New - Templates

file/malware/hash/anthem-deeppanda-malware-hash.yaml

@@ -0,0 +1,21 @@
+id: anthem-deeppanda-malware-hash
+info:
+  name: Anthem DeepPanda Trojan Kakfum Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll
+  reference:
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_DeepPanda_Anthem.yar
+  tags: malware,deeppanda
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'"
+      - "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'"
+    condition: or

file/malware/hash/applejeus-malware-hash.yaml

@@ -1,6 +1,6 @@
-id: applejeus-malware
+id: applejeus-malware-hash
 info:
-  name: AppleJeus Malware - Detect
+  name: AppleJeus Malware Hash - Detect
   author: pussycat0x
   severity: info
   description: Detects AppleJeus DLL samples

file/malware/hash/avburner-malware-hash.yaml

@@ -1,6 +1,6 @@
-id: avburner-malware
+id: avburner-malware-hash
 info:
-  name: AVBurner Malware - Detect
+  name: AVBurner Malware Hash - Detect
   author: pussycat0x
   severity: info
   description: Detects AVBurner based on a combination of API calls used, hard-coded strings, and bytecode patterns

file/malware/hash/backwash-malware-hash.yaml

@@ -1,9 +1,10 @@
-id: backwash-malware
+id: backwash-malware-hash
 info:
-  name: Backwash Malware - Detect
+  name: Backwash Malware Hash - Detect
   author: pussycat0x
   severity: info
-  description: CPP loader for the Backwash malware.
+  description: |
+    CPP loader for the Backwash malware.
   reference:
     - https://github.com/volexity/threat-intel/blob/main/2021/2021-12-06%20-%20XEGroup/indicators/yara.yar
     - https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/

file/malware/hash/blackenergy-driver-amdide-hash.yaml

@@ -0,0 +1,24 @@
+id: blackenergy-driver-amdide-hash
+info:
+  name: Blackenergy-Driver Amdide Hash - Detect
+  description: |
+    Detects the AMDIDE driver from BlackEnergy malware
+  reference: 
+    - http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
+  tag: malware,blackenergy
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'"
+      - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'"
+      - "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'"
+      - "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'"
+      - "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'"
+      - "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'"
+      - "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'"
+    condition: or

file/malware/hash/blackenergy-driver-malware-hash.yaml

@@ -0,0 +1,26 @@
+id: blackenergy-driver-malware-hash
+info:
+  name: BlackEnergy Driver USBMDM Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Auto-generated rule - detects BlackEnergy Driver USBMDM malware
+  reference:
+    - http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry
+  tags: malware,blackenergy
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'"
+      - "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'"
+      - "sha256(raw) == 'edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281'"
+      - "sha256(raw) == 'ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc'"
+      - "sha256(raw) == '7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291'"
+      - "sha256(raw) == '405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5'"
+      - "sha256(raw) == '244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5'"
+      - "sha256(raw) == 'edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf'"
+    condition: or

file/malware/hash/blackenergy-killdisk-malware-hash.yaml

@@ -0,0 +1,22 @@
+id: blackenergy-killdisk-malware-hash
+info:
+  name: BlackEnergy KillDisk Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects KillDisk malware from BlackEnergy
+  reference:
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
+  tags: malware,blackenergy
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80'"
+          - "sha256(raw) == '5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6'"
+          - "sha256(raw) == 'c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d'"
+          - "sha256(raw) == 'f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95'"
+        condition: or    

file/malware/hash/blackenergy-ssh-malware-hash.yaml

@@ -0,0 +1,18 @@
+id: blackenergy-ssh-malware-hash
+info:
+  name: BlackEnergy BackdoorPass DropBear SSH Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects the password of the backdoored DropBear SSH Server - BlackEnergy
+  reference:
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
+  tags: malware,blackenergy
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd'"

file/malware/hash/blackenergy-vbs-malware-hash.yaml

@@ -0,0 +1,20 @@
+id: blackenergy-vbs-malware-hash
+info:
+  name: BlackEnergy VBS Agent Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs
+  reference:
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
+  tags: malware,blackenergy
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f'"
+          - "sha256(raw) == '0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd'"
+        condition: or

file/malware/hash/bluelight-malware-hash.yaml

@@ -1,6 +1,6 @@
-id: bluelight-malware
+id: bluelight-malware-hash
 info:
-  name: bluelight Malware - Detect
+  name: bluelight Malware Hash - Detect
   author: pussycat0x
   severity: info
   description: North Korean origin malware which uses a custom Google App for C2 communications.

