Skip to content
/ DragonForceRansomwareYARA Public

πŸ” YARA rules for identifying DragonForce ransomware samples. Generated using yarGen from known malicious executables on MalwareBazaar. Includes both raw and cleaned rulesets, plus sample hashes for analysis.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

petstuk/DragonForceRansomwareYARA

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

6 Commits
LICENSE
LICENSE
Β 
Β 
README.md
README.md
Β 
Β 
dragonforce_clean.yar
dragonforce_clean.yar
Β 
Β 
dragonforce_hashes.txt
dragonforce_hashes.txt
Β 
Β 
dragonforce_raw.yar
dragonforce_raw.yar
Β 
Β 

Repository files navigation

πŸ‰ DragonForceRansomWareYARA

This repository contains YARA rules generated from known DragonForce ransomware samples, collected from MalwareBazaar in June 2025.

The rules were created using yarGen β€” a YARA rule generator developed by Florian Roth β€” to help identify and classify binaries associated with DragonForce ransomware operations.

πŸ“ Repository Contents

  • dragonforce_raw.yar
    The initial YARA ruleset generated from 13 DragonForce ransomware samples. This ruleset includes all extracted string indicators, including common Windows APIs and DLLs.

  • dragonforce_clean.yar
    A cleaned YARA ruleset generated with the --excludegood flag. This version filters out generic strings found in benign software, reducing false positives and improving detection fidelity.

  • dragonforce_hashes.txt
    A list of SHA-256 file hashes for the DragonForce ransomware samples used to generate the rules. These hashes can be submitted to VirusTotal or other threat intel platforms for further analysis.

πŸ§ͺ How the Rules Were Created

  1. All ransomware PE (.exe) files tagged DragonForce were downloaded from MalwareBazaar.

  2. Files were organized in:

    dragonforce_hashes.txt

  3. Two YARA rulesets were generated using yarGen:

    # Full ruleset (including common APIs)
dragonforce_raw.yar

# Clean ruleset (excluding goodware-related strings)
dragonforce_clean.yar

🧠 About DragonForce

DragonForce began as a pro-Palestine hacktivist group in 2023, later transitioning into a financially motivated ransomware operation. The group has been associated with high-profile attacks and employs tactics such as phishing, red team frameworks, and double extortion ransomware deployment.

More information is available in the associated blog post.

πŸ“Œ Usage

These rules are intended for:

  • Threat hunting
  • Malware triage
  • Incident response
  • Sandboxing and sample classification

They can be used with tools like:

  • YARA CLI
  • VirusTotal Intelligence
  • Hybrid Analysis / Triage
  • AnyRun
  • Cuckoo Sandbox

πŸ“„ License

These rules are shared under the MIT License and are intended for research and educational use only. Attribution appreciated.

πŸ“¬ Contact

For feedback, contributions, or questions, feel free to reach out via GitHub Issues or open a pull request.

About

πŸ” YARA rules for identifying DragonForce ransomware samples. Generated using yarGen from known malicious executables on MalwareBazaar. Includes both raw and cleaned rulesets, plus sample hashes for analysis.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages