YARA rules for WhisperGate
3 rules · scoped to tool · back to WhisperGate
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule APT_HKTL_Wiper_WhisperGate_Jan22_1 {
meta:
description = "Detects unknown wiper malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
date = "2022-01-16"
score = 85
hash1 = "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92"
id = "f04b619e-1df2-5c51-9cab-4a0fffd1c042"
strings:
/* AAAAA\x00Your hard drive has been corrupted. */
$xc1 = { 41 41 41 41 41 00 59 6F 75 72 20 68 61 72 64 20
64 72 69 76 65 20 68 61 73 20 62 65 65 6E 20 63
6F 72 72 75 70 74 65 64 }
$op1 = { 89 34 24 e8 3f ff ff ff 50 8d 65 f4 31 c0 59 5e 5f }
$op2 = { 8d bd e8 df ff ff e8 04 de ff ff b9 00 08 00 00 f3 a5 c7 44 24 18 00 00 00 00 c7 44 24 14 00 00 00 00 c7 44 24 10 03 00 00 00 c7 44 24 0c 00 00 00 00 }
$op3 = { c7 44 24 0c 00 00 00 00 c7 44 24 08 00 02 00 00 89 44 24 04 e8 aa fe ff ff 83 ec 14 89 34 24 e8 3f ff ff ff 50 }
condition:
uint16(0) == 0x5a4d and
filesize < 100KB and ( 1 of ($x*) or 2 of them ) or all of them
}
rule APT_HKTL_Wiper_WhisperGate_Jan22_2 {
meta:
description = "Detects unknown wiper malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
date = "2022-01-16"
score = 90
hash1 = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
id = "822e5af5-9c51-5be3-94f1-7e0a714743e6"
strings:
/* powershell -enc UwB0AGEAcgB0AC */
$sc1 = { 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00
6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00
55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00
63 00 67 00 42 00 30 00 41 00 43 }
/* Ylfwdwgmpilzyaph */
$sc2 = { 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00
70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68 }
$s1 = "xownxloxadDxatxxax" wide
$s2 = "0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==" wide /* Decoded with base64, UTF-16-LE: Sleep -s 10 */
$s3 = "https://cdn.discordapp.com/attachments/" wide
$s4 = "fffxfff.fff" ascii fullword
$op1 = { 20 6b 85 b9 03 20 14 19 91 52 61 65 20 e1 ae f1 }
$op2 = { aa ae 74 20 d9 7c 71 04 59 20 71 cc 13 91 61 20 97 3c 2a c0 }
$op3 = { 38 9c f3 ff ff 20 f2 96 4d e9 20 5d ae d9 ce 58 20 4f 45 27 }
$op4 = { d4 67 d4 61 80 1c 00 00 04 38 35 02 00 00 20 27 c0 db 56 65 20 3d eb 24 de 61 }
condition:
uint16(0) == 0x5a4d and
filesize < 1000KB and 5 of them
or 7 of them
}
rule APT_HKTL_Wiper_WhisperGate_Stage3_Jan22 {
meta:
description = "Detects reversed stage3 related to Ukrainian wiper malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/juanandres_gs/status/1482827018404257792"
date = "2022-01-16"
hash1 = "9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d"
id = "d5d562cd-03ef-5450-8044-3f538cea32d0"
strings:
$xc1 = { 65 31 63 70 00 31 79 72 61 72 62 69 4c 73 73 61 6c 43 00 6e 69 61 4d }
$s1 = "lld." wide
condition:
uint16(filesize-2) == 0x4d5a and
filesize < 5000KB and all of them
}