id: zrypt-malware

info:
  name: Zcrypt Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara
  tags: malware,file,zrypt

file:
  - extensions:
      - all

    # A file is flagged when either matcher below matches.
    matchers-condition: or
    matchers:
      # Ransom-note strings and the PDB name: any single string is enough.
      - type: word
        part: raw
        words:
          - "How to Buy Bitcoins"
          - "ALL YOUR PERSONAL FILES ARE ENCRYPTED"
          - "Click Here to Show Bitcoin Address"
          - "MyEncrypter2.pdb"
        condition: or

      # File extension strings plus the ransom-note file name: all must be present.
      - type: word
        part: raw
        words:
          - ".p7b"
          - ".p7c"
          - ".pdd"
          - ".pef"
          - ".pem"
          - "How to decrypt files.html"
        condition: and
# digest: 4a0a00473045022100a6f3fad087e3da19a0f05c3768c874c05a0d6e60a130b1b00d0449a211170b4802202b5ef15e1e48f83938b76770e4a682a2e4fe1a2cfb4bbc8cdcac7c8911fc0b8c:922c64590222798bb761d5b6d8e72950