lint -fix
pussycat0x
parent
8d64f7f297
commit
0c5631b963
|
|
@ -3,7 +3,7 @@ info:
|
|||
name: Blackenergy-Driver Amdide Hash - Detect
|
||||
description: |
|
||||
Detects the AMDIDE driver from BlackEnergy malware
|
||||
reference:
|
||||
reference:
|
||||
- http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
|
||||
tag: malware,blackenergy
|
||||
|
||||
|
|
|
|||
|
|
@ -19,4 +19,4 @@ file:
|
|||
- "sha256(raw) == '5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6'"
|
||||
- "sha256(raw) == 'c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d'"
|
||||
- "sha256(raw) == 'f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95'"
|
||||
condition: or
|
||||
condition: or
|
||||
|
|
@ -3,7 +3,7 @@ info:
|
|||
name: Codoso APT Gh0st Malware Hash - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
reference:
|
||||
reference:
|
||||
- https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
|
||||
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
|
||||
tags: malware,apt,codoso
|
||||
|
|
|
|||
|
|
@ -20,4 +20,5 @@ file:
|
|||
- "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
|
||||
- "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'"
|
||||
- "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'"
|
||||
- "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
|
||||
- "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
|
||||
condition: or
|
||||
|
|
@ -5,7 +5,7 @@ info:
|
|||
severity: info
|
||||
description: |
|
||||
Detects Codoso APT PlugX Malware.
|
||||
reference:
|
||||
reference:
|
||||
- https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
|
||||
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
|
||||
tags: malware,apt,codoso
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
id: ironPanda-htran-malware-hash
|
||||
id: ironpanda-htran-malware-hash
|
||||
info:
|
||||
name: Iron Panda Malware Htran Hash - Detect
|
||||
author: pussycat0x
|
||||
|
|
@ -17,5 +17,4 @@ file:
|
|||
matchers:
|
||||
type: dsl
|
||||
dsl:
|
||||
- "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'"
|
||||
|
||||
- "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'"
|
||||
|
|
@ -17,5 +17,4 @@ file:
|
|||
matchers:
|
||||
type: dsl
|
||||
dsl:
|
||||
- "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'"
|
||||
|
||||
- "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'"
|
||||
|
|
@ -17,5 +17,4 @@ file:
|
|||
matchers:
|
||||
type: dsl
|
||||
dsl:
|
||||
- "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'"
|
||||
|
||||
- "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'"
|
||||
|
|
@ -17,5 +17,4 @@ file:
|
|||
matchers:
|
||||
type: dsl
|
||||
dsl:
|
||||
- "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'"
|
||||
|
||||
- "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'"
|
||||
|
|
@ -17,5 +17,4 @@ file:
|
|||
matchers:
|
||||
type: dsl
|
||||
dsl:
|
||||
- "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'"
|
||||
|
||||
- "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'"
|
||||
|
|
@ -4,7 +4,7 @@ info:
|
|||
author: pussycat0x
|
||||
severity: info
|
||||
description:
|
||||
Detect Revil Ransomware.
|
||||
Detect Revil Ransomware.
|
||||
reference:
|
||||
- https://angle.ankura.com/post/102hcny/revix-linux-ransomware
|
||||
- https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Revix.yar
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ id: rokrat-malware-hash
|
|||
info:
|
||||
name: ROKRAT Loader Malware Hash- Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
severity: info
|
||||
description: |
|
||||
Designed to catch loader observed used with ROKRAT malware
|
||||
reference:
|
||||
|
|
|
|||
|
|
@ -15,5 +15,4 @@ file:
|
|||
matchers:
|
||||
type: dsl
|
||||
dsl:
|
||||
- "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'"
|
||||
|
||||
- "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'"
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
id: sofacy-Winexe-malware-hash
|
||||
id: sofacy-winexe-malware-hash
|
||||
info:
|
||||
name: Sofacy Group Winexe Tool Hash - Detect
|
||||
author: pussycat0x
|
||||
|
|
|
|||
|
|
@ -19,4 +19,4 @@ file:
|
|||
dsl:
|
||||
- "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'"
|
||||
- "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'"
|
||||
condition: or
|
||||
condition: or
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ id: turla-malware-hash
|
|||
info:
|
||||
name: Turla APT Malware - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
severity: info
|
||||
description: Detects Turla malware based on sample used in the RUAG APT case
|
||||
reference: |
|
||||
https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
|
||||
|
|
@ -26,4 +26,4 @@ file:
|
|||
- "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'"
|
||||
- "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'"
|
||||
- "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'"
|
||||
condition: or
|
||||
condition: or
|
||||
|
|
@ -2,7 +2,7 @@ id: wildneutron-malware-hash
|
|||
info:
|
||||
name: WildNeutron APT Sample Hash - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
severity: info
|
||||
description: |
|
||||
Wild Neutron APT Sample Rule based on file hash
|
||||
reference: |
|
||||
|
|
|
|||
Loading…
Reference in New Issue