nuclei-templates/file/malware/hash/purplewave-malware-hash.yaml

id: purplewave-malware-hash
info:
  name: PurpleWave v1.0 Malware Hash - Detect
  author: pussycat0x
  severity: info
  reference:
    - https://twitter.com/3xp0rtblog/status/1289125217751781376
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PurpleWave.yar
  tags: malware,apt,purplewave

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'"
          - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'"
          - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'"
          - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'"
          - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'"
          - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'"
          - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'"
          - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'"
          - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'"
        condition: or
# digest: 490a004630440220697b99b706d2c5ba4e36e75d5cf9bc86654026c6b0ab367ed181f996e5b5a58e02202019b64c704f7e41def665c872f5523cf264b9ec55374ff62128cabad12eb9d3:922c64590222798bb761d5b6d8e72950
New - Templates 2024-06-20 09:42:34 +00:00			`id: purplewave-malware-hash`
			`info:`
			`name: PurpleWave v1.0 Malware Hash - Detect`
			`author: pussycat0x`
			`severity: info`
			`reference:`
			`- https://twitter.com/3xp0rtblog/status/1289125217751781376`
			`- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PurpleWave.yar`
fixed yaml validation errors 2024-06-25 09:56:35 +00:00			`tags: malware,apt,purplewave`
New - Templates 2024-06-20 09:42:34 +00:00
			`file:`
update 2024-06-20 12:38:35 +00:00			`- extensions:`
			`- all`
New - Templates 2024-06-20 09:42:34 +00:00
minor - changes 2024-06-20 13:16:17 +00:00			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'"`
			`- "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'"`
			`- "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'"`
			`- "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'"`
			`- "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'"`
			`- "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'"`
			`- "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'"`
			`- "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'"`
			`- "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'"`
			`condition: or`
Auto Template Signing [Tue Jun 25 10:31:23 UTC 2024] :robot: 2024-06-25 10:31:23 +00:00			`# digest: 490a004630440220697b99b706d2c5ba4e36e75d5cf9bc86654026c6b0ab367ed181f996e5b5a58e02202019b64c704f7e41def665c872f5523cf264b9ec55374ff62128cabad12eb9d3:922c64590222798bb761d5b6d8e72950`