file/malware/hash/bluetermite-emdivi-malware-hash.yaml

@@ -0,0 +1,33 @@
+id: bluetermite-emdivi-malware-hash
+info:
+  name: Bluetermite Emdivi Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference:
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Bluetermite_Emdivi.yar
+    - https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/
+  tags: malware,bluetermite
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'"
+      - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'"
+      - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'"
+      - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'"
+      - "sha256(raw) == '9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1'"
+      - "sha256(raw) == 'a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012'"
+      - "sha256(raw) == '9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4'"
+      - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'"
+      - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'"
+      - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'"
+      - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'"
+      - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'"
+      - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'"
+      - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'"
+      - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'"
+    condition: or

file/malware/hash/bluetermite-emdivi-sfx-hash.yaml

@@ -0,0 +1,20 @@
+id: bluetermite-emdivi-sfx-hash
+info:
+  name: Bluetermite Emdivi SFX Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference:
+    - https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Bluetermite_Emdivi.yar
+  tags: malware,bluetermite
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'"
+      - "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'"
+    condition: or

file/malware/hash/charmingcypress-malware-hash.yaml

@@ -1,11 +1,11 @@
-id: charmingcypress-malware
+id: charmingcypress-malware-hash
 info:
-  name: CharmingCypress Malware - Detect
+  name: CharmingCypress Malware Hash - Detect
   author: pussycat0x
   severity: info
   reference:
     - https://github.com/volexity/threat-intel/blob/main/2024/2024-02-13%20CharmingCypress/rules.yar
-  tags: malware
+  tags: malware,cypress
 
 file:
   - extensions:

file/malware/hash/cheshirecat-malware-hash.yaml

@@ -0,0 +1,22 @@
+id: cheshirecat-malware-hash
+info:
+  name: CheshireCat Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference:
+    - https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_CheshireCat.yar
+  tags: malware,apt
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'"
+      - "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'"
+      - "sha256(raw) == '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb'"
+      - "sha256(raw) == 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532'"
+    condition: or

file/malware/hash/cloudduke-malware-hash.yaml

@@ -0,0 +1,33 @@
+id: cloudduke-malware-hash
+info:
+  name: CloudDuke Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference:
+    - https://www.f-secure.com/weblog/archives/00002822.html
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Cloudduke.yar
+  tags: malware,apt
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+      - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
+      - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'"
+      - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+      - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'"
+      - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
+      - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
+      - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+      - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
+      - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
+      - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
+      - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
+      - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
+      - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
+      - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
+    condition: or

file/malware/hash/codoso-gh0st-malware.yaml

@@ -0,0 +1,22 @@
+id: codoso-gh0st-malware
+info:
+  name: Codoso APT Gh0st Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference: 
+    - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+  tags: malware,apt,codoso
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'"
+      - "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'"
+      - "sha256(raw) == '7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8'"
+      - "sha256(raw) == 'd7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297'"
+    condition: or

file/malware/hash/codoso-malware-hash.yaml

@@ -0,0 +1,26 @@
+id: codoso-malware-hash
+info:
+  name: Codoso APT Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Codoso APT Malware.
+  reference:
+    - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+  tags: malware,apt,codoso
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'"
+      - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'"
+      - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'"
+      - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'"
+      - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'"
+      - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'"
+    condition: or

file/malware/hash/codoso-pgv-malware-hash.yaml

@@ -0,0 +1,23 @@
+id: codoso-pgv-malware-hash
+info:
+  name: Codoso APT PGV_PVID Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Codoso APT PGV_PVID Malware
+  reference: 
+    - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+  tags: malware,apt,codoso
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
+      - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'"
+      - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'"
+      - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"

