From 55e140f198a2eef004ec3852adf896b2dcdf871b Mon Sep 17 00:00:00 2001
From: Bart P
Date: Wed, 20 Mar 2024 20:14:05 +0100
Subject: [PATCH] Create PureZip.yar

---
 rules/crimeware/PureZip.yar | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/crimeware/PureZip.yar

diff --git a/rules/crimeware/PureZip.yar b/rules/crimeware/PureZip.yar
new file mode 100644
index 0000000..ccc46f4
--- /dev/null
+++ b/rules/crimeware/PureZip.yar
@@ -0,0 +1,26 @@
+rule PureZip
+{
+ meta:
+ id = "3irhYCOx5n1gPEoxWCpDiE"
+ fingerprint = "c713faeaeb58701fd04353ef6fd17e4677da735318c43658d62242cd2ca3718d"
+ version = "1.0"
+ date = "2024-03-20"
+ modified = "2024-03-20"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ source = "BARTBLAZE"
+ author = "@bartblaze"
+ description = "Identifies ZIP files with a hidden file named '__.exe', as seen in a massive PureCrypt campaign in Q1 2024."
+ category = "MALWARE"
+ malware = "Pure"
+ malware_family= "INFOSTEALER"
+ hash = "ff668ef41336749df82e897c36b1438da1a21b1816716b30183024a8b62342a2"
+
+strings:
+ //This pattern is always the same. ZIP is sometimes password-protected. But typically 2 files, where __.exe is a hidden file.
+ //These are all PureCrypt samples, but may drop anything from PureLogs to Agent Tesla to RedLine to...
+ $exe = {5F 5F 2E 65 78 65} //__.exe
+
+condition:
+ uint16(0) == 0x4b50 and $exe in (filesize-300..filesize)
+}
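Review bot: The condition `$exe in (filesize-300..filesize)` relies on the `__.exe` entry of the ZIP central directory landing in the last 300 bytes, which holds for the two-file archives the comment describes but silently misses once an archive carries more entries, longer names, or an archive comment pushes that entry further from the end. The constraint is undocumented in the rule itself, so I would state it next to the string, `//__.exe is expected in the central directory near EOF; the 300-byte tail window assumes a 2-file archive with no ZIP comment`, or widen the window if the campaign's archives grow. The hex string `{5F 5F 2E 65 78 65}` is just the ASCII bytes of `__.exe`; writing it as `$exe = "__.exe"` reads more directly and matches the same bytes. Minor formatting: `malware_family= "INFOSTEALER"` is missing the space before `=` that every other meta line has.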