444?s=20"
date = "2023-11-01"
hash1 = "23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad"
hash2 = "40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17"
id = "e1ea8016-e074-5208-8c98-54922bbcc407"
strings:
// runtime/console strings shared by both builds
$s1 = "send attempt while closed" ascii fullword
$s2 = "[+] CPU cores: %d, Threads: %d" ascii fullword
$s3 = "[+] Stats: %d | %d" ascii fullword
// opcode sequences; $opw*/$opl* presumably the Windows and Linux code respectively (by name) - TODO confirm
$opw1 = { 33 c0 88 45 48 b8 01 00 00 00 86 45 48 45 8b f5 48 8d 3d de f5 ff ff 0f 57 c9 f3 0f 7f 4d b8 }
$opw2 = { 2d ce b5 00 00 c5 fa e6 f5 e9 40 fe ff ff 0f 1f 44 00 00 75 2e c5 fb 10 0d 26 b4 00 00 44 8b 05 5f b6 00 00 e8 ca 0d 00 00 }
$opl1 = { 4c 8d 44 24 08 48 89 f7 48 ff c2 48 83 c6 04 e8 c7 fb ff ff 41 89 c1 0f b6 42 ff 41 0f af c1 }
$opl2 = { e8 6f fb ff ff 49 8d 78 f8 89 c0 48 01 c2 48 89 15 09 fb 24 00 e8 5a fb ff ff 49 8d 78 fc 6b f0 06 }
condition:
// 0x5a4d = "MZ" (PE), 0x457f = "\x7fE" (start of the ELF magic)
( uint16(0) == 0x5a4d or uint16(0) == 0x457f )
and filesize < 4000KB
and 2 of them
}
rule MAL_WIPER_Unknown_Jun25 {
meta:
description = "Detects unknown disk wiper first spotted in June 2025 and uploaded from Israel"
author = "Florian Roth"
reference = "https://x.com/cyb3rops/status/1935707307805134975"
date = "2025-06-19"
score = 75
hash1 = "12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721"
strings:
// high-confidence marker: project/build path fragment left in the binary
$x1 = "\\CWipeNew\\Release\\" ascii fullword
// supporting markers: error and progress messages
$s1 = "Failed to get disk geometry: " wide fullword
$s2 = "--- Working on " wide fullword
condition:
// "MZ" header, small size, then either the $x marker alone or both $s strings
uint16(0) == 0x5a4d
and filesize < 200KB
and (
1 of ($x*)
or all of ($s*)
)
}
rule SUSP_LNX_SH_Disk_Wiper_Script_Jun25 {
// Targets a small shell script rather than a compiled binary.
meta:
description = "Detects unknown disk wiper script for Linux systems"
author = "Florian Roth"
reference = "Internal Research"
date = "2025-06-19"
score = 65
hash1 = "f662f69fc7f4240cd8c00661db9484e76b5d02f903590140b4086fefcf9d9331"
strings:
// banner/warning text and a help string from the script
$s1 = "THIS SCRIPT IS LIVE AND ARMED!" ascii fullword
$s2 = "FAIR WARNING!" ascii fullword
$s3 = "lists devices" ascii fullword
condition:
// 0x2123 = "#!" (shebang), capped at 2KB, all three strings required
uint16(0) == 0x2123
and filesize < 2KB
and all of them
}
rule SUSP_PY_PYInstaller_Swiper_Jun25 {
meta:
description = "Detects suspicious Python based executable with similarities to a known disk wiper"
author = "Florian Roth"
reference = "https://x.com/cyb3rops/status/1935707307805134975"
date = "2025-06-19"
score = 65
hash1 = "4f669ecbe12e95d51f37be76933de4c2626d20bb01729086ce2efc603c4ffdf3"
strings:
// $a* are generic loader/runtime strings (presumably common to PyInstaller-built
// executables, hence the SUSP prefix and moderate score); $sc1 is the specific name
$a1 = "bzlib1.dll" ascii fullword
$a2 = "VCRUNTIME140_1.dll" wide fullword
$a3 = "%s%c%s.exe" ascii fullword
$sc1 = { 73 77 69 70 65 72 00 00 00 } // "swiper\0\0\0"
condition:
// "MZ" header; the 40000KB cap accommodates bundled Python runtimes
uint16(0) == 0x5a4d
and filesize < 40000KB
and all of them
}
rule APT_MAL_IR_DruidFly_Wiper_Jun25 {
meta:
description = "Detects Wiper used by the Iranian DruidFly group"
author = "Florian Roth"
reference = "https://x.com/threatintel/status/1936049254432231444"
date = "2025-06-21"
score = 80
hash1 = "81eb22828306f3197b35fef2035cef2c548f587f8511902852964850023389d7"
strings:
// null-separated list of targeted file extensions