file/malware/hash/codoso-plugx-malware-hash.yaml

@@ -0,0 +1,24 @@
+id: codoso-plugx-malware-hash
+info:
+  name: Codoso APT PlugX Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Codoso APT PlugX Malware.
+  reference: 
+    - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+  tags: malware,apt,codoso
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+      - "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'"
+      - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+      - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+    condition: or

file/malware/hash/disgomoji-malware-hash.yaml

@@ -1,12 +1,12 @@
-id: disgomoji-malware
+id: disgomoji-malware-hash
 info:
-  name: DISGOMOJI Malware - Detect
+  name: DISGOMOJI Malware Hash - Detect
   author: pussycat0x
   severity: info
   description: Detects DISGOMOJI modules based on strings in the ELF.
   reference:
     - https://github.com/volexity/threat-intel/blob/main/2024/2024-06-13%20DISGOMOJI/indicators/rules.yar
-  tags: malware
+  tags: malware,disgomoji
 
 file:
   - extensions:

file/malware/hash/dubnium-malware-hash.yaml

@@ -0,0 +1,43 @@
+id: dubnium-malware-hash
+info:
+  name: Dubnium Malware Hash - Detect
+  author: pussycat0x
+  description: |
+    Detects sample mentioned in the Dubnium Report
+  reference:
+    - https://goo.gl/AW9Cuu
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Dubnium.yar
+  tags: malware,dubnium
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+      - "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'"
+      - "sha256(raw) == 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5'"
+      - "sha256(raw) == 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827'"
+      - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+      - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+      - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+      - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+      - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+      - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
+      - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+      - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+      - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+      - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+      - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+      - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
+      - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+      - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+      - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+      - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+      - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+      - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+      - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+      - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+    condition: or

file/malware/hash/dubnium-sshopenssl-malware-hash.yaml

@@ -0,0 +1,25 @@
+id: dubnium-sshopenssl-malware-hash
+info:
+  name: Dubnium Sample SSHOpenSSL Hash - Detect
+  author: pussycat0x
+  description: |
+    Detects sample mentioned in the Dubnium Report
+  reference:
+    - https://goo.gl/AW9Cuu
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Dubnium.yar
+  tags: malware,Dubnium,apt
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+      - "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+      - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+      - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+      - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+      - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+    condition: or

file/malware/hash/emissary-malware-hash.yaml

@@ -0,0 +1,32 @@
+id: emissary-malware-hash
+info:
+  name: Emissary APT Malware Hash - Detect
+  author: pussycat0x
+  description: |
+    Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll
+  reference:
+    - http://goo.gl/V0epcf
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Emissary.yar
+  tags: malware,emissary,apt
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'"
+      - "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'"
+      - "sha256(raw) == '0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290'"
+      - "sha256(raw) == '69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664'"
+      - "sha256(raw) == '675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc'"
+      - "sha256(raw) == 'e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b'"
+      - "sha256(raw) == 'a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8'"
+      - "sha256(raw) == 'acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9'"
+      - "sha256(raw) == 'e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d'"
+      - "sha256(raw) == 'e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538'"
+      - "sha256(raw) == '29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051'"
+      - "sha256(raw) == '98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0'"
+      - "sha256(raw) == 'fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb'"
+    condition: or

file/malware/hash/evilbamboo-malware-hash.yaml

@@ -1,6 +1,6 @@
-id: evilbamboo-malware
+id: evilbamboo-malware-hash
 info:
-  name: EvilBamboo Malware - Detect
+  name: EvilBamboo Malware Hash - Detect
   author: pussycat0x
   severity: info
   description: |

file/malware/hash/fakem-malware-hash.yaml

@@ -0,0 +1,30 @@
+id: fakem-malware-hash
+info:
+  name: FakeM_Generic Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects FakeM malware samples
+  reference:
+    - http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FakeM.yar
+  tags: malware,apt,fakem
+
+file:
+  extensions:
+    - all
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'"
+      - "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'"
+      - "sha256(raw) == '53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60'"
+      - "sha256(raw) == '4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3'"
+      - "sha256(raw) == '7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8'"
+      - "sha256(raw) == '12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d'"
+      - "sha256(raw) == '9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5'"
+      - "sha256(raw) == '3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90'"
+      - "sha256(raw) == '41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33'"
+      - "sha256(raw) == '53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e'"
+      - "sha256(raw) == '523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b'"
+    condition: or

