yara/rules/Windows_Ransomware_Rook.yar (19 lines of code) (raw):
rule Windows_Ransomware_Rook_ee21fa67 {
meta:
author = "Elastic Security"
id = "ee21fa67-bd82-40fb-9c6d-bab5abfe14b3"
fingerprint = "8ef731590e73f79a13d04db39e58b03d0a29fd8e46a0584b0fcaf57ac0efe473"
creation_date = "2022-01-14"
last_modified = "2022-04-12"
threat_name = "Windows.Ransomware.Rook"
reference_sample = "c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a = { 01 75 09 8B C3 FF C3 48 89 74 C5 F0 48 FF C7 48 83 FF 1A 7C DB }
condition:
all of them
}