nuclei-templates/file/malware/hash/flipflop-malware-hash.yaml

22 lines
1.1 KiB
YAML
Raw Normal View History

2024-06-20 09:42:34 +00:00
id: flipflop-ldr-malware-hash
2024-06-19 10:13:35 +00:00
info:
2024-06-20 09:42:34 +00:00
name: Flipflop Loader Hash - Detect
2024-06-19 10:13:35 +00:00
author: pussycat0x
severity: info
description: A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.
reference:
- https://github.com/volexity/threat-intel/blob/main/2021/2021-05-27%20-%20Suspected%20APT29%20Operation%20Launches%20Election%20Fraud%20Themed%20Phishing%20Campaigns/indicators/yara.yar
tags: malware,apt29,cobaltstrike
file:
- extensions:
- all
matchers:
- type: dsl
dsl:
- "sha256(raw) == 'ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330'"
- "sha256(raw) == 'b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c'"
- "sha256(raw) == 'ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c'"
condition: or
# digest: 4b0a00483046022100898dba3d21d00acd15b0d9328ff3c9b58792f741caff519072c7a6649f37a2bb022100980b0d759b9d2b8464858ecaa9bb3f65db5588bd5dccacf73ad8e95beb6ba0a7:922c64590222798bb761d5b6d8e72950