file/malware/hash/flipflop-malware-hash.yaml

@@ -1,6 +1,6 @@
-id: flipflop-ldr-malware
+id: flipflop-ldr-malware-hash
 info:
-  name: Flipflop Loader - Detect
+  name: Flipflop Loader Hash - Detect
   author: pussycat0x
   severity: info
   description: A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.

file/malware/hash/furtim-malware-hash.yaml

@@ -0,0 +1,22 @@
+id: furtim-malware-hash
+info:
+  name: Furtim Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Furtim Parent Malware.
+  reference:
+    - https://sentinelone.com/blogs/sfg-furtims-parent/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_furtim.yar
+  tags: malware,apt,furtim
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'"
+      - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'"
+    condition: or

file/malware/hash/gimmick-malware-hash.yaml

@@ -1,6 +1,6 @@
-id: gimmick-malware
+id: gimmick-malware-hash
 info:
-  name: GIMMICK Malware - Detect
+  name: GIMMICK Malware Hash - Detect
   author: pussycat0x
   severity: info
   description: Detects the macOS port of the GIMMICK malware.

file/malware/hash/godzilla-webshell-hash.yaml

@@ -1,6 +1,6 @@
-id: godzilla-webshell
+id: godzilla-webshell-hash
 info:
-  name: Godzilla Webshell - Detect
+  name: Godzilla Webshell Hash - Detect
   author: pussycat0x
   severity: info
   description: Detects the JSP implementation of the Godzilla Webshell.

file/malware/hash/greenbug-malware-hash.yaml

@@ -0,0 +1,32 @@
+id: greenbug-malware-hash
+info:
+  name: Greenbug Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Malware from Greenbug Incident
+  reference:
+    - https://goo.gl/urp4CD
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Greenbug.yar
+  tags: malware,Greenbug
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'"
+      - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'"
+      - "sha256(raw) == '21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685'"
+      - "sha256(raw) == '319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'"
+      - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
+      - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
+      - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
+      - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
+      - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
+      - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
+      - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
+      - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
+    condition: or

file/malware/hash/ico-malware-hash.yaml

@@ -1,12 +1,12 @@
-id: ico-malware
+id: ico-malware-hash
 info:
-  name: ICO Malware - Detect
+  name: ICO Malware Hash - Detect
   author: pussycat0x
   severity: info
   description: Detection of malicious ICO files used in 3CX compromise
   reference:
     - https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/indicators/rules.yar
-  tags: malware,UTA0040
+  tags: malware,uta0040
 
 file:
   - extensions:

file/malware/hash/industroyer-malware-hash.yaml

@@ -0,0 +1,28 @@
+id: industroyer-malware-hash
+info:
+  name: Industroyer Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects Industroyer related malware
+  reference:
+    - https://goo.gl/x81cSy
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Industroyer.yar
+  tags: malware,industroyer,apt
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'"
+      - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'"
+      - "sha256(raw) == '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571'"
+      - "sha256(raw) == '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4'"
+      - "sha256(raw) == 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77'"
+      - "sha256(raw) == '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47'"
+      - "sha256(raw) == '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f'"
+      - "sha256(raw) == '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561'"
+      - "sha256(raw) == '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad'"
+    condition: or

file/malware/hash/ironPanda-htran-malware-hash.yaml

@@ -0,0 +1,21 @@
+id: ironPanda-htran-malware-hash
+info:
+  name: Iron Panda Malware Htran Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Iron Panda Malware Htran
+  reference:
+    - https://goo.gl/E4qia9
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Irontiger.yar
+  tags: malware,ironpanda
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'"
+

