From 99d2fc0f6574258d70152aea4958e4f4a64a62f0 Mon Sep 17 00:00:00 2001 
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Thu, 20 Jun 2024 18:08:35 +0530 Subject: [PATCH] update --- .../hash/anthem-deeppanda-malware-hash.yaml | 14 ++--- .../hash/blackenergy-driver-amdide-hash.yaml | 24 ++++---- .../hash/blackenergy-driver-malware-hash.yaml | 26 ++++---- .../hash/bluetermite-emdivi-malware-hash.yaml | 40 ++++++------- .../hash/bluetermite-emdivi-sfx-hash.yaml | 14 ++--- .../hash/cheshirecat-malware-hash.yaml | 18 +++--- file/malware/hash/cloudduke-malware-hash.yaml | 40 ++++++------- file/malware/hash/codoso-gh0st-malware.yaml | 18 +++--- file/malware/hash/codoso-malware-hash.yaml | 22 +++---- .../malware/hash/codoso-pgv-malware-hash.yaml | 18 ++++-- .../hash/codoso-plugx-malware-hash.yaml | 18 +++--- file/malware/hash/dubnium-malware-hash.yaml | 58 +++++++++--------- .../hash/dubnium-sshopenssl-malware-hash.yaml | 22 +++---- file/malware/hash/emissary-malware-hash.yaml | 36 +++++------ file/malware/hash/fakem-malware-hash.yaml | 33 +++++----- file/malware/hash/furtim-malware-hash.yaml | 14 ++--- file/malware/hash/greenbug-malware-hash.yaml | 34 +++++------ .../hash/industroyer-malware-hash.yaml | 28 ++++----- .../hash/ironPanda-htran-malware-hash.yaml | 10 ++-- .../ironpanda-dnstunclient-malware-hash.yaml | 10 ++-- file/malware/hash/ironpanda-malware-hash.yaml | 18 +++--- file/malware/hash/locky-ransomware-hash.yaml | 10 ++-- .../minidionis-readerview-malware-hash.yaml | 22 +++---- .../hash/minidionis-vbs-malware-hash.yaml | 10 ++-- .../malware/hash/naikon-apt-malware-hash.yaml | 14 ++--- file/malware/hash/neuron2-malware-hash.yaml | 14 ++--- file/malware/hash/oilrig-malware-hash.yaml | 60 +++++++++---------- .../hash/passcv-ntscan-malware-hash.yaml | 10 ++-- .../hash/passcv-sabre-malware-hash.yaml | 28 ++++----- .../hash/passcv-signingcert-malware-hash.yaml | 10 ++-- file/malware/hash/petya-ransomware-hash.yaml | 8 +-- .../poseidongroup-maldoc-malware-hash.yaml | 26 ++++---- .../hash/poseidongroup-malware-hash.yaml 
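Review bot: `extensions:` is rewritten as a list item (`- extensions:`) under `file:` while `matchers:` is left as an unchanged context line, so its indentation is whatever it was before; if it is still a sibling of the old `extensions:` key rather than nested inside the new list item, the YAML parser will reject a mapping key at the same level as a sequence entry. Please confirm the final layout has both `extensions:` and `matchers:` inside the one `file:` list item, since leading whitespace is not visible in this rendering. The same applies to every other template in this patch where `matchers:` is carried over as context (all but fakem-malware-hash.yaml, which adds the key). The `info:` block of anthem-deeppanda-malware-hash.yaml starts outside the hunk.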
| 24 ++++---- .../malware/hash/purplewave-malware-hash.yaml | 28 ++++----- .../malware/hash/red-leaves-malware-hash.yaml | 10 ++-- file/malware/hash/revil-ransomware-hash.yaml | 17 +++--- file/malware/hash/rokrat-malware-hash.yaml | 8 +-- file/malware/hash/sauron-malware-hash.yaml | 24 ++++---- file/malware/hash/seaduke-malware-hash.yaml | 10 ++-- file/malware/hash/sfx1-malware-hash.yaml | 14 ++--- .../hash/sfxrar-acrotray-malware-hash.yaml | 16 ++--- .../hash/sofacy-Winexe-malware-hash.yaml | 10 ++-- .../hash/sofacy-bundestag-malware-hash.yaml | 14 ++--- .../hash/sofacy-fybis-malware-hash.yaml | 16 ++--- file/malware/hash/tidepool-malware-hash.yaml | 18 +++--- file/malware/hash/turla-malware-hash.yaml | 30 +++++----- file/malware/hash/unit78020-malware-hash.yaml | 22 +++---- .../hash/wildneutron-malware-hash.yaml | 32 +++++----- 48 files changed, 516 insertions(+), 504 deletions(-) diff --git a/file/malware/hash/anthem-deeppanda-malware-hash.yaml b/file/malware/hash/anthem-deeppanda-malware-hash.yaml index bda4cb8072..d3ade4ee2c 100644 --- a/file/malware/hash/anthem-deeppanda-malware-hash.yaml +++ b/file/malware/hash/anthem-deeppanda-malware-hash.yaml @@ -10,12 +10,12 @@ info: tags: malware,deeppanda file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'" - - "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'" + - "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'" + condition: or diff --git a/file/malware/hash/blackenergy-driver-amdide-hash.yaml b/file/malware/hash/blackenergy-driver-amdide-hash.yaml index 1416dfb755..0bdfde5343 100644 --- a/file/malware/hash/blackenergy-driver-amdide-hash.yaml +++ b/file/malware/hash/blackenergy-driver-amdide-hash.yaml 
@@ -8,17 +8,17 @@ info: tag: malware,blackenergy file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'" - - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'" - - "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'" - - "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'" - - "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'" - - "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'" - - "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'" + - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'" + - "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'" + - "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'" + - "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'" + - "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'" + - "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'" + condition: or diff --git a/file/malware/hash/blackenergy-driver-malware-hash.yaml b/file/malware/hash/blackenergy-driver-malware-hash.yaml index 7f3f98507e..ba0cc65e80 100644 --- a/file/malware/hash/blackenergy-driver-malware-hash.yaml +++ b/file/malware/hash/blackenergy-driver-malware-hash.yaml 
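Review bot: The context line `tag: malware,blackenergy` in blackenergy-driver-amdide-hash.yaml uses the key `tag`, while every other template in this patch uses `tags` (for example `tags: malware,blackenergy` in blackenergy-driver-malware-hash.yaml), so this template is unlikely to be reachable by tag-based selection. Since the commit is already reworking this file's `file:` block, fix the key in the same change: `tags: malware,blackenergy`. The `info:` block starts outside the hunk.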
@@ -9,18 +9,18 @@ info: tags: malware,blackenergy file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'" - - "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'" - - "sha256(raw) == 'edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281'" - - "sha256(raw) == 'ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc'" - - "sha256(raw) == '7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291'" - - "sha256(raw) == '405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5'" - - "sha256(raw) == '244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5'" - - "sha256(raw) == 'edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'" + - "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'" + - "sha256(raw) == 'edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281'" + - "sha256(raw) == 'ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc'" + - "sha256(raw) == '7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291'" + - "sha256(raw) == '405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5'" + - "sha256(raw) == '244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5'" + - "sha256(raw) == 'edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf'" + condition: or diff --git a/file/malware/hash/bluetermite-emdivi-malware-hash.yaml b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml index 040782d212..964d0dc509 100644 --- a/file/malware/hash/bluetermite-emdivi-malware-hash.yaml +++ b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml 
@@ -9,25 +9,25 @@ info: tags: malware,bluetermite file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" - - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" - - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" - - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" - - "sha256(raw) == '9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1'" - - "sha256(raw) == 'a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012'" - - "sha256(raw) == '9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4'" - - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" - - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" - - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" - - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" - - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" - - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" - - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" - - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" - condition: or \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" + - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" + - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" + - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" + - "sha256(raw) == '9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1'" + - "sha256(raw) == 
'a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012'" + - "sha256(raw) == '9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4'" + - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" + - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" + - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" + - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" + - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" + - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" + - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" + - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml index 05e5bb88e2..22a895caa0 100644 --- a/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml +++ b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml @@ -9,12 +9,12 @@ info: tags: malware,bluetermite file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'" - - "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'" + - "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'" + condition: or diff --git a/file/malware/hash/cheshirecat-malware-hash.yaml b/file/malware/hash/cheshirecat-malware-hash.yaml index 351a05e2fb..f1e02e0ecc 100644 --- a/file/malware/hash/cheshirecat-malware-hash.yaml +++ b/file/malware/hash/cheshirecat-malware-hash.yaml 
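Review bot: The rewritten `dsl` list in bluetermite-emdivi-malware-hash.yaml still carries duplicate entries — `008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e`, `17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24`, `3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1`, `6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662`, `90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86` and `a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d` each appear twice — so the list is twice as long as the set of indicators it encodes and harder to audit against its references. Every line is being rewritten anyway, so dedupe here. The same applies to cloudduke-malware-hash.yaml (`97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7` three times), codoso-plugx-malware-hash.yaml (`74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3` three times), dubnium-malware-hash.yaml and greenbug-malware-hash.yaml.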
@@ -9,14 +9,14 @@ info: tags: malware,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'" - - "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'" - - "sha256(raw) == '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb'" - - "sha256(raw) == 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'" + - "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'" + - "sha256(raw) == '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb'" + - "sha256(raw) == 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532'" + condition: or diff --git a/file/malware/hash/cloudduke-malware-hash.yaml b/file/malware/hash/cloudduke-malware-hash.yaml index 5d753b6036..3b155c5fbf 100644 --- a/file/malware/hash/cloudduke-malware-hash.yaml +++ b/file/malware/hash/cloudduke-malware-hash.yaml 
@@ -9,25 +9,25 @@ info: tags: malware,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" - - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" - - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" - - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" - - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" - - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" - - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" - - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" - - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" - - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" - condition: or \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" + - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" + - "sha256(raw) == 
'88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" + - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" + - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" + - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" + - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" + - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" + - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" + - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/codoso-gh0st-malware.yaml b/file/malware/hash/codoso-gh0st-malware.yaml index 51dbbc7495..39268274b4 100644 --- a/file/malware/hash/codoso-gh0st-malware.yaml +++ b/file/malware/hash/codoso-gh0st-malware.yaml 
@@ -9,14 +9,14 @@ info: tags: malware,apt,codoso file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'" - - "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'" - - "sha256(raw) == '7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8'" - - "sha256(raw) == 'd7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'" + - "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'" + - "sha256(raw) == '7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8'" + - "sha256(raw) == 'd7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297'" + condition: or diff --git a/file/malware/hash/codoso-malware-hash.yaml b/file/malware/hash/codoso-malware-hash.yaml index 4486e11cce..53e46b086d 100644 --- a/file/malware/hash/codoso-malware-hash.yaml +++ b/file/malware/hash/codoso-malware-hash.yaml 
@@ -11,16 +11,16 @@ info: tags: malware,apt,codoso file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'" - - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'" - - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'" - - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'" - - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'" - - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'" + - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'" + - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'" + - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'" + - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'" + - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'" + condition: or diff --git a/file/malware/hash/codoso-pgv-malware-hash.yaml b/file/malware/hash/codoso-pgv-malware-hash.yaml index dad250bf30..c6612ab3fd 100644 --- a/file/malware/hash/codoso-pgv-malware-hash.yaml +++ b/file/malware/hash/codoso-pgv-malware-hash.yaml 
@@ -4,21 +4,31 @@ info: author: pussycat0x severity: info description: | - Detects Codoso APT PGV_PVID Malware - reference: + Detects Codoso APT PGV_PVID Malware. + reference: - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar tags: malware,apt,codoso file: - extensions: + - extensions: - all matchers: +<<<<<<< HEAD + - type: dsl + dsl: + - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" + - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'" + - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'" + - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" + condition: or +======= type: dsl dsl: - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'" - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'" - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" - condition: or \ No newline at end of file + condition: or +>>>>>>> 687b9c6e63b39e715ed31005f70c97b54fd44c8e diff --git a/file/malware/hash/codoso-plugx-malware-hash.yaml b/file/malware/hash/codoso-plugx-malware-hash.yaml index f0884b566b..272333b851 100644 --- a/file/malware/hash/codoso-plugx-malware-hash.yaml +++ b/file/malware/hash/codoso-plugx-malware-hash.yaml 
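Review bot: The new side of codoso-pgv-malware-hash.yaml commits unresolved merge-conflict markers — `<<<<<<< HEAD`, `=======` and `>>>>>>> 687b9c6e63b39e715ed31005f70c97b54fd44c8e` — into the template, so the file will not parse, and the pre-conflict `type: dsl` mapping form is left in place after `=======` alongside the new `- type: dsl` list form. Resolve it by keeping only the list-form block and deleting the three marker lines and the old block. `- extensions:` is converted to a list item but `- all` under it stays an unchanged context line, so check that it is still nested beneath the new item. The hash `4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f` is also listed twice; one entry suffices.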
@@ -11,14 +11,14 @@ info: tags: malware,apt,codoso file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" - - "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'" - - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" - - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" + - "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'" + - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" + - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" + condition: or diff --git a/file/malware/hash/dubnium-malware-hash.yaml b/file/malware/hash/dubnium-malware-hash.yaml index fdfa9dcd68..5d8aa8e443 100644 --- a/file/malware/hash/dubnium-malware-hash.yaml +++ b/file/malware/hash/dubnium-malware-hash.yaml 
@@ -10,34 +10,34 @@ info: tags: malware,dubnium file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" - - "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'" - - "sha256(raw) == 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5'" - - "sha256(raw) == 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827'" - - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" - - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" - - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" - - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" - - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" - - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'" - - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" - - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" - - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" - - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" - - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" - - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'" - - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" - - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" - - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" - - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" - - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" - - "sha256(raw) == 
'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" - - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" - - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" + - "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'" + - "sha256(raw) == 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5'" + - "sha256(raw) == 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827'" + - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" + - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" + - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" + - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" + - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" + - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'" + - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" + - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" + - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" + - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" + - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" + - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'" + - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" + - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" + - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" + - "sha256(raw) == 
'5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" + - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" + - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" + - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" + - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" + condition: or diff --git a/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml index 05606c7e0f..46a7dcfde6 100644 --- a/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml +++ b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml @@ -10,16 +10,16 @@ info: tags: malware,Dubnium,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" - - "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" - - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" - - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" - - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" - - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" + - "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" + - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" + - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" + - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" + - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" + condition: or 
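Review bot: Two of the rewritten `dsl` entries in dubnium-sshopenssl-malware-hash.yaml compare against 63-character strings — `6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b` and `feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8` — which `sha256(raw)` (64 hex digits) can never equal, so those two conditions are dead. dubnium-malware-hash.yaml in this same patch lists `16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b` and `1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8`, which suggests the leading digit was dropped here; verify against the source reference before restoring. greenbug-malware-hash.yaml has the same defect with `319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6` (63 characters). A template-lint check that every `sha256(raw) == '…'` literal matches `^[0-9a-f]{64}$` would catch this class of error before merge; the tag casing `malware,Dubnium,apt` versus `malware,dubnium` in the sibling template is also worth normalizing while the file is open.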
diff --git a/file/malware/hash/emissary-malware-hash.yaml b/file/malware/hash/emissary-malware-hash.yaml index dd2cdda30a..49a012292b 100644 --- a/file/malware/hash/emissary-malware-hash.yaml +++ b/file/malware/hash/emissary-malware-hash.yaml 
@@ -10,23 +10,23 @@ info: tags: malware,emissary,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'" - - "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'" - - "sha256(raw) == '0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290'" - - "sha256(raw) == '69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664'" - - "sha256(raw) == '675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc'" - - "sha256(raw) == 'e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b'" - - "sha256(raw) == 'a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8'" - - "sha256(raw) == 'acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9'" - - "sha256(raw) == 'e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d'" - - "sha256(raw) == 'e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538'" - - "sha256(raw) == '29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051'" - - "sha256(raw) == '98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0'" - - "sha256(raw) == 'fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'" + - "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'" + - "sha256(raw) == '0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290'" + - "sha256(raw) == '69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664'" + - "sha256(raw) == '675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc'" + - "sha256(raw) == 'e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b'" + - "sha256(raw) == 'a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8'" + - "sha256(raw) == 
'acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9'" + - "sha256(raw) == 'e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d'" + - "sha256(raw) == 'e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538'" + - "sha256(raw) == '29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051'" + - "sha256(raw) == '98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0'" + - "sha256(raw) == 'fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb'" + condition: or diff --git a/file/malware/hash/fakem-malware-hash.yaml b/file/malware/hash/fakem-malware-hash.yaml index 7c544868af..85f755b7af 100644 --- a/file/malware/hash/fakem-malware-hash.yaml +++ b/file/malware/hash/fakem-malware-hash.yaml 
@@ -11,20 +11,21 @@ info: tags: malware,apt,fakem file: - extensions: - - all + - extensions: + - all + matchers: - type: dsl - dsl: - - "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'" - - "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'" - - "sha256(raw) == '53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60'" - - "sha256(raw) == '4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3'" - - "sha256(raw) == '7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8'" - - "sha256(raw) == '12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d'" - - "sha256(raw) == '9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5'" - - "sha256(raw) == '3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90'" - - "sha256(raw) == '41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33'" - - "sha256(raw) == '53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e'" - - "sha256(raw) == '523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'" + - "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'" + - "sha256(raw) == '53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60'" + - "sha256(raw) == '4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3'" + - "sha256(raw) == '7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8'" + - "sha256(raw) == '12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d'" + - "sha256(raw) == '9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5'" + - "sha256(raw) == '3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90'" + - "sha256(raw) == '41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33'" + - "sha256(raw) == 
'53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e'" + - "sha256(raw) == '523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b'" + condition: or diff --git a/file/malware/hash/furtim-malware-hash.yaml b/file/malware/hash/furtim-malware-hash.yaml index 0b4455f568..599006f431 100644 --- a/file/malware/hash/furtim-malware-hash.yaml +++ b/file/malware/hash/furtim-malware-hash.yaml @@ -11,12 +11,12 @@ info: tags: malware,apt,furtim file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'" - - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'" + - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'" + condition: or diff --git a/file/malware/hash/greenbug-malware-hash.yaml b/file/malware/hash/greenbug-malware-hash.yaml index 10ba934f94..292f206408 100644 --- a/file/malware/hash/greenbug-malware-hash.yaml +++ b/file/malware/hash/greenbug-malware-hash.yaml 
@@ -11,22 +11,22 @@ info: tags: malware,Greenbug file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'" - - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'" - - "sha256(raw) == '21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685'" - - "sha256(raw) == '319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'" - - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'" - - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'" - - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'" - - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'" - - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'" - - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'" - - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'" - - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'" - condition: or \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'" + - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'" + - "sha256(raw) == '21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685'" + - "sha256(raw) == '319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'" + - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'" + - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'" + - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'" + - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'" + - "sha256(raw) == 
'308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'" + - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'" + - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'" + - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/industroyer-malware-hash.yaml b/file/malware/hash/industroyer-malware-hash.yaml index 9a4ccf54db..c66c5d3756 100644 --- a/file/malware/hash/industroyer-malware-hash.yaml +++ b/file/malware/hash/industroyer-malware-hash.yaml 
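Review bot: The hash `319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6` carried onto the new side of the greenbug hunk is only 63 hex characters, so `sha256(raw) == '…'` can never be true for it and that indicator is dead; it should be checked against the original report and corrected or dropped. Four hashes (`308a646f…`, `44bdf526…`, `7f16824e…`, `82beaef4…`) also appear twice in the rewritten list, which adds nothing under `condition: or` and should be deduplicated. Both issues predate this commit, but since it rewrites every line of the list this is the natural place to fix them.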
@@ -10,19 +10,19 @@ info: tags: malware,industroyer,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'" - - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'" - - "sha256(raw) == '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571'" - - "sha256(raw) == '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4'" - - "sha256(raw) == 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77'" - - "sha256(raw) == '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47'" - - "sha256(raw) == '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f'" - - "sha256(raw) == '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561'" - - "sha256(raw) == '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'" + - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'" + - "sha256(raw) == '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571'" + - "sha256(raw) == '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4'" + - "sha256(raw) == 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77'" + - "sha256(raw) == '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47'" + - "sha256(raw) == '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f'" + - "sha256(raw) == '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561'" + - "sha256(raw) == '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad'" + condition: or diff --git a/file/malware/hash/ironPanda-htran-malware-hash.yaml b/file/malware/hash/ironPanda-htran-malware-hash.yaml index 3a237e8ca3..be3cbf2f79 100644 --- a/file/malware/hash/ironPanda-htran-malware-hash.yaml 
+++ b/file/malware/hash/ironPanda-htran-malware-hash.yaml @@ -11,10 +11,10 @@ info: tags: malware,ironpanda file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'" \ No newline at end of file diff --git a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml index 696a548481..cf23adaea5 100644 --- a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml +++ b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml @@ -11,10 +11,10 @@ info: tags: malware,ironpanda file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'" \ No newline at end of file diff --git a/file/malware/hash/ironpanda-malware-hash.yaml b/file/malware/hash/ironpanda-malware-hash.yaml index 241e17b3cd..2cd5242c76 100644 --- a/file/malware/hash/ironpanda-malware-hash.yaml +++ b/file/malware/hash/ironpanda-malware-hash.yaml 
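Review bot: The rewritten final line of this hunk still carries `\ No newline at end of file` on the new side, and the same holds for ironpanda-dnstunclient, locky, passcv-signingcert, red-leaves, rokrat, seaduke and the multi-hash greenbug and sfxrar-acrotray hunks. Since the commit already replaces each of those lines, terminating them with a newline now would bring them in line with the rest of the templates in the patch and avoid a later whitespace-only follow-up.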
@@ -9,14 +9,14 @@ info: tags: malware,IronPanda file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'" - - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'" - - "sha256(raw) == '5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742'" - - "sha256(raw) == '0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'" + - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'" + - "sha256(raw) == '5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742'" + - "sha256(raw) == '0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c'" + condition: or diff --git a/file/malware/hash/locky-ransomware-hash.yaml b/file/malware/hash/locky-ransomware-hash.yaml index 0e90f1e79e..bd15b7ff67 100644 --- a/file/malware/hash/locky-ransomware-hash.yaml +++ b/file/malware/hash/locky-ransomware-hash.yaml @@ -11,10 +11,10 @@ info: tags: ransomware,malware file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'" \ No newline at end of file diff --git a/file/malware/hash/minidionis-readerview-malware-hash.yaml b/file/malware/hash/minidionis-readerview-malware-hash.yaml index 1a03e309bc..49d3c5925f 100644 --- a/file/malware/hash/minidionis-readerview-malware-hash.yaml +++ b/file/malware/hash/minidionis-readerview-malware-hash.yaml 
@@ -11,16 +11,16 @@ info: tags: malware,minidionis file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" - - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" - - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" - - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" + - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" + - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" + - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" + condition: or diff --git a/file/malware/hash/minidionis-vbs-malware-hash.yaml b/file/malware/hash/minidionis-vbs-malware-hash.yaml index 833c4a0c82..1c4a0c6d05 100644 --- a/file/malware/hash/minidionis-vbs-malware-hash.yaml +++ b/file/malware/hash/minidionis-vbs-malware-hash.yaml @@ -10,10 +10,10 @@ info: tags: malware,minidionis file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'" + - type: dsl + dsl: + - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'" diff --git a/file/malware/hash/naikon-apt-malware-hash.yaml b/file/malware/hash/naikon-apt-malware-hash.yaml index 7e7011d5b1..ddb8f9177a 100644 
--- a/file/malware/hash/naikon-apt-malware-hash.yaml +++ b/file/malware/hash/naikon-apt-malware-hash.yaml @@ -8,12 +8,12 @@ info: tags: malware,naikon file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'" - - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'" + - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'" + condition: or diff --git a/file/malware/hash/neuron2-malware-hash.yaml b/file/malware/hash/neuron2-malware-hash.yaml index d90848501f..bed555af53 100644 --- a/file/malware/hash/neuron2-malware-hash.yaml +++ b/file/malware/hash/neuron2-malware-hash.yaml @@ -9,12 +9,12 @@ info: tags: malware,turla,neuron2,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'" - - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'" + - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'" + condition: or diff --git a/file/malware/hash/oilrig-malware-hash.yaml b/file/malware/hash/oilrig-malware-hash.yaml index 62bf87eb9c..cbd6353198 100644 --- a/file/malware/hash/oilrig-malware-hash.yaml +++ b/file/malware/hash/oilrig-malware-hash.yaml 
@@ -11,35 +11,35 @@ info: tags: malware,oilrig,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'" - - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'" - - "sha256(raw) == '662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f'" - - "sha256(raw) == '903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996'" - - "sha256(raw) == 'c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da'" - - "sha256(raw) == '57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4'" - - "sha256(raw) == '1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1'" - - "sha256(raw) == '9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777'" - - "sha256(raw) == '0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e'" - - "sha256(raw) == '4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281'" - - "sha256(raw) == '4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353'" - - "sha256(raw) == 'c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51'" - - "sha256(raw) == 'f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2'" - - "sha256(raw) == '0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39'" - - "sha256(raw) == 'd874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d'" - - "sha256(raw) == '8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9'" - - "sha256(raw) == '55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579'" - - "sha256(raw) == '528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b'" - - "sha256(raw) == '93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0'" - - "sha256(raw) == 'e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa'" - - "sha256(raw) == '9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471'" - - "sha256(raw) == 
'a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064'" - - "sha256(raw) == '3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff'" - - "sha256(raw) == '3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4'" - - "sha256(raw) == 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'" + - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'" + - "sha256(raw) == '662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f'" + - "sha256(raw) == '903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996'" + - "sha256(raw) == 'c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da'" + - "sha256(raw) == '57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4'" + - "sha256(raw) == '1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1'" + - "sha256(raw) == '9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777'" + - "sha256(raw) == '0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e'" + - "sha256(raw) == '4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281'" + - "sha256(raw) == '4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353'" + - "sha256(raw) == 'c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51'" + - "sha256(raw) == 'f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2'" + - "sha256(raw) == '0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39'" + - "sha256(raw) == 'd874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d'" + - "sha256(raw) == '8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9'" + - "sha256(raw) == '55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579'" + - "sha256(raw) == '528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b'" + - "sha256(raw) == 
'93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0'" + - "sha256(raw) == 'e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa'" + - "sha256(raw) == '9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471'" + - "sha256(raw) == 'a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064'" + - "sha256(raw) == '3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff'" + - "sha256(raw) == '3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4'" + - "sha256(raw) == 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e'" + condition: or diff --git a/file/malware/hash/passcv-ntscan-malware-hash.yaml b/file/malware/hash/passcv-ntscan-malware-hash.yaml index 3a03868558..9fbb090bde 100644 --- a/file/malware/hash/passcv-ntscan-malware-hash.yaml +++ b/file/malware/hash/passcv-ntscan-malware-hash.yaml @@ -10,10 +10,10 @@ info: tags: malware,passcv file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'" + - type: dsl + dsl: + - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'" diff --git a/file/malware/hash/passcv-sabre-malware-hash.yaml b/file/malware/hash/passcv-sabre-malware-hash.yaml index f3baf97e41..9a3a004ed8 100644 --- a/file/malware/hash/passcv-sabre-malware-hash.yaml +++ b/file/malware/hash/passcv-sabre-malware-hash.yaml 
@@ -11,19 +11,19 @@ info: tags: malware,passcv file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'" - - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'" - - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'" - - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'" - - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'" - - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'" - - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'" - - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'" - - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'" + - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'" + - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'" + - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'" + - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'" + - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'" + - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'" + - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'" + - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'" + condition: or diff --git a/file/malware/hash/passcv-signingcert-malware-hash.yaml b/file/malware/hash/passcv-signingcert-malware-hash.yaml index d2f38966aa..29dd4de59e 100644 --- a/file/malware/hash/passcv-signingcert-malware-hash.yaml 
+++ b/file/malware/hash/passcv-signingcert-malware-hash.yaml @@ -11,10 +11,10 @@ info: tags: malware,passcv file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'" \ No newline at end of file diff --git a/file/malware/hash/petya-ransomware-hash.yaml b/file/malware/hash/petya-ransomware-hash.yaml index a4ced71871..c365c43943 100644 --- a/file/malware/hash/petya-ransomware-hash.yaml +++ b/file/malware/hash/petya-ransomware-hash.yaml @@ -10,10 +10,10 @@ info: tags: ransomware,malware file: - extensions: + - extensions: - all matchers: - type: dsl - dsl: - - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'" + - type: dsl + dsl: + - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'" diff --git a/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml index 8f0f4d8467..218921c76b 100644 --- a/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml +++ b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml 
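Review bot: In the petya hunk `- all` is left as an unchanged context line while `extensions:` becomes `- extensions:`, so its indentation stays whatever the old file had; every other hunk in this patch re-indents `- all` beneath the new key, and rokrat has the same omission. A block sequence at the same column as its key is valid YAML, so this probably still parses, but I cannot verify the column from the collapsed whitespace here, and re-indenting `- all` as in the sibling templates would keep the set uniform.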
@@ -10,18 +10,18 @@ info: tags: malware,poseidon file: - extensions: - - doc - - docx + - extensions: + - doc + - docx matchers: - type: dsl - dsl: - - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'" - - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'" - - "sha256(raw) == 'f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a'" - - "sha256(raw) == 'ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed'" - - "sha256(raw) == '27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778'" - - "sha256(raw) == '1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216'" - - "sha256(raw) == '0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'" + - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'" + - "sha256(raw) == 'f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a'" + - "sha256(raw) == 'ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed'" + - "sha256(raw) == '27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778'" + - "sha256(raw) == '1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216'" + - "sha256(raw) == '0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b'" + condition: or diff --git a/file/malware/hash/poseidongroup-malware-hash.yaml b/file/malware/hash/poseidongroup-malware-hash.yaml index 8a13db558d..c35c402241 100644 --- a/file/malware/hash/poseidongroup-malware-hash.yaml +++ b/file/malware/hash/poseidongroup-malware-hash.yaml 
@@ -10,17 +10,17 @@ info: tags: malware file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'" - - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'" - - "sha256(raw) == '432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61'" - - "sha256(raw) == '8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47'" - - "sha256(raw) == 'd090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f'" - - "sha256(raw) == 'd7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb'" - - "sha256(raw) == 'ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'" + - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'" + - "sha256(raw) == '432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61'" + - "sha256(raw) == '8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47'" + - "sha256(raw) == 'd090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f'" + - "sha256(raw) == 'd7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb'" + - "sha256(raw) == 'ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3'" + condition: or diff --git a/file/malware/hash/purplewave-malware-hash.yaml b/file/malware/hash/purplewave-malware-hash.yaml index 8492e1a9c7..6ee8e00cd5 100644 --- a/file/malware/hash/purplewave-malware-hash.yaml +++ b/file/malware/hash/purplewave-malware-hash.yaml 
@@ -9,19 +9,19 @@ info: tags: malware,apt,purplewave file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'" - - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'" - - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'" - - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'" - - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'" - - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'" - - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'" - - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'" - - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'" + - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'" + - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'" + - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'" + - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'" + - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'" + - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'" + - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'" + - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'" + condition: or diff --git a/file/malware/hash/red-leaves-malware-hash.yaml b/file/malware/hash/red-leaves-malware-hash.yaml index 06a4716156..6a5eef6859 100644 --- a/file/malware/hash/red-leaves-malware-hash.yaml 
+++ b/file/malware/hash/red-leaves-malware-hash.yaml @@ -11,10 +11,10 @@ info: tags: malware,apt,red-leaves file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'" \ No newline at end of file diff --git a/file/malware/hash/revil-ransomware-hash.yaml b/file/malware/hash/revil-ransomware-hash.yaml index 61adf28cd9..2e441956a5 100644 --- a/file/malware/hash/revil-ransomware-hash.yaml +++ b/file/malware/hash/revil-ransomware-hash.yaml @@ -11,12 +11,13 @@ info: tags: ransomware,malware file: - extensions: - - all + - extensions: + - all + matchers: - type: dsl - dsl: - - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'" - - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'" - - "sha256(raw) == 'ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'" + - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'" + - "sha256(raw) == 'ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4'" + condition: or diff --git a/file/malware/hash/rokrat-malware-hash.yaml b/file/malware/hash/rokrat-malware-hash.yaml index e87b5e645e..f28b8b56a2 100644 --- a/file/malware/hash/rokrat-malware-hash.yaml +++ b/file/malware/hash/rokrat-malware-hash.yaml 
@@ -11,10 +11,10 @@ info: tags: malware,taudprkapt file: - extensions: + - extensions: - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'" \ No newline at end of file diff --git a/file/malware/hash/sauron-malware-hash.yaml b/file/malware/hash/sauron-malware-hash.yaml index 971ab64786..5f5b46eeb3 100644 --- a/file/malware/hash/sauron-malware-hash.yaml +++ b/file/malware/hash/sauron-malware-hash.yaml 
@@ -10,17 +10,17 @@ info: tags: malware,apt,sauron file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'" - - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'" - - "sha256(raw) == 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec'" - - "sha256(raw) == 'e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57'" - - "sha256(raw) == '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8'" - - "sha256(raw) == '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca'" - - "sha256(raw) == '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'" + - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'" + - "sha256(raw) == 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec'" + - "sha256(raw) == 'e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57'" + - "sha256(raw) == '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8'" + - "sha256(raw) == '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca'" + - "sha256(raw) == '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd'" + condition: or diff --git a/file/malware/hash/seaduke-malware-hash.yaml b/file/malware/hash/seaduke-malware-hash.yaml index 42ed6c7871..4b7f2f119e 100644 --- a/file/malware/hash/seaduke-malware-hash.yaml +++ b/file/malware/hash/seaduke-malware-hash.yaml 
@@ -9,10 +9,10 @@ info: tags: malware,seaduke file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'" \ No newline at end of file diff --git a/file/malware/hash/sfx1-malware-hash.yaml b/file/malware/hash/sfx1-malware-hash.yaml index 7158918abc..c763fff943 100644 --- a/file/malware/hash/sfx1-malware-hash.yaml +++ b/file/malware/hash/sfx1-malware-hash.yaml @@ -10,12 +10,12 @@ info: tags: malware,sfx1 file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'" - - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'" + - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'" + condition: or diff --git a/file/malware/hash/sfxrar-acrotray-malware-hash.yaml b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml index ea95e45d7a..c0d5f62dd4 100644 --- a/file/malware/hash/sfxrar-acrotray-malware-hash.yaml +++ b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml 
@@ -9,13 +9,13 @@ info: tags: malware,apt,sfx file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'" - - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'" - - "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'" - condition: or \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'" + - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'" + - "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/sofacy-Winexe-malware-hash.yaml b/file/malware/hash/sofacy-Winexe-malware-hash.yaml index 90dd6d8329..0306f2f9de 100644 --- a/file/malware/hash/sofacy-Winexe-malware-hash.yaml +++ b/file/malware/hash/sofacy-Winexe-malware-hash.yaml @@ -11,10 +11,10 @@ info: tags: malware,sofacy file: - extensions: - - exe + - extensions: + - exe matchers: - type: dsl - dsl: - - "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'" + - type: dsl + dsl: + - "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'" diff --git a/file/malware/hash/sofacy-bundestag-malware-hash.yaml b/file/malware/hash/sofacy-bundestag-malware-hash.yaml index 7d27e960c4..40d4c6ae20 100644 --- a/file/malware/hash/sofacy-bundestag-malware-hash.yaml +++ b/file/malware/hash/sofacy-bundestag-malware-hash.yaml 
@@ -11,12 +11,12 @@ info:
 tags: malware,sofacy
 file:
- extensions:
- - all
+ - extensions:
+ - all
 matchers:
- type: dsl
- dsl:
- - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'"
- - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'"
- condition: or
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'"
+ - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'"
+ condition: or
diff --git a/file/malware/hash/sofacy-fybis-malware-hash.yaml b/file/malware/hash/sofacy-fybis-malware-hash.yaml
index a285d60b0c..bce5e40be5 100644
--- a/file/malware/hash/sofacy-fybis-malware-hash.yaml
+++ b/file/malware/hash/sofacy-fybis-malware-hash.yaml
@@ -9,13 +9,13 @@ info:
 tags: malware,sofacy
 file:
- extensions:
- - all
+ - extensions:
+ - all
 matchers:
- type: dsl
- dsl:
- - "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'"
- - "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'"
- - "sha256(raw) == 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61'"
- condition: or
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'"
+ - "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'"
+ - "sha256(raw) == 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61'"
+ condition: or
diff --git a/file/malware/hash/tidepool-malware-hash.yaml b/file/malware/hash/tidepool-malware-hash.yaml
index 7346f6a7a4..8cf1c20e7f 100644
--- a/file/malware/hash/tidepool-malware-hash.yaml
+++ b/file/malware/hash/tidepool-malware-hash.yaml
@@ -11,14 +11,14 @@ info:
 tags: malware,tidepool
 file:
- extensions:
- - all
+ - extensions:
+ - all
 matchers:
- type: dsl
- dsl:
- - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'"
- - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'"
- - "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'"
- - "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'"
- condition: or
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'"
+ - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'"
+ - "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'"
+ - "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'"
+ condition: or
diff --git a/file/malware/hash/turla-malware-hash.yaml b/file/malware/hash/turla-malware-hash.yaml
index de64dd35bc..831b2188c4 100644
--- a/file/malware/hash/turla-malware-hash.yaml
+++ b/file/malware/hash/turla-malware-hash.yaml
@@ -10,20 +10,20 @@ info:
 tags: malware,turla,apt,ruag
 file:
- extensions:
- - all
+ - extensions:
+ - all
 matchers:
- type: dsl
- dsl:
- - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'"
- - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'"
- - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'"
- - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'"
- - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'"
- - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'"
- - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'"
- - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'"
- - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'"
- - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'"
- condition: or
\ No newline at end of file
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'"
+ - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'"
+ - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'"
+ - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'"
+ - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'"
+ - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'"
+ - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'"
+ - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'"
+ - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'"
+ - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/unit78020-malware-hash.yaml b/file/malware/hash/unit78020-malware-hash.yaml
index 3f1812b208..a380d5a7d9 100644
--- a/file/malware/hash/unit78020-malware-hash.yaml
+++ b/file/malware/hash/unit78020-malware-hash.yaml
@@ -11,16 +11,16 @@ info:
 tags: malware,unit78020
 file:
- extensions:
- - all
+ - extensions:
+ - all
 matchers:
- type: dsl
- dsl:
- - "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'"
- - "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'"
- - "sha256(raw) == '2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac'"
- - "sha256(raw) == '5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2'"
- - "sha256(raw) == '7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af'"
- - "sha256(raw) == '88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790'"
- condition: or
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'"
+ - "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'"
+ - "sha256(raw) == '2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac'"
+ - "sha256(raw) == '5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2'"
+ - "sha256(raw) == '7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af'"
+ - "sha256(raw) == '88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790'"
+ condition: or
diff --git a/file/malware/hash/wildneutron-malware-hash.yaml b/file/malware/hash/wildneutron-malware-hash.yaml
index 1c1a5cfd67..ef44dc7f11 100644
--- a/file/malware/hash/wildneutron-malware-hash.yaml
+++ b/file/malware/hash/wildneutron-malware-hash.yaml
@@ -11,21 +11,21 @@ info:
 tags: malware,wildneutron,apt
 file:
- extensions:
- - all
+ - extensions:
+ - all
 matchers:
- type: dsl
- dsl:
- - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
- - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"
- - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'"
- - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'"
- - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'"
- - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'"
- - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
- - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'"
- - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'"
- - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
- - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'"
- condition: or
\ No newline at end of file
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
+ - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"
+ - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'"
+ - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'"
+ - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'"
+ - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'"
+ - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
+ - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'"
+ - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'"
+ - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
+ - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'"
+ condition: or
\ No newline at end of file
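Review bot: The re-indented `dsl` list in wildneutron-malware-hash.yaml carries the same indicator twice: `758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92` is both the 7th and the 10th `sha256(raw) ==` entry on the new side, and the commit reproduces the duplicate rather than fixing it. Under `condition: or` the second copy changes nothing functionally, but it inflates the rule and may mean a different hash was intended in that slot. I would either delete the second `- "sha256(raw) == '758e6b519f6c…'"` line or replace it with the intended value after checking it against the original indicator list for this template. The other hunks in this chunk (sfx1 through unit78020) list each hash once, so the issue appears limited to this file.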