diff --git a/file/malware/hash/blackenergy-driver-amdide-hash.yaml b/file/malware/hash/blackenergy-driver-amdide-hash.yaml
index 80eea4d57a..1416dfb755 100644
--- a/file/malware/hash/blackenergy-driver-amdide-hash.yaml
+++ b/file/malware/hash/blackenergy-driver-amdide-hash.yaml
@@ -3,7 +3,7 @@ info:
 name: Blackenergy-Driver Amdide Hash - Detect
 description: |
 Detects the AMDIDE driver from BlackEnergy malware
- reference:
+ reference:
 - http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
 tag: malware,blackenergy
diff --git a/file/malware/hash/blackenergy-killdisk-malware-hash.yaml b/file/malware/hash/blackenergy-killdisk-malware-hash.yaml
index 4896d043f0..65d90a1035 100644
--- a/file/malware/hash/blackenergy-killdisk-malware-hash.yaml
+++ b/file/malware/hash/blackenergy-killdisk-malware-hash.yaml
@@ -19,4 +19,4 @@ file:
 - "sha256(raw) == '5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6'"
 - "sha256(raw) == 'c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d'"
 - "sha256(raw) == 'f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95'"
- condition: or
\ No newline at end of file
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/codoso-gh0st-malware.yaml b/file/malware/hash/codoso-gh0st-malware.yaml
index 976e2255a8..51dbbc7495 100644
--- a/file/malware/hash/codoso-gh0st-malware.yaml
+++ b/file/malware/hash/codoso-gh0st-malware.yaml
@@ -3,7 +3,7 @@ info:
 name: Codoso APT Gh0st Malware Hash - Detect
 author: pussycat0x
 severity: info
- reference:
+ reference:
 - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
 - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
 tags: malware,apt,codoso
diff --git a/file/malware/hash/codoso-pgv-malware-hash.yaml b/file/malware/hash/codoso-pgv-malware-hash.yaml
index 4927e17366..dad250bf30 100644
--- a/file/malware/hash/codoso-pgv-malware-hash.yaml
+++ b/file/malware/hash/codoso-pgv-malware-hash.yaml
@@ -20,4 +20,5 @@ file:
 - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
 - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'"
 - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'"
- - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
\ No newline at end of file
+ - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/codoso-plugx-malware-hash.yaml b/file/malware/hash/codoso-plugx-malware-hash.yaml
index 6f28c6c836..f0884b566b 100644
--- a/file/malware/hash/codoso-plugx-malware-hash.yaml
+++ b/file/malware/hash/codoso-plugx-malware-hash.yaml
@@ -5,7 +5,7 @@ info:
 severity: info
 description: |
 Detects Codoso APT PlugX Malware.
- reference:
+ reference:
 - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
 - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
 tags: malware,apt,codoso
diff --git a/file/malware/hash/ironPanda-htran-malware-hash.yaml b/file/malware/hash/ironPanda-htran-malware-hash.yaml
index 9044c3a27e..3a237e8ca3 100644
--- a/file/malware/hash/ironPanda-htran-malware-hash.yaml
+++ b/file/malware/hash/ironPanda-htran-malware-hash.yaml
@@ -1,4 +1,4 @@
-id: ironPanda-htran-malware-hash
+id: ironpanda-htran-malware-hash
 info:
 name: Iron Panda Malware Htran Hash - Detect
 author: pussycat0x
@@ -17,5 +17,4 @@ file:
 matchers:
 type: dsl
 dsl:
- - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'"
-
+ - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'"
\ No newline at end of file
diff --git a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml
index 78ce70e8ad..696a548481 100644
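Review bot: The matcher list this hunk closes carries the same indicator twice — `4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f` appears at the top of the hunk as an existing entry and again on the line the commit re-adds just before the new `condition: or`. With `condition: or` the duplicate is harmless at match time, but it inflates the indicator count and reads as a copy-paste slip, so the re-added line should be dropped and only `condition: or` kept as the new last line. The new last line is also written without a terminating newline (`\ No newline at end of file` on the + side), which trips yamllint's new-line-at-end-of-file check and POSIX text tooling. The cleanup hunks in ironPanda-htran-malware-hash.yaml, ironpanda-dnstunclient-malware-hash.yaml, locky-ransomware-hash.yaml, passcv-signingcert-malware-hash.yaml, red-leaves-malware-hash.yaml, seaduke-malware-hash.yaml and the second turla-malware-hash.yaml hunk introduce the same missing final newline, where removing the trailing blank line took the last newline with it.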
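Review bot: The lowercased id `ironpanda-htran-malware-hash` no longer matches its file name, which the diff header still shows as `ironPanda-htran-malware-hash.yaml` with a capital P; template repositories of this kind generally expect id and file name to agree, and a check that compares them would now fail on this file. The sibling `ironpanda-dnstunclient-malware-hash.yaml` in the same directory is already all-lowercase, so the file name rather than the id looks like the odd one out. The same mismatch is introduced for `sofacy-Winexe-malware-hash.yaml`, whose id becomes `sofacy-winexe-malware-hash`. Rename the files alongside the ids (a case-only rename needs `git mv` on case-insensitive filesystems), or leave the ids unchanged, so the two stay in sync.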
--- a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml
+++ b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml
@@ -17,5 +17,4 @@ file:
 matchers:
 type: dsl
 dsl:
- - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'"
-
+ - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'"
\ No newline at end of file
diff --git a/file/malware/hash/locky-ransomware-hash.yaml b/file/malware/hash/locky-ransomware-hash.yaml
index 05dca81de7..0e90f1e79e 100644
--- a/file/malware/hash/locky-ransomware-hash.yaml
+++ b/file/malware/hash/locky-ransomware-hash.yaml
@@ -17,5 +17,4 @@ file:
 matchers:
 type: dsl
 dsl:
- - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'"
-
+ - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'"
\ No newline at end of file
diff --git a/file/malware/hash/passcv-signingcert-malware-hash.yaml b/file/malware/hash/passcv-signingcert-malware-hash.yaml
index 665d68140e..d2f38966aa 100644
--- a/file/malware/hash/passcv-signingcert-malware-hash.yaml
+++ b/file/malware/hash/passcv-signingcert-malware-hash.yaml
@@ -17,5 +17,4 @@ file:
 matchers:
 type: dsl
 dsl:
- - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'"
-
+ - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'"
\ No newline at end of file
diff --git a/file/malware/hash/red-leaves-malware-hash.yaml b/file/malware/hash/red-leaves-malware-hash.yaml
index b131749599..06a4716156 100644
--- a/file/malware/hash/red-leaves-malware-hash.yaml
+++ b/file/malware/hash/red-leaves-malware-hash.yaml
@@ -17,5 +17,4 @@ file:
 matchers:
 type: dsl
 dsl:
- - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'"
-
+ - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'"
\ No newline at end of file
diff --git a/file/malware/hash/revil-ransomware-hash.yaml b/file/malware/hash/revil-ransomware-hash.yaml
index 9d6c61a8fa..61adf28cd9 100644
--- a/file/malware/hash/revil-ransomware-hash.yaml
+++ b/file/malware/hash/revil-ransomware-hash.yaml
@@ -4,7 +4,7 @@ info:
 author: pussycat0x
 severity: info
 description:
- Detect Revil Ransomware.
+ Detect Revil Ransomware.
 reference:
 - https://angle.ankura.com/post/102hcny/revix-linux-ransomware
 - https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Revix.yar
diff --git a/file/malware/hash/rokrat-malware-hash.yaml b/file/malware/hash/rokrat-malware-hash.yaml
index a531c05afa..e87b5e645e 100644
--- a/file/malware/hash/rokrat-malware-hash.yaml
+++ b/file/malware/hash/rokrat-malware-hash.yaml
@@ -2,7 +2,7 @@ id: rokrat-malware-hash
 info:
 name: ROKRAT Loader Malware Hash- Detect
 author: pussycat0x
- severity: info
+ severity: info
 description: |
 Designed to catch loader observed used with ROKRAT malware
 reference:
diff --git a/file/malware/hash/seaduke-malware-hash.yaml b/file/malware/hash/seaduke-malware-hash.yaml
index 183975b755..42ed6c7871 100644
--- a/file/malware/hash/seaduke-malware-hash.yaml
+++ b/file/malware/hash/seaduke-malware-hash.yaml
@@ -15,5 +15,4 @@ file:
 matchers:
 type: dsl
 dsl:
- - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'"
-
+ - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'"
\ No newline at end of file
diff --git a/file/malware/hash/sofacy-Winexe-malware-hash.yaml b/file/malware/hash/sofacy-Winexe-malware-hash.yaml
index d11191b9e4..90dd6d8329 100644
--- a/file/malware/hash/sofacy-Winexe-malware-hash.yaml
+++ b/file/malware/hash/sofacy-Winexe-malware-hash.yaml
@@ -1,4 +1,4 @@
-id: sofacy-Winexe-malware-hash
+id: sofacy-winexe-malware-hash
 info:
 name: Sofacy Group Winexe Tool Hash - Detect
 author: pussycat0x
diff --git a/file/malware/hash/sofacy-bundestag-malware-hash.yaml b/file/malware/hash/sofacy-bundestag-malware-hash.yaml
index 3b424a0a15..7d27e960c4 100644
--- a/file/malware/hash/sofacy-bundestag-malware-hash.yaml
+++ b/file/malware/hash/sofacy-bundestag-malware-hash.yaml
@@ -19,4 +19,4 @@ file:
 dsl:
 - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'"
 - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'"
- condition: or
+ condition: or
diff --git a/file/malware/hash/turla-malware-hash.yaml b/file/malware/hash/turla-malware-hash.yaml
index 29a0af280a..de64dd35bc 100644
--- a/file/malware/hash/turla-malware-hash.yaml
+++ b/file/malware/hash/turla-malware-hash.yaml
@@ -2,7 +2,7 @@ id: turla-malware-hash
 info:
 name: Turla APT Malware - Detect
 author: pussycat0x
- severity: info
+ severity: info
 description: Detects Turla malware based on sample used in the RUAG APT case
 reference: |
 https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
@@ -26,4 +26,4 @@ file:
 - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'"
 - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'"
 - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'"
- condition: or
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/wildneutron-malware-hash.yaml b/file/malware/hash/wildneutron-malware-hash.yaml
index b3c9b242b0..1c1a5cfd67 100644
--- a/file/malware/hash/wildneutron-malware-hash.yaml
+++ b/file/malware/hash/wildneutron-malware-hash.yaml
@@ -2,7 +2,7 @@ id: wildneutron-malware-hash
 info:
 name: WildNeutron APT Sample Hash - Detect
 author: pussycat0x
- severity: info
+ severity: info
 description: |
 Wild Neutron APT Sample Rule based on file hash
 reference: |