file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml

@@ -0,0 +1,21 @@
+id: ironpanda-dnstunclient-malware-hash
+info:
+  name: Iron Panda malware DnsTunClient Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Iron Panda malware DnsTunClient - file named.exe
+  reference:
+    - https://goo.gl/E4qia9
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Irontiger.yar
+  tags: malware,ironpanda
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'"
+

file/malware/hash/ironpanda-malware-hash.yaml

@@ -0,0 +1,22 @@
+id: ironpanda-malware-hash
+info:
+  name: Iron Panda Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Iron Panda Malware
+  reference:
+    - https://goo.gl/E4qia9
+  tags: malware,IronPanda
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'"
+      - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'"
+      - "sha256(raw) == '5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742'"
+      - "sha256(raw) == '0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c'"
+    condition: or

file/malware/hash/locky-ransomware-hash.yaml

@@ -0,0 +1,21 @@
+id: locky-ransomware-hash
+info:
+  name: Locky Ransomware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Locky Ransomware (matches also on Win32/Kuluoz)
+  reference:
+    - https://goo.gl/qScSrE
+    - https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
+  tags: ransomware,malware
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'"
+

file/malware/hash/minidionis-readerview-malware-hash.yaml

@@ -0,0 +1,26 @@
+id: minidionis-readerview-malware-hash
+info:
+  name: MiniDionis Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    MiniDionis Malware - file readerView.exe / adobe.exe
+  reference:
+    - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar
+  tags: malware,minidionis
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
+      - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
+      - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
+      - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+      - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
+      - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
+    condition: or

file/malware/hash/minidionis-vbs-malware-hash.yaml

@@ -0,0 +1,19 @@
+id: minidionis-vbs-malware-hash
+info:
+  name: MiniDionis VBS Dropped File Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detect Dropped File - 1.vbs
+  reference:
+    - https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar
+  tags: malware,minidionis
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'"

file/malware/hash/naikon-apt-malware-hash.yaml

@@ -0,0 +1,19 @@
+id: naikon-apt-malware-hash
+info:
+  name: Backdoor Naikon APT Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference:
+    - https://goo.gl/7vHyvh
+tags: malware,naikon
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'"
+      - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'"
+    condition: or

file/malware/hash/neuron2-malware-hash.yaml

@@ -0,0 +1,20 @@
+id: neuron2-malware-hash
+info:
+  name: Neuron2 Loader Strings Turla APT loader Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference: |
+    - https://www.ncsc.gov.uk/alerts/turla-group-malware
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_Neuron.yar
+  tags: malware,turla,neuron2,apt
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'"
+      - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'"
+    condition: or

file/malware/hash/oilrig-malware-hash.yaml

@@ -0,0 +1,45 @@
+id: oilrig-malware-hash
+info:
+  name: OilRig Malware Campaign Gen1 Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects malware from OilRig Campaign
+  reference:
+    - https://goo.gl/QMRZ8K
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Oilrig.yar
+  tags: malware,oilrig,apt
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'"
+      - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'"
+      - "sha256(raw) == '662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f'"
+      - "sha256(raw) == '903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996'"
+      - "sha256(raw) == 'c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da'"
+      - "sha256(raw) == '57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4'"
+      - "sha256(raw) == '1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1'"
+      - "sha256(raw) == '9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777'"
+      - "sha256(raw) == '0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e'"
+      - "sha256(raw) == '4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281'"
+      - "sha256(raw) == '4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353'"
+      - "sha256(raw) == 'c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51'"
+      - "sha256(raw) == 'f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2'"
+      - "sha256(raw) == '0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39'"
+      - "sha256(raw) == 'd874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d'"
+      - "sha256(raw) == '8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9'"
+      - "sha256(raw) == '55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579'"
+      - "sha256(raw) == '528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b'"
+      - "sha256(raw) == '93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0'"
+      - "sha256(raw) == 'e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa'"
+      - "sha256(raw) == '9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471'"
+      - "sha256(raw) == 'a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064'"
+      - "sha256(raw) == '3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff'"
+      - "sha256(raw) == '3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4'"
+      - "sha256(raw) == 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e'"
+    condition: or