$xc1 = { 2E 62 61 63 6B 75 70 00 2E 63 6F 6E 66 69 67 00 // .backup .config
2E 64 62 00 00 00 00 00 2E 73 71 6C 69 74 65 00 } // .db .sqlite
// raw volume path format strings and the NTFS marker
$xc2 = { 00 5C 5C 2E 5C 25 63 3A 00 25 63 3A 5C 00 00 00
00 4E 54 46 53 00 00 00 00 5C } // \\.\%c: %c:\0\0\0 NTFS\0\0\0\
// log format string with file:line:function prefix
$x1 = "%s:%d:%s(): [+] Overwriting \"%s\" \"..." ascii
// driver path and device name referenced by the sample
$s1 = "C:\\Windows\\System32\\drivers\\beep.sys" ascii fullword
$s2 = "\\DosDevices\\sectorio" wide fullword
condition:
// "and" binds tighter than "or": either a gated PE match (MZ header, <2000KB,
// one $x marker or any two strings) or three strings regardless of header/size
uint16(0) == 0x5a4d
and filesize < 2000KB
and (
1 of ($x*)
or 2 of them
)
or 3 of them
}
rule MAL_WIPER_CaddyWiper_Mar22_1 {
// Opcode-only rule; no plaintext strings are used.
meta:
description = "Detects CaddyWiper malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"
date = "2022-03-15"
score = 85
hash1 = "1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176"
hash2 = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
hash3 = "ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72"
hash4 = "f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902"
id = "83495a0d-a295-5ec7-9761-ce79918e1034"
strings:
// exact opcode sequences (no wildcards) from the referenced samples
$op1 = { ff 55 94 8b 45 fc 50 ff 55 f8 8a 4d ba 88 4d ba 8a 55 ba 80 ea 01 }
$op2 = { 89 45 f4 83 7d f4 00 74 04 eb 47 eb 45 6a 00 8d 95 1c ff ff ff 52 }
$op3 = { 6a 20 6a 02 8d 4d b0 51 ff 95 68 ff ff ff 85 c0 75 0a e9 4e 02 00 00 }
$op4 = { e9 67 01 00 00 83 7d f4 05 74 0a e9 5c 01 00 00 e9 57 01 00 00 8d 45 98 50 6a 20 }
condition:
// "and" binds tighter than "or": (MZ header and <50KB and 3 patterns) or all 4 patterns
// regardless of header/size
uint16(0) == 0x5a4d and
filesize < 50KB and 3 of them or all of them
}
rule HiddenCobra_r4_wiper_1 {
meta:
author = "NCCIC Partner"
date = "2017-12-12"
description = "Detects HiddenCobra Wiper"
reference = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
id = "4978c190-7b66-5cea-96df-809f85620986"
strings:
// 16-bit boot-sector code: 33 C0 8E D0 BC 00 7C = xor ax,ax / mov ss,ax / mov sp,7C00h,
// then repeated B4 43 B0 00 CD 13 = mov ah,43h / mov al,0 / int 13h (INT 13h extended write);
// the single ?? wildcards one byte of the compared sector count
$mbr_code = { 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 5D 7C 33 C9 41 81 F9 00 ?? 74 24 B4 43 B0 00 CD 13 FE C2 80 FA 84 7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 83 55 06 00 EB D5 BE 4D 7C B4 43 B0 00 CD 13 33 C9 BE 5D 7C EB C5 }
// service-control routine: 68 3F 00 0F 00 pushes 0F003Fh (SC_MANAGER_ALL_ACCESS);
// FF 15 ?? ?? ?? ?? are indirect API calls with the import address wildcarded
$controlServiceFoundlnBoth = { 83 EC 1C 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 44 8B 44 24 24 53 56 6A 24 50 57 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F0 85 F6 74 1C 8D 4C 24 0C 51 6A 01 56 FF 15 ?? ?? ?? ?? 68 E8 03 00 00 FF 15 ?? ?? ?? ?? 56 FF D3 57 FF D3 5E 5B 33 C0 5F 83 C4 1C C3 33 C0 5F 83 C4 1C C3 }
condition:
// "MZ" header and "PE" signature at e_lfanew (offset 0x3c); either pattern suffices
uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and any of them
}
rule HiddenCobra_r4_wiper_2 {
meta:
author = "NCCIC Partner"
date = "2017-12-12"
description = "Detects HiddenCobra Wiper"
reference = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
id = "75acc3cb-90dd-58e8-b094-ed3f28650b1b"
strings:
// raw physical drive device path ("\\.\PhysicalDrive", UTF-16)
$PhysicalDriveSTR = "\\\\.\\PhysicalDrive" wide
// BIOS Extended Write: B4 43 B0 00 CD 13 = mov ah,43h / mov al,0 / int 13h.
