update

2024-06-20 18:08:35 +05:30 · 2024-06-20 18:08:35 +05:30 · 99d2fc0f65
parent 0c5631b963
commit 99d2fc0f65
48 changed files with 516 additions and 504 deletions
--- a/file/malware/hash/anthem-deeppanda-malware-hash.yaml
+++ b/file/malware/hash/anthem-deeppanda-malware-hash.yaml
@ -10,11 +10,11 @@ info:
  tags: malware,deeppanda

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'"
        - "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'"
--- a/file/malware/hash/blackenergy-driver-amdide-hash.yaml
+++ b/file/malware/hash/blackenergy-driver-amdide-hash.yaml
@ -8,11 +8,11 @@ info:
  tag: malware,blackenergy

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'"
        - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'"
--- a/file/malware/hash/blackenergy-driver-malware-hash.yaml
+++ b/file/malware/hash/blackenergy-driver-malware-hash.yaml
@ -9,11 +9,11 @@ info:
  tags: malware,blackenergy

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'"
        - "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'"
--- a/file/malware/hash/bluetermite-emdivi-malware-hash.yaml
+++ b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml
@ -9,11 +9,11 @@ info:
  tags: malware,bluetermite

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'"
        - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'"
--- a/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml
+++ b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml
@ -9,11 +9,11 @@ info:
  tags: malware,bluetermite

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'"
        - "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'"
--- a/file/malware/hash/cheshirecat-malware-hash.yaml
+++ b/file/malware/hash/cheshirecat-malware-hash.yaml
@ -9,11 +9,11 @@ info:
  tags: malware,apt

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'"
        - "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'"
--- a/file/malware/hash/cloudduke-malware-hash.yaml
+++ b/file/malware/hash/cloudduke-malware-hash.yaml
@ -9,11 +9,11 @@ info:
  tags: malware,apt

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
        - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
--- a/file/malware/hash/codoso-gh0st-malware.yaml
+++ b/file/malware/hash/codoso-gh0st-malware.yaml
@ -9,11 +9,11 @@ info:
  tags: malware,apt,codoso

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'"
        - "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'"
--- a/file/malware/hash/codoso-malware-hash.yaml
+++ b/file/malware/hash/codoso-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,apt,codoso

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'"
        - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'"
--- a/file/malware/hash/codoso-pgv-malware-hash.yaml
+++ b/file/malware/hash/codoso-pgv-malware-hash.yaml
@ -4,17 +4,26 @@ info:
  author: pussycat0x
  severity: info
  description: |
-    Detects Codoso APT PGV_PVID Malware
+    Detects Codoso APT PGV_PVID Malware.
  reference:
    - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
  tags: malware,apt,codoso

 file:
-  extensions:
+  - extensions:
    - all

  matchers:
+<<<<<<< HEAD
+    - type: dsl
+      dsl:
+        - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
+        - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'"
+        - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'"
+        - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
+      condition: or
+=======
    type: dsl
    dsl:
      - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
@ -22,3 +31,4 @@ file:
      - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'"
      - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
    condition: or
+>>>>>>> 687b9c6e63b39e715ed31005f70c97b54fd44c8e
--- a/file/malware/hash/codoso-plugx-malware-hash.yaml
+++ b/file/malware/hash/codoso-plugx-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,apt,codoso

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
        - "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'"
--- a/file/malware/hash/dubnium-malware-hash.yaml
+++ b/file/malware/hash/dubnium-malware-hash.yaml
@ -10,11 +10,11 @@ info:
  tags: malware,dubnium

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
        - "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'"
--- a/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml
+++ b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml
@ -10,11 +10,11 @@ info:
  tags: malware,Dubnium,apt

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
        - "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
--- a/file/malware/hash/emissary-malware-hash.yaml
+++ b/file/malware/hash/emissary-malware-hash.yaml
@ -10,11 +10,11 @@ info:
  tags: malware,emissary,apt