file/malware/hash/passcv-ntscan-malware-hash.yaml

@@ -0,0 +1,19 @@
+id: passcv-ntscan-malware-hash
+info:
+  name: PassCV Sabre Tool NTScan Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: PassCV Malware mentioned in Cylance Report
+  reference:
+    - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar
+  tags: malware,passcv
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'"

file/malware/hash/passcv-sabre-malware-hash.yaml

@@ -0,0 +1,29 @@
+id: passcv-sabre-malware-hash
+info:
+  name: PassCV Sabre Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    PassCV Malware mentioned in Cylance Report
+  reference:
+    - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar
+  tags: malware,passcv
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'"
+      - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'"
+      - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'"
+      - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'"
+      - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'"
+      - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'"
+      - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'"
+      - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'"
+      - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'"
+    condition: or

file/malware/hash/passcv-signingcert-malware-hash.yaml

@@ -0,0 +1,21 @@
+id: passcv-signingcert-malware-hash
+info:
+  name: PassCV Sabre Malware Signing Cert Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    PassCV Malware mentioned in Cylance Report
+  reference:
+    - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar
+  tags: malware,passcv
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'"
+

file/malware/hash/petya-ransomware-hash.yaml

@@ -0,0 +1,19 @@
+id: petya-ransomware-hash
+info:
+  name: Petya Ransomware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Petya Ransomware.
+  reference:
+    - http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html
+tags: ransomware,malware
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'"

file/malware/hash/poseidongroup-maldoc-malware-hash.yaml

@@ -0,0 +1,27 @@
+id: poseidongroup-maldoc-malware-hash
+info:
+  name: Poseidon Group Malicious Word Document Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects Poseidon Group - Malicious Word Document
+  reference:
+    - https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Poseidon_Group.yar
+  tags: malware,poseidon
+
+file:
+  extensions:
+    - doc
+    - docx
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'"
+      - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'"
+      - "sha256(raw) == 'f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a'"
+      - "sha256(raw) == 'ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed'"
+      - "sha256(raw) == '27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778'"
+      - "sha256(raw) == '1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216'"
+      - "sha256(raw) == '0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b'"
+    condition: or

file/malware/hash/poseidongroup-malware-hash.yaml

@@ -0,0 +1,26 @@
+id: poseidongroup-malware-hash
+info:
+  name: Poseidon Group Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects Poseidon Group Malware
+  reference:
+    - https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Poseidon_Group.yar
+  tags: malware
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'"
+      - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'"
+      - "sha256(raw) == '432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61'"
+      - "sha256(raw) == '8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47'"
+      - "sha256(raw) == 'd090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f'"
+      - "sha256(raw) == 'd7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb'"
+      - "sha256(raw) == 'ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3'"
+    condition: or

file/malware/hash/powerstar-malware-hash.yaml

@@ -1,6 +1,6 @@
-id: powerstar-malware
+id: powerstar-malware-hash
 info:
-  name: PowerStar Malware - Detect
+  name: PowerStar Malware Hash - Detect
   author: pussycat0x
   severity: info
   description: Detects the batch script used to persist PowerStar via Startup.

file/malware/hash/purplewave-malware-hash.yaml

@@ -0,0 +1,27 @@
+id: purplewave-malware-hash
+info:
+  name: PurpleWave v1.0 Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference:
+    - https://twitter.com/3xp0rtblog/status/1289125217751781376
+    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PurpleWave.yar
+tags: malware,apt,purplewave
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'"
+      - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'"
+      - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'"
+      - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'"
+      - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'"
+      - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'"
+      - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'"
+      - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'"
+      - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'"
+    condition: or

file/malware/hash/red-leaves-malware-hash.yaml

@@ -0,0 +1,21 @@
+id: red-leaves-malware-hash
+info:
+  name: Red Leaves Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Red Leaves malware, related to APT10
+  reference:
+    - https://www.virustotal.com/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_RedLeaves.yar
+  tags: malware,apt,red-leaves
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'"
+

file/malware/hash/regeorg-webshell-hash.yaml

@@ -1,6 +1,6 @@
-id: regeorg-webshel
+id: regeorg-webshell-hash
 info:
-  name: ReGeorg Webshell - Detect
+  name: ReGeorg Webshell Hash - Detect
   author: pussycat0x
   severity: info
   description: Detects the reGeorg webshells' JSP version.