// Six bytes alone would be noisy, so the condition requires both strings.
$ExtendedWrite = { B4 43 B0 00 CD 13 }
condition:
// "MZ" header and "PE" signature at e_lfanew (offset 0x3c); both strings required
uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and all of them
}
rule APT_HKTL_Wiper_WhisperGate_Jan22_1 {
meta:
description = "Detects unknown wiper malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
date = "2022-01-16"
score = 85
hash1 = "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92"
id = "f04b619e-1df2-5c51-9cab-4a0fffd1c042"
strings:
/* AAAAA\x00Your hard drive has been corrupted. */
// high-confidence marker: the message shown to the victim, as raw ASCII bytes
$xc1 = { 41 41 41 41 41 00 59 6F 75 72 20 68 61 72 64 20
64 72 69 76 65 20 68 61 73 20 62 65 65 6E 20 63
6F 72 72 75 70 74 65 64 }
// exact opcode sequences from the referenced sample
$op1 = { 89 34 24 e8 3f ff ff ff 50 8d 65 f4 31 c0 59 5e 5f }
$op2 = { 8d bd e8 df ff ff e8 04 de ff ff b9 00 08 00 00 f3 a5 c7 44 24 18 00 00 00 00 c7 44 24 14 00 00 00 00 c7 44 24 10 03 00 00 00 c7 44 24 0c 00 00 00 00 }
$op3 = { c7 44 24 0c 00 00 00 00 c7 44 24 08 00 02 00 00 89 44 24 04 e8 aa fe ff ff 83 ec 14 89 34 24 e8 3f ff ff ff 50 }
condition:
// "and" binds tighter than "or": (MZ header and <100KB and ($x marker or 2 patterns))
// or all four patterns regardless of header/size
uint16(0) == 0x5a4d and
filesize < 100KB and ( 1 of ($x*) or 2 of them ) or all of them
}
rule APT_HKTL_Wiper_WhisperGate_Jan22_2 {
meta:
description = "Detects unknown wiper malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
date = "2022-01-16"
score = 90
hash1 = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
id = "822e5af5-9c51-5be3-94f1-7e0a714743e6"
strings:
/* powershell -enc UwB0AGEAcgB0AC */
// UTF-16LE; note the 00 27 (U+2700) between "powershell" and "-enc" - part of the
// pattern as written, presumably a non-ASCII character in the sample; confirm before editing
$sc1 = { 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00
6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00
55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00
63 00 67 00 42 00 30 00 41 00 43 }
/* Ylfwdwgmpilzyaph */
// UTF-16LE token
$sc2 = { 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00
70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68 }
// reads "ownloadData" once the x's are dropped - presumably an obfuscated method name; TODO confirm
$s1 = "xownxloxadDxatxxax" wide
$s2 = "0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==" wide /* Decoded with base64, UTF-16-LE: Sleep -s 10 */
// download location prefix and a file name used by the sample
$s3 = "https://cdn.discordapp.com/attachments/" wide
$s4 = "fffxfff.fff" ascii fullword
// opcode sequences
$op1 = { 20 6b 85 b9 03 20 14 19 91 52 61 65 20 e1 ae f1 }
$op2 = { aa ae 74 20 d9 7c 71 04 59 20 71 cc 13 91 61 20 97 3c 2a c0 }
$op3 = { 38 9c f3 ff ff 20 f2 96 4d e9 20 5d ae d9 ce 58 20 4f 45 27 }
$op4 = { d4 67 d4 61 80 1c 00 00 04 38 35 02 00 00 20 27 c0 db 56 65 20 3d eb 24 de 61 }
condition:
// "and" binds tighter than "or": (MZ header and <1000KB and 5 strings) or 7 strings
// regardless of header/size
uint16(0) == 0x5a4d and
filesize < 1000KB and 5 of them
or 7 of them
}
rule APT_HKTL_Wiper_WhisperGate_Stage3_Jan22 {
// The stage3 payload is stored byte-reversed, so every marker below is the
// reversed form of the original text and the "MZ" check is done at the end of the file.
