{ "type": "bundle", "id": "bundle--7f0703e9-afad-4a99-ab83-edf535af02e7", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--0477fe22-5e88-4b44-8d73-c5e43c65d520", "created": "2023-03-08T12:51:45.70432Z", "modified": "2023-03-08T12:51:45.704399Z", "name": "Stairwell", "identity_class": "organization" }, { "type": "file", "spec_version": "2.1", "id": "file--ec2ea5fb-e5e9-4d4e-b0af-8e58c4d62b9c", "hashes": { "SHA-256": "5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fcc29129-e02f-4697-8aba-b1bb5267af3a", "created": "2026-06-24T19:42:40.818179Z", "modified": "2026-06-24T19:42:40.818179Z", "name": "YARA Rule", "pattern": "rule MauiRansomware\r\n{\r\nmeta:\r\nauthor= \"Silas Cutler (Silas@Stairwell.com)\"\r\ndescription = \"Detection for Maui Ransomware\"\r\nversion = \"0.1\"\r\nstrings:\r\n$ = \"Unable to read public key info.\" wide\r\n$ = \"it by using -maui option.\" wide\r\n$ = \"Incompatible public key version.\" wide\r\n$ = \"maui.key\" wide\r\n$ = \"maui.evd\" wide\r\n$ = \"Unable to encrypt private key\" wide\r\n$ = \"Unable to create evidence file\" wide\r\n$ = \"PROCESS_GOINGON[%d%% / %d%%]: %s\" wide\r\n$ = \"demigod.key\" wide\r\n$ = \"Usage: maui [-ptx] [PATH]\" wide\r\n$ = \"-p dir: Set Log Directory (Default: Current Directory)\" wide\r\n$ = \"-t n:\r\nSet Thread Count (Default: 1)\" wide\r\n$ = \"-x:\r\nSelf Melt (Default: No)\" wide\r\n// File header loading (x32-bit)\r\n$ = { 44 24 24 44 49 56 45 ?? 44 24 28 01 00 00 00 ?? 44 24 2C 10 00 00 00 }\r\n$ = { 44 4F 47 44 ?? ?? 04 01 00 00 00 }\r\ncondition:\r\n3 of them or\r\n(\r\nuint32(filesize-8) == 0x00000001 and\r\nuint32(filesize-12) == 0x5055424B\r\n)\r\n}", "pattern_type": "yara", "valid_from": "2022-07-06T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--868ee599-96dc-4f8c-a4d6-91ffdc939a6b", "hashes": { "MD5": "830207029d83fd46a4a89cd623103ba2" } }, { "type": "file", "spec_version": "2.1", "id": "file--219d8532-53c0-4620-8f7f-36765149ad4b", "hashes": { "MD5": "321b866428aa04360376e6a390063570" } }, { "type": "file", "spec_version": "2.1", "id": "file--30cf655d-4e0d-4256-a2d1-49561bc1b33d", "hashes": { "MD5": "d769dee48150616753fec4d6da16e99e" } }, { "type": "file", "spec_version": "2.1", "id": "file--4276a1a5-d4d9-4aab-a823-5beea6d2ae46", "hashes": { "MD5": "5b7ecf7e9d0715f1122baf4ce745c5fc" } }, { "type": "file", "spec_version": "2.1", "id": "file--265be0d2-1235-4192-81fe-62dbea8798a4", "hashes": { "MD5": "45d8ac1ac692d6bb0fe776620371fca0" } }, { "type": "file", "spec_version": "2.1", "id": "file--71a68ff6-bf35-4868-abf5-bc757d2ff6b7", "hashes": { "MD5": "2b60cac8db23c4cc7ab5df262da42b78" } }, { "type": "report", "spec_version": "2.1", "id": "report--2297d5f3-1d3f-46c9-91b9-5e1a8d935664", "created_by_ref": "identity--0477fe22-5e88-4b44-8d73-c5e43c65d520", "created": "2026-06-24T19:42:40.825991Z", "modified": "2026-06-24T19:42:40.825991Z", "name": "Maui ransomware", "published": "2022-07-06T00:00:00Z", "object_refs": [ "identity--0477fe22-5e88-4b44-8d73-c5e43c65d520", "file--ec2ea5fb-e5e9-4d4e-b0af-8e58c4d62b9c", "indicator--fcc29129-e02f-4697-8aba-b1bb5267af3a", "file--868ee599-96dc-4f8c-a4d6-91ffdc939a6b", "file--219d8532-53c0-4620-8f7f-36765149ad4b", "file--30cf655d-4e0d-4256-a2d1-49561bc1b33d", "file--4276a1a5-d4d9-4aab-a823-5beea6d2ae46", "file--265be0d2-1235-4192-81fe-62dbea8798a4", "file--71a68ff6-bf35-4868-abf5-bc757d2ff6b7" ], "external_references": [ { "source_name": "source", "url": "https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf" } ] } ] }