file/malware/hash/revil-ransomware-hash.yaml

@@ -0,0 +1,22 @@
+id: revil-ransomware-hash
+info:
+  name: Revil Ransomware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description:
+    Detect Revil Ransomware. 
+  reference:
+    - https://angle.ankura.com/post/102hcny/revix-linux-ransomware
+    - https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Revix.yar
+tags: ransomware,malware
+
+file:
+  extensions:
+    - all
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'"
+      - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'"
+      - "sha256(raw) == 'ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4'"
+    condition: or

file/malware/hash/rokrat-malware-hash.yaml

@@ -0,0 +1,20 @@
+id: rokrat-malware-hash
+info:
+  name: ROKRAT Loader Malware Hash- Detect
+  author: pussycat0x
+  severity: info  
+  description: |
+    Designed to catch loader observed used with ROKRAT malware
+  reference:
+    - https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_DPRK_ROKRAT.yar
+  tags: malware,taudprkapt
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'"

file/malware/hash/rokrat-malware.yaml

@@ -1,22 +0,0 @@
-id: rokrat-malware
-info:
-  name: Rokrat Malware - Detect
-  author: pussycat0x
-  severity: info
-  description: Ruby loader seen loading the ROKRAT malware family.
-  reference:
-    - https://github.com/volexity/threat-intel/blob/main/2021/2021-08-24%20-%20InkySquid%20Part%202/indicators/yara.yar
-  tags: malware,inkysquid
-
-file:
-  - extensions:
-      - all
-
-    matchers:
-      - type: dsl
-        dsl:
-          - "sha256(raw) == '5bc52f6c1c0d0131cee30b4f192ce738ad70bcb56e84180f464a5125d1a784b2'"
-          - "sha256(raw) == '80269413be6ad51b8b19631b2f5559c9572842e789bbce031babe6e879d2e120'"
-          - "sha256(raw) == '6a452d088d60113f623b852f33f8f9acf0d4197af29781f889613fed38f57855'"
-          - "sha256(raw) == '85cd5c3bb028fe6931130ccd5d0b0c535c01ce2bcda660a3b72581a1a5382904'"
-        condition: or

file/malware/hash/sauron-malware-hash.yaml

@@ -0,0 +1,26 @@
+id: sauron-malware-hash
+info:
+  name: Sauron Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects malware from Project Sauron APT
+  reference:
+    - https://goo.gl/eFoP4A
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sauron_extras.yar
+  tags: malware,apt,sauron
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'"
+      - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'"
+      - "sha256(raw) == 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec'"
+      - "sha256(raw) == 'e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57'"
+      - "sha256(raw) == '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8'"
+      - "sha256(raw) == '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca'"
+      - "sha256(raw) == '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd'"
+    condition: or

file/malware/hash/seaduke-malware-hash.yaml

@@ -0,0 +1,19 @@
+id: seaduke-malware-hash
+info:
+  name: SeaDuke Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference: |
+    http://goo.gl/MJ0c2M
+    https://github.com/Yara-Rules/rules/blob/master/malware/APT_Seaduke.yar
+  tags: malware,seaduke
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'"
+

file/malware/hash/sfx1-malware-hash.yaml

@@ -0,0 +1,21 @@
+id: sfx1-malware-hash
+info:
+  name: Malicious SFX1 Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: SFX with voicemail content
+  reference:
+    - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar
+  tags: malware,sfx1
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'"
+      - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'"
+    condition: or

file/malware/hash/sfxrar-acrotray-malware-hash.yaml

@@ -0,0 +1,21 @@
+id: sfxrar-acrotray-malware-hash
+info:
+  name: SFXRAR Acrotray Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference:
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Cloudduke.yar
+    - https://www.f-secure.com/weblog/archives/00002822.html
+  tags: malware,apt,sfx
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'"
+      - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'"
+      - "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'"
+    condition: or

file/malware/hash/sharpext-malware-hash.yaml

@@ -1,6 +1,6 @@
-id: sharpext-malware
+id: sharpext-malware-hash
 info:
-  name: Sharpext Malware - Detect
+  name: Sharpext Malware Hash - Detect
   author: pussycat0x
   severity: info
   description: A malicious Chrome browser extension used by the SharpTongue threat actor to steal mail data from a victim.