meta:
description = "Detects reversed stage3 related to Ukrainian wiper malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/juanandres_gs/status/1482827018404257792"
date = "2022-01-16"
hash1 = "9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d"
id = "d5d562cd-03ef-5450-8044-3f538cea32d0"
strings:
// "e1cp\0" "1yrarbiLssalC\0" "niaM" = reversed "pc1e", "ClassLibrary1", "Main"
$xc1 = { 65 31 63 70 00 31 79 72 61 72 62 69 4c 73 73 61 6c 43 00 6e 69 61 4d }
// reversed ".dll" (UTF-16)
$s1 = "lld." wide
condition:
// last two bytes are 5A 4D ("ZM"), i.e. the reversed MZ header
uint16(filesize-2) == 0x4d5a and
filesize < 5000KB and all of them
}
rule APT_CryWiper_Dec22 {
// String-only rule: no header or size gate, so it applies to any file type.
meta:
description = "Detects CryWiper malware samples"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist-ru.translate.goog/novyj-troyanec-crywiper/106114/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en"
date = "2022-12-05"
score = 75
id = "d56ccf4e-30ba-5308-ad68-ffc2ae5a1718"
strings:
// high-confidence marker: registry path masquerading as a Sysinternals key
$x1 = "Software\\Sysinternals\\BrowserUpdate"
// command line terminating Exchange processes
$sx1 = "taskkill.exe /f /im MSExchange*"
// Terminal Server registry key and the value that controls RDP access
$s1 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server" ascii
$s2 = "fDenyTSConnections" ascii
condition:
// NOTE(review): the $s* wildcard also matches $sx1, so "all of ($s*)" requires
// $sx1, $s1 and $s2 together - confirm this is the intended grouping
1 of ($x*) or all of ($s*)
}
rule MAL_Ransomware_GermanWiper {
meta:
description = "Detects RansomWare GermanWiper in Memory or in unpacked state"
author = "Frank Boldewin (@r3c0nst), modified by Florian Roth"
reference = "https://twitter.com/r3c0nst/status/1158326526766657538"
date = "2019-08-05"
hash_packed = "41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c"
hash_unpacked = "708967cad421bb2396017bdd10a42e6799da27e29264f4b5fb095c0e3503e447"
id = "e7587691-f69a-53e7-bab2-875179fbfa19"
strings:
// high-confidence markers: mutex names
$x_Mutex1 = "HSDFSD-HFSD-3241-91E7-ASDGSDGHH" ascii
$x_Mutex2 = "cFgxTERNWEVhM2V" ascii
// code patterns for process kills; e8 ?? ?? ?? ?? wildcards the relative call targets
$PurgeCode = { 6a 00 8b 47 08 50 6a 00 6a 01 e8 ?? ?? ?? ??
50 e8 ?? ?? ?? ?? 8b f0 8b d7 8b c3 e8 }
// process names terminated, shadow-copy deletion command, contacted domains, ransom note
$ProcessKill1 = "sqbcoreservice.exe" ascii
$ProcessKill2 = "isqlplussvc.exe" ascii
$KillShadowCopies = "vssadmin.exe delete shadows" ascii
$Domain1 = "cdnjs.cloudflare.com" ascii
$Domain2 = "expandingdelegation.top" ascii
$RansomNote = "Entschluesselungs_Anleitung.html" ascii
condition:
// "MZ" header and <1000KB, then either one mutex name or any three strings
uint16(0) == 0x5A4D and filesize < 1000KB and
( 1 of ($x*) or 3 of them )
}
rule Shamoon2_Wiper {
meta:
description = "Detects Shamoon 2.0 Wiper Component"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/jKIfGB"
date = "2016-12-01"
score = 70
hash1 = "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a"
hash2 = "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd"
id = "6660a64c-daa4-59e6-aa65-55194cac600c"
strings:
// NT-namespace path format for an executable under System32
$a1 = "\\??\\%s\\System32\\%s.exe" fullword wide
// high-confidence marker: long fixed uppercase token
$x1 = "IWHBWWHVCIDBRAFUASIIWURRTWRTIBIVJDGWTRRREFDEAEBIAEBJGGCSVUHGVJUHADIEWAFGWADRUWDTJBHTSITDVVBCIDCWHRHVTDVCDESTHWSUAEHGTWTJWFIRTBRB" wide
$s1 = "UFWYNYNTS" fullword wide
// device path of the ElRawDisk raw-disk driver
$s2 = "\\\\?\\ElRawDisk" fullword wide
condition:
// gated PE match (MZ header, <1000KB, 2 strings) or 3 strings regardless of header/size
( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them ) or ( 3 of them )
}
rule APT_UA_Hermetic_Wiper_Feb22_1 {
meta:
description = "Detects Hermetic Wiper malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/"
date = "2022-02-24"
score = 75
hash1 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
hash2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
hash3 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
hash4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
id = "2cbe4a69-e31a-5f5f-ab1a-9d71d16fb30f"
strings:
// UTF-16LE string table: "\\.\PhysicalDrive%u", "\\.\EPMNTDRV\%u", "\\.\",
// "%s%.2s", "$Bitmap", "$LogFile" (the last two are NTFS metafile names)
$xc1 = { 00 5C 00 5C 00 2E 00 5C 00 50 00 68 00 79 00 73
00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76
00 65 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
00 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56
00 5C 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
00 00 00 00 00 25 00 73 00 25 00 2E 00 32 00 73
00 00 00 00 00 24 00 42 00 69 00 74 00 6D 00 61
00 70 00 00 00 24 00 4C 00 6F 00 67 00 46 00 69
00 6C 00 65 }
// UTF-16LE: "Drivers", "drv", "System32"
$sc1 = { 00 44 00 72 00 69 00 76 00 65 00 72 00 73 00 00
00 64 00 72 00 76 00 00 00 53 00 79 00 73 00 74
00 65 00 6D 00 33 00 32 }
// event log directory, driver device path, resource name and a format string
$s1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
$s2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
$s3 = "DRV_XP_X64" wide fullword
$s4 = "%ws%.2ws" wide fullword
// opcode sequences
$op1 = { 8b 7e 08 0f 57 c0 8b 46 0c 83 ef 01 66 0f 13 44 24 20 83 d8 00 89 44 24 18 0f 88 3b 01 00 00 }
$op2 = { 13 fa 8b 55 f4 4e 3b f3 7f e6 8a 45 0f 01 4d f0 0f 57 c0 }
condition:
// 0x5a4d = "MZ"; 0x5a53 = "SZ" - presumably the header of MS-compressed (SZDD)
// files, so the embedded compressed driver resources also match; TODO confirm
( uint16(0) == 0x5a53 or uint16(0) == 0x5a4d ) and
filesize < 400KB and ( 1 of ($x*) or 3 of them )
}
rule APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1 {
// Matches the scheduled-task XML, not the wiper binary; no header or size gate.
meta:
description = "Detects scheduled task pattern found in Hermetic Wiper malware related intrusions"
author = "Florian Roth (Nextron Systems)"
reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia"
date = "2022-02-25"
score = 85
id = "a628f773-9c71-5979-a4db-37b6b6bd6a56"
strings:
// anchor: start of a Task Scheduler XML document (ascii or UTF-16)
$a0 = "<Task version=" ascii wide
// task body fragments: staging path, redirected output to the loopback admin share, move command
$sa1 = "CSIDL_SYSTEM_DRIVE\\temp" ascii wide
$sa2 = "postgresql.exe 1> \\\\127.0.0.1\\ADMIN$" ascii wide
$sa3 = "cmd.exe /Q /c move CSIDL_SYSTEM_DRIVE" ascii wide
condition:
// the XML anchor plus any one $sa* fragment ($s* wildcard covers $sa1-$sa3)
$a0 and 1 of ($s*)
}