100 Days of YARA – Day 25: Hive Ransomware Obfuscated Strings

Hive Ransomware is written in golang and appears to use a string obfuscation library.

This rule detected the samples I obtained from VX-Underground: https://samples.vx-underground.org/samples/Families/HiveRansomware/Paper/

rule hive_ransomware_string_obfuscation
{
	meta:
		description = "Hive Ransomware obfuscated strings"

	strings:
		$obfuscated1 = /[a-zA-Z0-9]{8}\.[a-zA-Z0-9_]{8}\.String\.func/
		$obfuscated2 = /[a-zA-Z0-9]{8}\.\(\*[a-zA-Z0-9]{8}\)\.[a-zA-Z0-9]{10}/

	condition:
		#obfuscated1 > 10 or #obfuscated2 > 10
}

YARA Rules Index

One thought on “100 Days of YARA – Day 25: Hive Ransomware Obfuscated Strings

  1. Pingback: Week 03 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s