file/malware/hash/sofacy-Winexe-malware-hash.yaml

@@ -0,0 +1,20 @@
+id: sofacy-Winexe-malware-hash
+info:
+  name: Sofacy Group Winexe Tool Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Winexe tool used by Sofacy group in Bundestag APT.
+  reference: |
+    - http://dokumente.linksfraktion.de/inhalt/report-orig.pdf
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Bundestag.yar
+  tags: malware,sofacy
+
+file:
+  extensions:
+    - exe
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'"

file/malware/hash/sofacy-bundestag-malware-hash.yaml

@@ -0,0 +1,22 @@
+id: sofacy-bundestag-malware-hash
+info:
+  name: Sofacy Group Malware - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Sofacy Malware - German Bundestag
+  reference: |
+    - http://dokumente.linksfraktion.de/inhalt/report-orig.pdf
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Bundestag.yar
+  tags: malware,sofacy
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'"
+      - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'"
+    condition: or  

file/malware/hash/sofacy-fybis-malware-hash.yaml

@@ -0,0 +1,21 @@
+id: sofacy-fybis-malware-hash
+info:
+  name: Sofacy Fybis Linux Backdoor Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference: |
+    - http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Fysbis.yar
+  tags: malware,sofacy
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'"
+      - "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'"
+      - "sha256(raw) == 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61'"
+    condition: or

file/malware/hash/tidepool-malware-hash.yaml

@@ -0,0 +1,24 @@
+id: tidepool-malware-hash
+info:
+  name: TidePool Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks
+  reference:
+    - http://goo.gl/m2CXWR
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Ke3Chang_TidePool.yar
+  tags: malware,tidepool
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'"
+      - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'"
+      - "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'"
+      - "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'"
+    condition: or

file/malware/hash/turla-malware-hash.yaml

@@ -0,0 +1,29 @@
+id: turla-malware-hash
+info:
+  name: Turla APT Malware - Detect
+  author: pussycat0x
+  severity: info  
+  description: Detects Turla malware based on sample used in the RUAG APT case
+  reference: |
+    https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
+    https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_RUAG.yar
+  tags: malware,turla,apt,ruag
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'"
+      - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'"
+      - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'"
+      - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'"
+      - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'"
+      - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'"
+      - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'"
+      - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'"
+      - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'"
+      - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'"
+    condition: or

file/malware/hash/unit78020-malware-hash.yaml

@@ -0,0 +1,26 @@
+id: unit78020-malware-hash
+info:
+  name: Unit 78020 Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects malware by Chinese APT PLA Unit 78020 - Generic Rule
+  reference: |
+    http://threatconnect.com/camerashy/?utm_campaign=CameraShy
+    https://github.com/Yara-Rules/rules/blob/master/malware/APT_Unit78020.yar
+  tags: malware,unit78020
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'"
+      - "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'"
+      - "sha256(raw) == '2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac'"
+      - "sha256(raw) == '5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2'"
+      - "sha256(raw) == '7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af'"
+      - "sha256(raw) == '88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790'"
+    condition: or

file/malware/hash/wildneutron-malware-hash.yaml

@@ -0,0 +1,31 @@
+id: wildneutron-malware-hash
+info:
+  name: WildNeutron APT Sample Hash - Detect
+  author: pussycat0x
+  severity: info  
+  description: |
+    Wild Neutron APT Sample Rule based on file hash
+  reference: |
+    - https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_WildNeutron.yar
+  tags: malware,wildneutron,apt
+
+file:
+  extensions:
+    - all
+
+  matchers:
+    type: dsl
+    dsl:
+      - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
+      - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"
+      - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'"
+      - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'"
+      - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'"
+      - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'"
+      - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
+      - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'"
+      - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'"
+      - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
+      - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'"
+    condition: or