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'"
        - "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'"
--- a/file/malware/hash/fakem-malware-hash.yaml
+++ b/file/malware/hash/fakem-malware-hash.yaml
@ -11,10 +11,11 @@ info:
  tags: malware,apt,fakem

 file:
-  extensions:
+  - extensions:
      - all
+
  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'"
        - "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'"
--- a/file/malware/hash/furtim-malware-hash.yaml
+++ b/file/malware/hash/furtim-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,apt,furtim

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'"
        - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'"
--- a/file/malware/hash/greenbug-malware-hash.yaml
+++ b/file/malware/hash/greenbug-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,Greenbug

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'"
        - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'"
--- a/file/malware/hash/industroyer-malware-hash.yaml
+++ b/file/malware/hash/industroyer-malware-hash.yaml
@ -10,11 +10,11 @@ info:
  tags: malware,industroyer,apt

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'"
        - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'"
--- a/file/malware/hash/ironPanda-htran-malware-hash.yaml
+++ b/file/malware/hash/ironPanda-htran-malware-hash.yaml
@ -11,10 +11,10 @@ info:
  tags: malware,ironpanda

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'"
--- a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml
+++ b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml
@ -11,10 +11,10 @@ info:
  tags: malware,ironpanda

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'"
--- a/file/malware/hash/ironpanda-malware-hash.yaml
+++ b/file/malware/hash/ironpanda-malware-hash.yaml
@ -9,11 +9,11 @@ info:
  tags: malware,IronPanda

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'"
        - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'"
--- a/file/malware/hash/locky-ransomware-hash.yaml
+++ b/file/malware/hash/locky-ransomware-hash.yaml
@ -11,10 +11,10 @@ info:
  tags: ransomware,malware

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'"
--- a/file/malware/hash/minidionis-readerview-malware-hash.yaml
+++ b/file/malware/hash/minidionis-readerview-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,minidionis

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
        - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
--- a/file/malware/hash/minidionis-vbs-malware-hash.yaml
+++ b/file/malware/hash/minidionis-vbs-malware-hash.yaml
@ -10,10 +10,10 @@ info:
  tags: malware,minidionis

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'"
--- a/file/malware/hash/naikon-apt-malware-hash.yaml
+++ b/file/malware/hash/naikon-apt-malware-hash.yaml
@ -8,11 +8,11 @@ info:
 tags: malware,naikon

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'"
        - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'"
--- a/file/malware/hash/neuron2-malware-hash.yaml
+++ b/file/malware/hash/neuron2-malware-hash.yaml
@ -9,11 +9,11 @@ info:
  tags: malware,turla,neuron2,apt

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'"
        - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'"
--- a/file/malware/hash/oilrig-malware-hash.yaml
+++ b/file/malware/hash/oilrig-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,oilrig,apt

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'"
        - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'"
--- a/file/malware/hash/passcv-ntscan-malware-hash.yaml
+++ b/file/malware/hash/passcv-ntscan-malware-hash.yaml
@ -10,10 +10,10 @@ info:
  tags: malware,passcv

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'"
--- a/file/malware/hash/passcv-sabre-malware-hash.yaml
+++ b/file/malware/hash/passcv-sabre-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,passcv

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'"
        - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'"
--- a/file/malware/hash/passcv-signingcert-malware-hash.yaml
+++ b/file/malware/hash/passcv-signingcert-malware-hash.yaml
@ -11,10 +11,10 @@ info:
  tags: malware,passcv

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'"
--- a/file/malware/hash/petya-ransomware-hash.yaml
+++ b/file/malware/hash/petya-ransomware-hash.yaml
@ -10,10 +10,10 @@ info:
 tags: ransomware,malware

 file:
-  extensions:
+  - extensions:
    - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'"
--- a/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml
+++ b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml
@ -10,12 +10,12 @@ info:
  tags: malware,poseidon

 file:
-  extensions:
+  - extensions:
      - doc
      - docx

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'"
        - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'"
--- a/file/malware/hash/poseidongroup-malware-hash.yaml
+++ b/file/malware/hash/poseidongroup-malware-hash.yaml
@ -10,11 +10,11 @@ info:
  tags: malware

