Add .yar to detect a stupid malware written in python

malware/RANSOM_graverobber.yar

@@ -0,0 +1,25 @@
+rule MAL_Graverobber_Main_Python
+{
+    meta:
+        family      = "Graverobber"
+        variant     = "graverobber.py"
+        description = "Detects Graverobber main Python ransomware payload"
+        author      = "rf-peixoto"
+        reference   = "github.com/rf-peixoto/Graverobber"
+        confidence  = "high"
+
+    strings:
+        $s_title      = "The Graverobber - DO NOT CLOSE THIS WINDOW!" ascii
+        $s_visit      = "You have been visited by the Graverobber. " ascii
+        $s_nodefile   = "node_{0}.txt" ascii
+        $s_nodesig    = "Node Signature: {0}" ascii
+        $s_aes        = "from AesEverywhere import aes256" ascii
+        $s_bloxplorer = "from bloxplorer import bitcoin_explorer" ascii
+        $s_file_form  = "http://{0}.com/file_form.php" ascii
+        $s_ping       = "ping -c 1 " ascii
+
+    condition:
+        // Require strong family markers: UI text + crypto + infra pieces
+        all of ($s_title, $s_visit, $s_nodefile, $s_nodesig)
+        and $s_aes and $s_bloxplorer and $s_file_form
+}

malware/RANSOM_graverobber_count_zero.yar

@@ -0,0 +1,26 @@
+rule MAL_Graverobber_CountZero_Python
+{
+    meta:
+        family      = "Graverobber"
+        variant     = "countzero.py"
+        description = "Detects CountZero variant"
+        author      = "rf-peixoto"
+        reference   = "github.com/rf-peixoto/Graverobber"
+        confidence  = "high"
+
+    strings:
+        $s_readme    = "CountZero.README.txt" ascii
+        $s_readmeurl = "file://{0}/CountZero.README.txt" ascii
+        $s_btc       = "BTC Address" ascii
+        $s_blox      = "from bloxplorer import bitcoin_explorer" ascii
+        $s_form1     = "http://127.0.0.1/file_form.php" ascii
+        $s_form2     = "http://{0}.com/file_form.php" ascii
+        $s_ping      = "ping -c 1 " ascii
+        $s_fileup    = "fileToUpload" ascii
+
+    condition:
+        // Ransom note + BTC + C2 infra + bloxplorer
+        $s_readme and $s_btc
+        and any of ($s_form1, $s_form2)
+        and $s_blox and $s_fileup and $s_ping
+}

malware/RANSOM_graverobber_qv1m3r4.yar

@@ -0,0 +1,22 @@
+rule MAL_Graverobber_Qv1m3r4_Python
+{
+    meta:
+        family      = "Graverobber"
+        variant     = "qv1m3r4.py"
+        description = "Detects qv1m3r4 variant"
+        author      = "rf-peixoto"
+        reference   = "github.com/rf-peixoto/Graverobber"
+        confidence  = "high"
+
+    strings:
+        $s_egg1      = "egg_{0}.txt" ascii
+        $s_nodesig   = "Node Signature: {0}\\n" ascii
+        $s_qv        = "qv1m3r4" ascii
+        $s_note_1    = "Send a message to [email protected] to get in touch." ascii
+        $s_note_url  = "file://{0}/egg_{1}.txt" ascii
+        $s_aes       = "from AesEverywhere import aes256" ascii
+
+    condition:
+        $s_qv and $s_egg1 and $s_nodesig
+        and $s_aes and any of ($s_note_1, $s_note_url)
+}

malware/WIPER_graverobber_river_lethe.yar

@@ -0,0 +1,26 @@
+rule MAL_Graverobber_RiverLethe_Python
+{
+    meta:
+        family      = "Graverobber"
+        variant     = "river_lethe.py"
+        description = "Detects River Lethe variant"
+        author      = "rf-peixoto"
+        reference   = "github.com/rf-peixoto/Graverobber"
+        confidence  = "high"
+
+    strings:
+        $s_title   = "River Lethe" ascii
+        $s_msg1    = "Everything you had is lost in oblivion." ascii
+        $s_msg2    = "Send a signal to EMAIL and we will to guide you in this journey." ascii
+        $s_btc     = "BTC Address" ascii
+        $s_blox    = "from bloxplorer import bitcoin_explorer" ascii
+        $s_form1   = "http://127.0.0.1/file_form.php" ascii
+        $s_form2   = "http://{0}.com/file_form.php" ascii
+        $s_ping    = "ping -c 1 " ascii
+
+    condition:
+        all of ($s_title, $s_msg1, $s_msg2)
+        and $s_blox and $s_btc
+        and any of ($s_form1, $s_form2)
+        and $s_ping and $s_fileup
+}