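# Nuclei file template: reports any scanned file whose SHA-256 digest equals
# one of the Wild Neutron sample hashes listed under `dsl` below.
#
# Scope of this detection:
#   - Exact-hash matching only identifies byte-identical copies of the listed
#     samples. A recompiled, repacked or otherwise modified binary produces a
#     different digest, so "no match" is not evidence that a host is clean.
#     Pair this with content- or behaviour-based rules (see the YARA rule in
#     `reference`) when triaging.
#   - A match is high-confidence for the listed sample, because the digest is
#     computed over the file's raw bytes rather than its name or path.
id: wildneutron-malware-hash

info:
  name: WildNeutron APT Sample Hash - Detect
  author: pussycat0x
  severity: info
  description: |
    Wild Neutron APT Sample Rule based on file hash
  # Written as a sequence so each URL is a separate reference entry.
  reference:
    - https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_WildNeutron.yar
  tags: malware,wildneutron,apt

file:
  # `all` hashes every file regardless of extension; malware samples are
  # routinely renamed, so filtering by extension would miss them.
  - extensions:
      - all

    # NOTE(review): confirm how the scanner treats files above its size limit.
    # A digest computed over partial content can never equal a full-file hash,
    # so oversized files would pass silently.
    matchers:
      - type: dsl
        # One entry per known sample. With `condition: or` a single equal
        # digest is enough to match, so a repeated hash adds no coverage.
        dsl:
          - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
          - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"
          - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'"
          - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'"
          - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'"
          - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'"
          - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
          - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'"
          - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'"
          - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'"
        condition: or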