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'"
        - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'"
--- a/file/malware/hash/purplewave-malware-hash.yaml
+++ b/file/malware/hash/purplewave-malware-hash.yaml
@ -9,11 +9,11 @@ info:
 tags: malware,apt,purplewave

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'"
        - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'"
--- a/file/malware/hash/red-leaves-malware-hash.yaml
+++ b/file/malware/hash/red-leaves-malware-hash.yaml
@ -11,10 +11,10 @@ info:
  tags: malware,apt,red-leaves

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'"
--- a/file/malware/hash/revil-ransomware-hash.yaml
+++ b/file/malware/hash/revil-ransomware-hash.yaml
@ -11,10 +11,11 @@ info:
 tags: ransomware,malware

 file:
-  extensions:
+  - extensions:
      - all
+
  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'"
        - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'"
--- a/file/malware/hash/rokrat-malware-hash.yaml
+++ b/file/malware/hash/rokrat-malware-hash.yaml
@ -11,10 +11,10 @@ info:
  tags: malware,taudprkapt

 file:
-  extensions:
+  - extensions:
    - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'"
--- a/file/malware/hash/sauron-malware-hash.yaml
+++ b/file/malware/hash/sauron-malware-hash.yaml
@ -10,11 +10,11 @@ info:
  tags: malware,apt,sauron

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'"
        - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'"
--- a/file/malware/hash/seaduke-malware-hash.yaml
+++ b/file/malware/hash/seaduke-malware-hash.yaml
@ -9,10 +9,10 @@ info:
  tags: malware,seaduke

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'"
--- a/file/malware/hash/sfx1-malware-hash.yaml
+++ b/file/malware/hash/sfx1-malware-hash.yaml
@ -10,11 +10,11 @@ info:
  tags: malware,sfx1

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'"
        - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'"
--- a/file/malware/hash/sfxrar-acrotray-malware-hash.yaml
+++ b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml
@ -9,11 +9,11 @@ info:
  tags: malware,apt,sfx

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'"
        - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'"
--- a/file/malware/hash/sofacy-Winexe-malware-hash.yaml
+++ b/file/malware/hash/sofacy-Winexe-malware-hash.yaml
@ -11,10 +11,10 @@ info:
  tags: malware,sofacy

 file:
-  extensions:
+  - extensions:
      - exe

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'"
--- a/file/malware/hash/sofacy-bundestag-malware-hash.yaml
+++ b/file/malware/hash/sofacy-bundestag-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,sofacy

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'"
        - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'"
--- a/file/malware/hash/sofacy-fybis-malware-hash.yaml
+++ b/file/malware/hash/sofacy-fybis-malware-hash.yaml
@ -9,11 +9,11 @@ info:
  tags: malware,sofacy

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'"
        - "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'"
--- a/file/malware/hash/tidepool-malware-hash.yaml
+++ b/file/malware/hash/tidepool-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,tidepool

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'"
        - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'"
--- a/file/malware/hash/turla-malware-hash.yaml
+++ b/file/malware/hash/turla-malware-hash.yaml
@ -10,11 +10,11 @@ info:
  tags: malware,turla,apt,ruag

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'"
        - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'"
--- a/file/malware/hash/unit78020-malware-hash.yaml
+++ b/file/malware/hash/unit78020-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,unit78020

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'"
        - "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'"
--- a/file/malware/hash/wildneutron-malware-hash.yaml
+++ b/file/malware/hash/wildneutron-malware-hash.yaml
@ -11,11 +11,11 @@ info:
  tags: malware,wildneutron,apt

 file:
-  extensions:
+  - extensions:
      - all

  matchers:
-    type: dsl
+    - type: dsl
      dsl:
        - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
        - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"