diff --git a/file/malware/hash/anthem-deeppanda-malware-hash.yaml b/file/malware/hash/anthem-deeppanda-malware-hash.yaml
new file mode 100644
index 0000000000..8c9bf630b8
--- /dev/null
+++ b/file/malware/hash/anthem-deeppanda-malware-hash.yaml
@@ -0,0 +1,21 @@
+id: anthem-deeppanda-malware-hash
+info:
+ name: Anthem DeepPanda Trojan Kakfum Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll
+ reference:
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_DeepPanda_Anthem.yar
+ tags: malware,deeppanda
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'"
+ - "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'"
+ condition: or
diff --git a/file/malware/hash/applejeus-malware-hash.yaml b/file/malware/hash/applejeus-malware-hash.yaml
new file mode 100644
index 0000000000..264e79f7ca
--- /dev/null
+++ b/file/malware/hash/applejeus-malware-hash.yaml
@@ -0,0 +1,23 @@
+id: applejeus-malware-hash
+info:
+ name: AppleJeus Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects AppleJeus DLL samples
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2022/2022-12-01%20Buyer%20Beware%20-%20Fake%20Cryptocurrency%20Applications%20Serving%20as%20Front%20for%20AppleJeus%20Malware/yara.yar
+ tags: malware,lazarus
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '82e67114d632795edf29ce1d50a4c1c444846d9e16cd121ce26e63c8dc4a1629'"
+ - "sha256(raw) == '9352625b3e6a3c998e328e11ad43efb5602fe669aed9c9388af5f55fadfedc78'"
+ - "sha256(raw) == 'a0db8f8f13a27df1eacbc01505f311f6b14cf9b84fbc7e84cb764a13f001dbbb'"
+ - "sha256(raw) == 'a241b6611afba8bb1de69044115483adb74f66ab4a80f7423e13c652422cb379'"
+ - "sha256(raw) == '17e6189c19dedea678969e042c64de2a51dd9fba69ff521571d63fd92e48601b'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/avburner-malware-hash.yaml b/file/malware/hash/avburner-malware-hash.yaml
new file mode 100644
index 0000000000..eb752d4cc3
--- /dev/null
+++ b/file/malware/hash/avburner-malware-hash.yaml
@@ -0,0 +1,18 @@
+id: avburner-malware-hash
+info:
+ name: AVBurner Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects AVBurner based on a combination of API calls used, hard-coded strings, and bytecode patterns
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2023/2023-03-07%20AVBurner/yara.yar
+ tags: malware,snakecharmer
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '4b1b1a1293ccd2c0fd51075de9376ebb55ab64972da785153fcb0a4eb523a5eb'"
\ No newline at end of file
diff --git a/file/malware/hash/backwash-malware-hash.yaml b/file/malware/hash/backwash-malware-hash.yaml
new file mode 100644
index 0000000000..9e998264cf
--- /dev/null
+++ b/file/malware/hash/backwash-malware-hash.yaml
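Review bot: The file ends without a final newline (`\ No newline at end of file` follows `condition: or`), and the same is true of avburner, backwash, blackenergy-killdisk, blackenergy-ssh, bluelight, bluetermite-emdivi, charmingcypress, cloudduke, codoso-pgv, disgomoji, emissary, flipflop, gimmick and godzilla in this commit, while the other new templates do end with one. Add the trailing newline to each so the set is consistent and yamllint's `new-line-at-end-of-file` check passes.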
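Review bot: The line `description: Detects AVBurner based on a combination of API calls used, hard-coded strings, and bytecode patterns` describes the referenced YARA rule, not this template, whose only matcher is a single `sha256(raw)` equality; someone reading scan output will assume heuristic coverage the template does not provide. The disgomoji template (L14, `Detects DISGOMOJI modules based on strings in the ELF.`) has the same mismatch. Reword both to what the matcher actually does, e.g. `description: Detects a known AVBurner sample by SHA-256 hash; see the referenced Volexity YARA rule for heuristic coverage`.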
@@ -0,0 +1,28 @@
+id: backwash-malware-hash
+info:
+ name: Backwash Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ CPP loader for the Backwash malware.
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2021/2021-12-06%20-%20XEGroup/indicators/yara.yar
+ - https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/
+ tags: malware,xegroup
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '0cf93de64aa4dba6cec99aa5989fc9c5049bc46ca5f3cb327b49d62f3646a852'"
+ - "sha256(raw) == '21683e02e11c166d0cf616ff9a1a4405598db7f4adfc87b205082ae94f83c742'"
+ - "sha256(raw) == '6f44a9c13459533a1f3e0b0e698820611a18113c851f763797090b8be64fd9d5'"
+ - "sha256(raw) == '92f9593cfa0a28951cae36755d54de63631377f1b954a4cb0474fa0b6193c537'"
+ - "sha256(raw) == '815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f'"
+ - "sha256(raw) == '72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911'"
+ - "sha256(raw) == '4d913ecb91bf32fd828d2153342f5462ae6b84c1a5f256107efc88747f7ba16c'"
+ - "sha256(raw) == '98e39573a3d355d7fdf3439d9418fdbf4e42c2e03051b5313d5c84f3df485627'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/blackenergy-driver-amdide-hash.yaml b/file/malware/hash/blackenergy-driver-amdide-hash.yaml
new file mode 100644
index 0000000000..dc80570888
--- /dev/null
+++ b/file/malware/hash/blackenergy-driver-amdide-hash.yaml
@@ -0,0 +1,26 @@
+id: blackenergy-driver-amdide-hash
+info:
+ name: Blackenergy-Driver Amdide Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects the AMDIDE driver from BlackEnergy malware
+ reference:
+ - http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
+ tag: malware,blackenergy
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'"
+ - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'"
+ - "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'"
+ - "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'"
+ - "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'"
+ - "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'"
+ - "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'"
+ condition: or
diff --git a/file/malware/hash/blackenergy-driver-malware-hash.yaml b/file/malware/hash/blackenergy-driver-malware-hash.yaml
new file mode 100644
index 0000000000..716ed3a42c
--- /dev/null
+++ b/file/malware/hash/blackenergy-driver-malware-hash.yaml
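Review bot: `tag: malware,blackenergy` uses the key `tag`, whereas every other template in this commit uses `tags`; as written the template carries no tags, so tag-based selection (for example running only `blackenergy` templates) will silently skip it, and the template validator is likely to flag the unknown key. Change the line to `tags: malware,blackenergy`. The reference is also the plain-`http://` form of the same WeLiveSecurity article cited by the usbmdm sibling in the next hunk; consider using `https://` in both.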
@@ -0,0 +1,26 @@
+id: blackenergy-driver-malware-hash
+info:
+ name: BlackEnergy Driver USBMDM Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Auto-generated rule - detects BlackEnergy Driver USBMDM malware
+ reference:
+ - http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry
+ tags: malware,blackenergy
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'"
+ - "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'"
+ - "sha256(raw) == 'edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281'"
+ - "sha256(raw) == 'ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc'"
+ - "sha256(raw) == '7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291'"
+ - "sha256(raw) == '405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5'"
+ - "sha256(raw) == '244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5'"
+ - "sha256(raw) == 'edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf'"
+ condition: or
diff --git a/file/malware/hash/blackenergy-killdisk-malware-hash.yaml b/file/malware/hash/blackenergy-killdisk-malware-hash.yaml
new file mode 100644
index 0000000000..65d90a1035
--- /dev/null
+++ b/file/malware/hash/blackenergy-killdisk-malware-hash.yaml
@@ -0,0 +1,22 @@
+id: blackenergy-killdisk-malware-hash
+info:
+ name: BlackEnergy KillDisk Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects KillDisk malware from BlackEnergy
+ reference:
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
+ tags: malware,blackenergy
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80'"
+ - "sha256(raw) == '5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6'"
+ - "sha256(raw) == 'c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d'"
+ - "sha256(raw) == 'f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/blackenergy-ssh-malware-hash.yaml b/file/malware/hash/blackenergy-ssh-malware-hash.yaml
new file mode 100644
index 0000000000..3e0f76619f
--- /dev/null
+++ b/file/malware/hash/blackenergy-ssh-malware-hash.yaml
@@ -0,0 +1,18 @@
+id: blackenergy-ssh-malware-hash
+info:
+ name: BlackEnergy BackdoorPass DropBear SSH Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects the password of the backdoored DropBear SSH Server - BlackEnergy
+ reference:
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
+ tags: malware,blackenergy
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd'"
\ No newline at end of file
diff --git a/file/malware/hash/blackenergy-vbs-malware-hash.yaml b/file/malware/hash/blackenergy-vbs-malware-hash.yaml
new file mode 100644
index 0000000000..56f011ddb6
--- /dev/null
+++ b/file/malware/hash/blackenergy-vbs-malware-hash.yaml
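Review bot: `description: Detects the password of the backdoored DropBear SSH Server - BlackEnergy` is the purpose of the YARA rule it was copied from, not of this template, whose single `sha256(raw)` comparison identifies one known sample and cannot detect a password. The same hash `0969daac…a161cd` is also listed in blackenergy-vbs-malware-hash.yaml in the next hunk, so one matching file will fire two templates with different names; either drop it from one list or word both descriptions so the overlap is clearly intentional. Suggested wording here: `description: Detects a known backdoored DropBear SSH server sample from the BlackEnergy campaign by SHA-256 hash`.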
@@ -0,0 +1,20 @@
+id: blackenergy-vbs-malware-hash
+info:
+ name: BlackEnergy VBS Agent Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs
+ reference:
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
+ tags: malware,blackenergy
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f'"
+ - "sha256(raw) == '0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd'"
+ condition: or
diff --git a/file/malware/hash/bluelight-malware-hash.yaml b/file/malware/hash/bluelight-malware-hash.yaml
new file mode 100644
index 0000000000..2dca1ca113
--- /dev/null
+++ b/file/malware/hash/bluelight-malware-hash.yaml
@@ -0,0 +1,21 @@
+id: bluelight-malware-hash
+info:
+ name: bluelight Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: North Korean origin malware which uses a custom Google App for C2 communications.
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2021/2021-08-17%20-%20InkySquid%20Part%201/indicators/yara.yar
+ tags: malware,inkysquid
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed'"
+ - "sha256(raw) == '7c40019c1d4cef2ffdd1dd8f388aaba537440b1bffee41789c900122d075a86d'"
+ - "sha256(raw) == '94b71ee0861cc7cfbbae53ad2e411a76f296fd5684edf6b25ebe79bf6a2a600a'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/bluetermite-emdivi-malware-hash.yaml b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml
new file mode 100644
index 0000000000..3b2faa0675
--- /dev/null
+++ b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml
@@ -0,0 +1,33 @@
+id: bluetermite-emdivi-malware-hash
+info:
+ name: Bluetermite Emdivi Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Bluetermite_Emdivi.yar
+ - https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/
+ tags: malware,bluetermite
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'"
+ - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'"
+ - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'"
+ - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'"
+ - "sha256(raw) == '9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1'"
+ - "sha256(raw) == 'a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012'"
+ - "sha256(raw) == '9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4'"
+ - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'"
+ - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'"
+ - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'"
+ - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'"
+ - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'"
+ - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'"
+ - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'"
+ - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml
new file mode 100644
index 0000000000..3f28f778d6
--- /dev/null
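Review bot: Six of the fifteen `sha256(raw) ==` entries are exact repeats — `008f4f14…`, `17e646ca…`, `3553c136…`, `6a331c4e…`, `90d07ea2…` and `a94bf485…` each appear twice — so only nine distinct hashes are covered while every scanned file pays for fifteen comparisons, and the list is harder to audit against the referenced YARA source. The same duplication is present in cloudduke (L11), codoso-pgv (L13), codoso-plugx (L14, one hash listed three times), dubnium (L15–L16) and evilbamboo (L18). Deduplicate each `dsl` list before merging; keeping the entries sorted would also make future duplicates obvious in review.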
+++ b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml
@@ -0,0 +1,20 @@
+id: bluetermite-emdivi-sfx-hash
+info:
+ name: Bluetermite Emdivi SFX Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Bluetermite_Emdivi.yar
+ tags: malware,bluetermite
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'"
+ - "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'"
+ condition: or
diff --git a/file/malware/hash/charmingcypress-malware-hash.yaml b/file/malware/hash/charmingcypress-malware-hash.yaml
new file mode 100644
index 0000000000..954f146f87
--- /dev/null
+++ b/file/malware/hash/charmingcypress-malware-hash.yaml
@@ -0,0 +1,17 @@
+id: charmingcypress-malware-hash
+info:
+ name: CharmingCypress Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2024/2024-02-13%20CharmingCypress/rules.yar
+ tags: malware,cypress
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'fdc5d6caaaa4fb14e62bd42544e8bb8e9b02220e687d5936a6838a7115334c51'"
\ No newline at end of file
diff --git a/file/malware/hash/cheshirecat-malware-hash.yaml b/file/malware/hash/cheshirecat-malware-hash.yaml
new file mode 100644
index 0000000000..8d519923bf
--- /dev/null
+++ b/file/malware/hash/cheshirecat-malware-hash.yaml
@@ -0,0 +1,22 @@
+id: cheshirecat-malware-hash
+info:
+ name: CheshireCat Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_CheshireCat.yar
+ tags: malware,apt
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'"
+ - "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'"
+ - "sha256(raw) == '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb'"
+ - "sha256(raw) == 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532'"
+ condition: or
diff --git a/file/malware/hash/cloudduke-malware-hash.yaml b/file/malware/hash/cloudduke-malware-hash.yaml
new file mode 100644
index 0000000000..63cd486b98
--- /dev/null
+++ b/file/malware/hash/cloudduke-malware-hash.yaml
@@ -0,0 +1,33 @@
+id: cloudduke-malware-hash
+info:
+ name: CloudDuke Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://www.f-secure.com/weblog/archives/00002822.html
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Cloudduke.yar
+ tags: malware,apt
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+ - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
+ - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'"
+ - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+ - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'"
+ - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
+ - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
+ - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+ - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
+ - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
+ - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
+ - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
+ - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
+ - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
+ - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/codoso-gh0st-malware.yaml b/file/malware/hash/codoso-gh0st-malware.yaml
new file mode 100644
index 0000000000..161737bc43
--- /dev/null
+++ b/file/malware/hash/codoso-gh0st-malware.yaml
@@ -0,0 +1,22 @@
+id: codoso-gh0st-malware
+info:
+ name: Codoso APT Gh0st Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+ tags: malware,apt,codoso
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'"
+ - "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'"
+ - "sha256(raw) == '7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8'"
+ - "sha256(raw) == 'd7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297'"
+ condition: or
diff --git a/file/malware/hash/codoso-malware-hash.yaml b/file/malware/hash/codoso-malware-hash.yaml
new file mode 100644
index 0000000000..c3def1f955
--- /dev/null
+++ b/file/malware/hash/codoso-malware-hash.yaml
@@ -0,0 +1,26 @@
+id: codoso-malware-hash
+info:
+ name: Codoso APT Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Codoso APT Malware.
+ reference:
+ - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+ tags: malware,apt,codoso
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'"
+ - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'"
+ - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'"
+ - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'"
+ - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'"
+ - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'"
+ condition: or
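Review bot: The file is `codoso-gh0st-malware.yaml` with `id: codoso-gh0st-malware`, but every other template added under `file/malware/hash/` in this commit — including the two codoso siblings — carries a `-hash` suffix; rename the file to `codoso-gh0st-malware-hash.yaml` and set `id: codoso-gh0st-malware-hash` so id and filename stay aligned with the directory convention. This template also has no `description`, as is the case for bluetermite-emdivi, bluetermite-emdivi-sfx, charmingcypress, cheshirecat and cloudduke; a one-liner such as `description: Detects known Codoso APT Gh0st samples by SHA-256 hash` would make the scan output self-explanatory.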
diff --git a/file/malware/hash/codoso-pgv-malware-hash.yaml b/file/malware/hash/codoso-pgv-malware-hash.yaml
new file mode 100644
index 0000000000..f94d77ca43
--- /dev/null
+++ b/file/malware/hash/codoso-pgv-malware-hash.yaml
@@ -0,0 +1,24 @@
+id: codoso-pgv-malware-hash
+info:
+ name: Codoso APT PGV_PVID Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Codoso APT PGV_PVID Malware.
+ reference:
+ - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+ tags: malware,apt,codoso
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
+ - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'"
+ - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'"
+ - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/codoso-plugx-malware-hash.yaml b/file/malware/hash/codoso-plugx-malware-hash.yaml
new file mode 100644
index 0000000000..4eb060ec8b
--- /dev/null
+++ b/file/malware/hash/codoso-plugx-malware-hash.yaml
@@ -0,0 +1,24 @@
+id: codoso-plugx-malware-hash
+info:
+ name: Codoso APT PlugX Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Codoso APT PlugX Malware.
+ reference:
+ - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+ tags: malware,apt,codoso
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+ - "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'"
+ - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+ - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+ condition: or
diff --git a/file/malware/hash/disgomoji-malware-hash.yaml b/file/malware/hash/disgomoji-malware-hash.yaml
new file mode 100644
index 0000000000..13236031c7
--- /dev/null
+++ b/file/malware/hash/disgomoji-malware-hash.yaml
@@ -0,0 +1,18 @@
+id: disgomoji-malware-hash
+info:
+ name: DISGOMOJI Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects DISGOMOJI modules based on strings in the ELF.
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2024/2024-06-13%20DISGOMOJI/indicators/rules.yar
+ tags: malware,disgomoji
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '2abaae4f6794131108adf5b42e09ee5ce24769431a0e154feabe6052cfe70bf3'"
\ No newline at end of file
diff --git a/file/malware/hash/dubnium-malware-hash.yaml b/file/malware/hash/dubnium-malware-hash.yaml
new file mode 100644
index 0000000000..716cea49e8
--- /dev/null
+++ b/file/malware/hash/dubnium-malware-hash.yaml
@@ -0,0 +1,44 @@
+id: dubnium-malware-hash
+info:
+ name: Dubnium Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects sample mentioned in the Dubnium Report
+ reference:
+ - https://goo.gl/AW9Cuu
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Dubnium.yar
+ tags: malware,dubnium
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'"
+ - "sha256(raw) == 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5'"
+ - "sha256(raw) == 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827'"
+ - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+ - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+ - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+ - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
+ - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+ - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+ - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+ - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
+ - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+ - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+ - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+ - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+ - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+ - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+ condition: or
diff --git a/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml
new file mode 100644
index 0000000000..879d378ea6
--- /dev/null
+++ b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml
@@ -0,0 +1,26 @@
+id: dubnium-sshopenssl-malware-hash
+info:
+ name: Dubnium Sample SSHOpenSSL Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects sample mentioned in the Dubnium Report
+ reference:
+ - https://goo.gl/AW9Cuu
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Dubnium.yar
+ tags: malware,Dubnium,apt
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+ - "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+ - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+ - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+ - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+ - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+ condition: or
diff --git a/file/malware/hash/emissary-malware-hash.yaml b/file/malware/hash/emissary-malware-hash.yaml
new file mode 100644
index 0000000000..96d7fbea35
--- /dev/null
+++ b/file/malware/hash/emissary-malware-hash.yaml
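Review bot: The first two entries of the dubnium-sshopenssl list, `'6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'` and `'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'`, are 63 hex characters long; `sha256(raw)` always produces 64, so these two comparisons can never be true and the template silently misses the samples it claims to cover. They look like the `16f0b05d…` and `1feaad03…` hashes in the dubnium-malware-hash.yaml hunk above with the leading character dropped — restore the full values after checking them against the referenced APT_Dubnium.yar. `tags: malware,Dubnium,apt` also capitalises the tag while the sibling and every other template in the commit use lowercase; change it to `tags: malware,dubnium,apt`.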
@@ -0,0 +1,33 @@
+id: emissary-malware-hash
+info:
+ name: Emissary APT Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll
+ reference:
+ - http://goo.gl/V0epcf
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Emissary.yar
+ tags: malware,emissary,apt
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'"
+ - "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'"
+ - "sha256(raw) == '0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290'"
+ - "sha256(raw) == '69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664'"
+ - "sha256(raw) == '675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc'"
+ - "sha256(raw) == 'e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b'"
+ - "sha256(raw) == 'a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8'"
+ - "sha256(raw) == 'acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9'"
+ - "sha256(raw) == 'e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d'"
+ - "sha256(raw) == 'e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538'"
+ - "sha256(raw) == '29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051'"
+ - "sha256(raw) == '98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0'"
+ - "sha256(raw) == 'fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/evilbamboo-malware-hash.yaml b/file/malware/hash/evilbamboo-malware-hash.yaml
new file mode 100644
index 0000000000..705f65971c
--- /dev/null
+++ b/file/malware/hash/evilbamboo-malware-hash.yaml
@@ -0,0 +1,36 @@
+id: evilbamboo-malware-hash
+info:
+ name: EvilBamboo Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detection of the BADSOLAR and BADBAZAAR data collection files, which are shared by both malware families.
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2023/2023-09-22%20EvilBamboo/indicators/rules.yar
+ - https://www.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine
+ tags: malware,evilbamboo
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'"
+ - "sha256(raw) == 'bf5f7fbf42236e89bcf663d2822d54bee89abaf3f247a54f371bf156e0e03629'"
+ - "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'"
+ - "sha256(raw) == 'f7132750db2a8ca8eb9e9e5a32377aa506395d02bacbb918f835041f5f035c4c'"
+ - "sha256(raw) == 'daf3d2cb6f1bbb7c8d1cfb5fc0db23afc304a622ebb24aa940228be691bcda2b'"
+ - "sha256(raw) == '549d726fe2b775cfdd1304c2d689dfd779731336a3143225dc3c095440f69ed0'"
+ - "sha256(raw) == '0fea799ce00c7d6f26ccb52a2ecbe6b9605cfb9910f2a309a841caedf3b102d7'"
+ - "sha256(raw) == 'f0bf154d1e90491199b66ab95c1a4071669f3322c55f3643e36c20a9fb63eb56'"
+ - "sha256(raw) == '549d726fe2b775cfdd1304c2d689dfd779731336a3143225dc3c095440f69ed0'"
+ - "sha256(raw) == '6aefc2b33e23f6e3c96de51d07f7123bd23ff951d67849a9bd32d446e76fb405'"
+ - "sha256(raw) == 'bf5f7fbf42236e89bcf663d2822d54bee89abaf3f247a54f371bf156e0e03629'"
+ - "sha256(raw) == 'fa9154eaa3df4ff4464b21c45362fd1c7fb5e68108ab350c05f2ca9f60263988'"
+ - "sha256(raw) == 'c5e8476fc6938a36438a433b48e80213e2251b1d4b20a9469912d628a86198b3'"
+ - "sha256(raw) == '28560642fe99b3e611510f5559a12eb41112f3e2b3005432f7343cb79ff47a34'"
+ - "sha256(raw) == '7995c382263f8dbbfc37a9d62392aef8b4f89357d436b3dd94dea842f9574ecf'"
+ - "sha256(raw) == 'efea95720853e0cd2d9d4e93a64a726cfe17efea7b17af7c4ae6d3a6acae5b30'"
+ condition: or
diff --git a/file/malware/hash/fakem-malware-hash.yaml b/file/malware/hash/fakem-malware-hash.yaml
new file mode 100644
index 0000000000..2935d5bbe1
--- /dev/null
+++ b/file/malware/hash/fakem-malware-hash.yaml
@@ -0,0 +1,31 @@
+id: fakem-malware-hash
+info:
+ name: FakeM_Generic Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects FakeM malware samples
+ reference:
+ - http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FakeM.yar
+ tags: malware,apt,fakem
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'"
+ - "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'"
+ - "sha256(raw) == '53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60'"
+ - "sha256(raw) == '4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3'"
+ - "sha256(raw) == '7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8'"
+ - "sha256(raw) == '12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d'"
+ - "sha256(raw) == '9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5'"
+ - "sha256(raw) == '3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90'"
+ - "sha256(raw) == '41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33'"
+ - "sha256(raw) == '53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e'"
+ - "sha256(raw) == '523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b'"
+ condition: or
diff --git a/file/malware/hash/flipflop-malware-hash.yaml b/file/malware/hash/flipflop-malware-hash.yaml
new file mode 100644
index 0000000000..b466390428
--- /dev/null
+++ b/file/malware/hash/flipflop-malware-hash.yaml
@@ -0,0 +1,21 @@
+id: flipflop-ldr-malware-hash
+info:
+ name: Flipflop Loader Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2021/2021-05-27%20-%20Suspected%20APT29%20Operation%20Launches%20Election%20Fraud%20Themed%20Phishing%20Campaigns/indicators/yara.yar
+ tags: malware,apt29,cobaltstrike
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330'"
+ - "sha256(raw) == 'b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c'"
+ - "sha256(raw) == 'ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/furtim-malware-hash.yaml b/file/malware/hash/furtim-malware-hash.yaml
new file mode 100644
index 0000000000..04c67fca6a
--- /dev/null
+++ b/file/malware/hash/furtim-malware-hash.yaml
@@ -0,0 +1,22 @@
+id: furtim-malware-hash
+info:
+ name: Furtim Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Furtim Parent Malware.
+ reference:
+ - https://sentinelone.com/blogs/sfg-furtims-parent/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_furtim.yar
+ tags: malware,apt,furtim
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'"
+ - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'"
+ condition: or
diff --git a/file/malware/hash/gimmick-malware-hash.yaml b/file/malware/hash/gimmick-malware-hash.yaml
new file mode 100644
index 0000000000..950936cdfe
--- /dev/null
+++ b/file/malware/hash/gimmick-malware-hash.yaml
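Review bot: The template `id: flipflop-ldr-malware-hash` does not match its file name `flipflop-malware-hash.yaml`; every other template in this batch keeps the two identical, and the nuclei-templates validation is, as far as I recall, strict about id equalling the file name, so this one is likely to fail the repo lint. Change it to `id: flipflop-malware-hash` (or rename the file) so the pair agrees. The description is copied from a content rule and describes loader behaviour that a `sha256(raw)` match cannot observe; consider appending `Matches three known loader samples by SHA-256 file hash.`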
@@ -0,0 +1,18 @@
+id: gimmick-malware-hash
+info:
+ name: GIMMICK Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects the macOS port of the GIMMICK malware.
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2022/2022-03-22%20GIMMICK/indicators/yara.yar
+ tags: malware,stormcloud
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f'"
\ No newline at end of file
diff --git a/file/malware/hash/godzilla-webshell-hash.yaml b/file/malware/hash/godzilla-webshell-hash.yaml
new file mode 100644
index 0000000000..a37489fa00
--- /dev/null
+++ b/file/malware/hash/godzilla-webshell-hash.yaml
@@ -0,0 +1,19 @@
+id: godzilla-webshell-hash
+info:
+ name: Godzilla Webshell Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects the JSP implementation of the Godzilla Webshell.
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
+ - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
+ tags: malware,webshells
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe'"
\ No newline at end of file
diff --git a/file/malware/hash/greenbug-malware-hash.yaml b/file/malware/hash/greenbug-malware-hash.yaml
new file mode 100644
index 0000000000..de608feb9b
--- /dev/null
+++ b/file/malware/hash/greenbug-malware-hash.yaml
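Review bot: `description: Detects the JSP implementation of the Godzilla Webshell.` overstates what a single `sha256(raw)` comparison can do: Godzilla shells are typically generated per deployment with an operator-chosen password and key, so this hash covers exactly one observed sample, not the implementation, and a reader triaging a negative result will be misled. Suggest `description: Matches one known JSP Godzilla webshell sample by SHA-256 file hash (see references); other builds of the shell will not match.` The same single-hash caveat applies to the GIMMICK template in this hunk.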
@@ -0,0 +1,32 @@
+id: greenbug-malware-hash
+info:
+ name: Greenbug Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Malware from Greenbug Incident
+ reference:
+ - https://goo.gl/urp4CD
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Greenbug.yar
+ tags: malware,Greenbug
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'"
+ - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'"
+ - "sha256(raw) == '21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685'"
+ - "sha256(raw) == '319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'"
+ - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
+ - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
+ - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
+ - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
+ - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
+ - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
+ - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
+ - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/ico-malware-hash.yaml b/file/malware/hash/ico-malware-hash.yaml
new file mode 100644
index 0000000000..a8f42aa1a9
--- /dev/null
+++ b/file/malware/hash/ico-malware-hash.yaml
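Review bot: The fourth hash, `'319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'`, is 63 hex characters, so `sha256(raw) == '…'` can never be true for it and one of the Greenbug indicators is silently dead; recheck it against the referenced APT_Greenbug.yar and paste the full 64-character digest. Four further hashes (`44bdf526…`, `7f16824e…`, `308a646f…`, `82beaef4…`) are each listed twice and should be deduplicated. `tags: malware,Greenbug` is also the only capitalised tag in the batch; use `tags: malware,greenbug` so tag filtering matches the sibling templates.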
@@ -0,0 +1,24 @@
+id: ico-malware-hash
+info:
+ name: ICO Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detection of malicious ICO files used in 3CX compromise
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/indicators/rules.yar
+ tags: malware,uta0040
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c'"
+ - "sha256(raw) == 'a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67'"
+ - "sha256(raw) == '8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423'"
+ - "sha256(raw) == 'f79c3b0adb6ec7bcc8bc9ae955a1571aaed6755a28c8b17b1d7595ee86840952'"
+ - "sha256(raw) == '7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896'"
+ - "sha256(raw) == 'aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868'"
+ condition: or
diff --git a/file/malware/hash/industroyer-malware-hash.yaml b/file/malware/hash/industroyer-malware-hash.yaml
new file mode 100644
index 0000000000..c1798d81c4
--- /dev/null
+++ b/file/malware/hash/industroyer-malware-hash.yaml
@@ -0,0 +1,28 @@
+id: industroyer-malware-hash
+info:
+ name: Industroyer Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects Industroyer related malware
+ reference:
+ - https://goo.gl/x81cSy
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Industroyer.yar
+ tags: malware,industroyer,apt
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'"
+ - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'"
+ - "sha256(raw) == '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571'"
+ - "sha256(raw) == '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4'"
+ - "sha256(raw) == 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77'"
+ - "sha256(raw) == '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47'"
+ - "sha256(raw) == '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f'"
+ - "sha256(raw) == '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561'"
+ - "sha256(raw) == '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad'"
+ condition: or
diff --git a/file/malware/hash/ironPanda-htran-malware-hash.yaml b/file/malware/hash/ironPanda-htran-malware-hash.yaml
new file mode 100644
index 0000000000..b8cc9c0d46
--- /dev/null
+++ b/file/malware/hash/ironPanda-htran-malware-hash.yaml
@@ -0,0 +1,20 @@
+id: ironpanda-htran-malware-hash
+info:
+ name: Iron Panda Malware Htran Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Iron Panda Malware Htran
+ reference:
+ - https://goo.gl/E4qia9
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Irontiger.yar
+ tags: malware,ironpanda
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'"
\ No newline at end of file
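Review bot: The new file is named `ironPanda-htran-malware-hash.yaml` while its `id` is `ironpanda-htran-malware-hash`; the sibling templates use all-lowercase file names, and a case mismatch between id and file name tends to trip the repo's template validation and causes needless trouble on case-insensitive checkouts, so rename the file to `ironpanda-htran-malware-hash.yaml`. The `https://goo.gl/E4qia9` reference is an opaque shortener link that is slated to stop resolving; replace it with the canonical report URL so the indicator can still be traced to its source.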
diff --git a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml
new file mode 100644
index 0000000000..3bacd1aef4
--- /dev/null
+++ b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml
@@ -0,0 +1,20 @@
+id: ironpanda-dnstunclient-malware-hash
+info:
+ name: Iron Panda malware DnsTunClient Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Iron Panda malware DnsTunClient - file named.exe
+ reference:
+ - https://goo.gl/E4qia9
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Irontiger.yar
+ tags: malware,ironpanda
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'"
\ No newline at end of file
diff --git a/file/malware/hash/ironpanda-malware-hash.yaml b/file/malware/hash/ironpanda-malware-hash.yaml
new file mode 100644
index 0000000000..dba97a70dd
--- /dev/null
+++ b/file/malware/hash/ironpanda-malware-hash.yaml
@@ -0,0 +1,22 @@
+id: ironpanda-malware-hash
+info:
+ name: Iron Panda Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Iron Panda Malware
+ reference:
+ - https://goo.gl/E4qia9
+ tags: malware,IronPanda
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'"
+ - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'"
+ - "sha256(raw) == '5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742'"
+ - "sha256(raw) == '0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c'"
+ condition: or
diff --git a/file/malware/hash/locky-ransomware-hash.yaml b/file/malware/hash/locky-ransomware-hash.yaml
new file mode 100644
index 0000000000..8092b89a1d
--- /dev/null
+++ b/file/malware/hash/locky-ransomware-hash.yaml
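Review bot: `tags: malware,IronPanda` in ironpanda-malware-hash.yaml breaks the lowercase tag convention used by the two sibling Iron Panda templates (`ironpanda`); if the consumer's tag filter is case-sensitive this template drops out of `-tags ironpanda` runs, so change it to `tags: malware,ironpanda`. Its only reference is the `https://goo.gl/E4qia9` shortlink, and unlike its siblings it does not cite the APT_Irontiger.yar rule it appears to be ported from; add the canonical report URL and the Yara-Rules URL so the four hashes remain traceable. `description: Iron Panda Malware` repeats the name and should say what the hashes are, e.g. `Matches four known Iron Panda samples by SHA-256 file hash.`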
@@ -0,0 +1,20 @@
+id: locky-ransomware-hash
+info:
+ name: Locky Ransomware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Locky Ransomware (matches also on Win32/Kuluoz)
+ reference:
+ - https://goo.gl/qScSrE
+ - https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
+ tags: ransomware,malware
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'"
\ No newline at end of file
diff --git a/file/malware/hash/minidionis-readerview-malware-hash.yaml b/file/malware/hash/minidionis-readerview-malware-hash.yaml
new file mode 100644
index 0000000000..ff0bf7ff66
--- /dev/null
+++ b/file/malware/hash/minidionis-readerview-malware-hash.yaml
@@ -0,0 +1,26 @@
+id: minidionis-readerview-malware-hash
+info:
+ name: MiniDionis Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ MiniDionis Malware - file readerView.exe / adobe.exe
+ reference:
+ - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar
+ tags: malware,minidionis
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
+ - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
+ - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
+ - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+ - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
+ - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
+ condition: or
diff --git a/file/malware/hash/minidionis-vbs-malware-hash.yaml b/file/malware/hash/minidionis-vbs-malware-hash.yaml
new file mode 100644
index 0000000000..73d5179ee0
--- /dev/null
+++ b/file/malware/hash/minidionis-vbs-malware-hash.yaml
@@ -0,0 +1,19 @@
+id: minidionis-vbs-malware-hash
+info:
+ name: MiniDionis VBS Dropped File Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detect Dropped File - 1.vbs
+ reference:
+ - https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar
+ tags: malware,minidionis
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'"
diff --git a/file/malware/hash/naikon-apt-malware-hash.yaml b/file/malware/hash/naikon-apt-malware-hash.yaml
new file mode 100644
index 0000000000..c4fc21e7ab
--- /dev/null
+++ b/file/malware/hash/naikon-apt-malware-hash.yaml
@@ -0,0 +1,19 @@
+id: naikon-apt-malware-hash
+info:
+ name: Backdoor Naikon APT Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://goo.gl/7vHyvh
+tags: malware,naikon
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'"
+ - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'"
+ condition: or
diff --git a/file/malware/hash/neuron2-malware-hash.yaml b/file/malware/hash/neuron2-malware-hash.yaml
new file mode 100644
index 0000000000..3af07aaeb5
--- /dev/null
+++ b/file/malware/hash/neuron2-malware-hash.yaml
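Review bot: In naikon-apt-malware-hash.yaml, `tags: malware,naikon` is at column 0, outside the `info:` mapping, so it is a top-level key the template schema does not define; depending on the nuclei version it is either rejected as an unknown field or silently ignored, and either way the template loses its tags. Indent it under `info:` as in the neighbouring templates. `description` is missing here, and the single reference is a `https://goo.gl/7vHyvh` shortlink that should be replaced with the canonical report URL so the two hashes can be traced.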
@@ -0,0 +1,20 @@
+id: neuron2-malware-hash
+info:
+ name: Neuron2 Loader Strings Turla APT loader Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference: |
+ - https://www.ncsc.gov.uk/alerts/turla-group-malware
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_Neuron.yar
+ tags: malware,turla,neuron2,apt
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'"
+ - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'"
+ condition: or
diff --git a/file/malware/hash/oilrig-malware-hash.yaml b/file/malware/hash/oilrig-malware-hash.yaml
new file mode 100644
index 0000000000..3317cdbd78
--- /dev/null
+++ b/file/malware/hash/oilrig-malware-hash.yaml
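Review bot: `reference: |` turns the two URLs into a single literal block string whose value begins with `- https://…` rather than a YAML list; nuclei tolerates a string here, but the leading dashes and embedded newline end up in the rendered reference and any tooling that expects a list of URLs will not parse it. Drop the `|` so `reference:` is followed by the two `- ` items, as in the neighbouring templates. A `description` is also missing, and the name `Neuron2 Loader Strings … Hash` suggests a string rule while the matcher is a pure file-hash comparison; `description: Matches two known Neuron2 loader samples by SHA-256 file hash.` would set expectations correctly.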
@@ -0,0 +1,45 @@
+id: oilrig-malware-hash
+info:
+ name: OilRig Malware Campaign Gen1 Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects malware from OilRig Campaign
+ reference:
+ - https://goo.gl/QMRZ8K
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Oilrig.yar
+ tags: malware,oilrig,apt
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'"
+ - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'"
+ - "sha256(raw) == '662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f'"
+ - "sha256(raw) == '903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996'"
+ - "sha256(raw) == 'c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da'"
+ - "sha256(raw) == '57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4'"
+ - "sha256(raw) == '1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1'"
+ - "sha256(raw) == '9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777'"
+ - "sha256(raw) == '0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e'"
+ - "sha256(raw) == '4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281'"
+ - "sha256(raw) == '4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353'"
+ - "sha256(raw) == 'c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51'"
+ - "sha256(raw) == 'f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2'"
+ - "sha256(raw) == '0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39'"
+ - "sha256(raw) == 'd874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d'"
+ - "sha256(raw) == '8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9'"
+ - "sha256(raw) == '55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579'"
+ - "sha256(raw) == '528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b'"
+ - "sha256(raw) == '93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0'"
+ - "sha256(raw) == 'e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa'"
+ - "sha256(raw) == '9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471'"
+ - "sha256(raw) == 'a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064'"
+ - "sha256(raw) == '3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff'"
+ - "sha256(raw) == '3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4'"
+ - "sha256(raw) == 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e'"
+ condition: or
diff --git a/file/malware/hash/passcv-ntscan-malware-hash.yaml b/file/malware/hash/passcv-ntscan-malware-hash.yaml
new file mode 100644
index 0000000000..424537662c
--- /dev/null
+++ b/file/malware/hash/passcv-ntscan-malware-hash.yaml
@@ -0,0 +1,19 @@
+id: passcv-ntscan-malware-hash
+info:
+ name: PassCV Sabre Tool NTScan Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: PassCV Malware mentioned in Cylance Report
+ reference:
+ - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar
+ tags: malware,passcv
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'"
\ No newline at end of file
diff --git a/file/malware/hash/passcv-sabre-malware-hash.yaml b/file/malware/hash/passcv-sabre-malware-hash.yaml
new file mode 100644
index 0000000000..5fddb23e59
--- /dev/null
+++ b/file/malware/hash/passcv-sabre-malware-hash.yaml
@@ -0,0 +1,29 @@
+id: passcv-sabre-malware-hash
+info:
+ name: PassCV Sabre Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ PassCV Malware mentioned in Cylance Report
+ reference:
+ - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar
+ tags: malware,passcv
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'"
+ - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'"
+ - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'"
+ - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'"
+ - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'"
+ - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'"
+ - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'"
+ - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'"
+ - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'"
+ condition: or
diff --git a/file/malware/hash/passcv-signingcert-malware-hash.yaml b/file/malware/hash/passcv-signingcert-malware-hash.yaml
new file mode 100644
index 0000000000..0557ab8fe3
--- /dev/null
+++ b/file/malware/hash/passcv-signingcert-malware-hash.yaml
@@ -0,0 +1,20 @@
+id: passcv-signingcert-malware-hash
+info:
+ name: PassCV Sabre Malware Signing Cert Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ PassCV Malware mentioned in Cylance Report
+ reference:
+ - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar
+ tags: malware,passcv
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'"
\ No newline at end of file
diff --git a/file/malware/hash/petya-ransomware-hash.yaml b/file/malware/hash/petya-ransomware-hash.yaml
new file mode 100644
index 0000000000..54648fae7f
--- /dev/null
+++ b/file/malware/hash/petya-ransomware-hash.yaml
@@ -0,0 +1,19 @@
+id: petya-ransomware-hash
+info:
+ name: Petya Ransomware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Petya Ransomware.
+ reference:
+ - http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html
+tags: ransomware,malware
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'"
diff --git a/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml
new file mode 100644
index 0000000000..237d217ba2
--- /dev/null
+++ b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml
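Review bot: The name `PassCV Sabre Malware Signing Cert Hash - Detect` promises detection of the abused code-signing certificate, but the matcher is `sha256(raw)` over the whole file, so it can only ever match the one signed sample whose digest is listed, and any other binary signed with the same certificate passes. Either say so — `description: Matches one PassCV sample signed with the abused certificate, by SHA-256 file hash; it does not detect the certificate itself.` — or, if the intent really is certificate-level detection, this needs a different matcher than a file hash.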
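Review bot: In petya-ransomware-hash.yaml, `tags: ransomware,malware` is at column 0, outside `info:`, which makes it an undefined top-level key rather than template metadata — the tags are lost and strict schema validation may reject the file; indent it under `info:`. The single `http://www.heise.de/…` news article is a weak provenance for the hash; if it was taken from a Yara rule as the sibling templates were, add that rule URL as a second reference.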
@@ -0,0 +1,27 @@
+id: poseidongroup-maldoc-malware-hash
+info:
+ name: Poseidon Group Malicious Word Document Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects Poseidon Group - Malicious Word Document
+ reference:
+ - https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Poseidon_Group.yar
+ tags: malware,poseidon
+
+file:
+ - extensions:
+ - doc
+ - docx
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'"
+ - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'"
+ - "sha256(raw) == 'f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a'"
+ - "sha256(raw) == 'ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed'"
+ - "sha256(raw) == '27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778'"
+ - "sha256(raw) == '1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216'"
+ - "sha256(raw) == '0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b'"
+ condition: or
diff --git a/file/malware/hash/poseidongroup-malware-hash.yaml b/file/malware/hash/poseidongroup-malware-hash.yaml
new file mode 100644
index 0000000000..9db84bd8ec
--- /dev/null
+++ b/file/malware/hash/poseidongroup-malware-hash.yaml
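Review bot: `extensions:` restricted to `doc` and `docx` limits the scan to files carrying those names, but the matcher is a whole-file `sha256(raw)` comparison that does not depend on the extension, so a sample saved under any other name (`.rtf`, `.bin`, a bare hash name in a quarantine or forensic triage dump) is skipped even though its digest is in the list. Every other template in this batch uses `- all`; do the same here, or add a comment stating that the narrowing is a deliberate scan-time trade-off.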
@@ -0,0 +1,26 @@
+id: poseidongroup-malware-hash
+info:
+ name: Poseidon Group Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects Poseidon Group Malware
+ reference:
+ - https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Poseidon_Group.yar
+ tags: malware
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'"
+ - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'"
+ - "sha256(raw) == '432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61'"
+ - "sha256(raw) == '8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47'"
+ - "sha256(raw) == 'd090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f'"
+ - "sha256(raw) == 'd7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb'"
+ - "sha256(raw) == 'ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3'"
+ condition: or
diff --git a/file/malware/hash/powerstar-malware-hash.yaml b/file/malware/hash/powerstar-malware-hash.yaml
new file mode 100644
index 0000000000..9a09056a27
--- /dev/null
+++ b/file/malware/hash/powerstar-malware-hash.yaml
@@ -0,0 +1,22 @@
+id: powerstar-malware-hash
+info:
+ name: PowerStar Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects the batch script used to persist PowerStar via Startup.
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2023/2023-06-28%20POWERSTAR/indicators/rules.yar
+ tags: malware,charmingkitten
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '9777f106ac62829cd3cfdbc156100fe892cfc4038f4c29a076e623dc40a60872'"
+ - "sha256(raw) == '977cf5cc1d0c61b7364edcf397e5c67d910fac628c6c9a41cf9c73b3720ce67f'"
+ - "sha256(raw) == 'b79d28fe5e3c988bb5aadb12ce442d53291dbb9ede0c7d9d64eec078beba5585'"
+ - "sha256(raw) == 'de99c4fa14d99af791826a170b57a70b8265fee61c6b6278d3fe0aad98e85460'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/purplewave-malware-hash.yaml b/file/malware/hash/purplewave-malware-hash.yaml
new file mode 100644
index 0000000000..f9bbc2d775
--- /dev/null
+++ b/file/malware/hash/purplewave-malware-hash.yaml
@@ -0,0 +1,27 @@
+id: purplewave-malware-hash
+info:
+ name: PurpleWave v1.0 Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://twitter.com/3xp0rtblog/status/1289125217751781376
+ - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PurpleWave.yar
+tags: malware,apt,purplewave
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'"
+ - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'"
+ - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'"
+ - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'"
+ - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'"
+ - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'"
+ - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'"
+ - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'"
+ - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'"
+ condition: or
diff --git a/file/malware/hash/red-leaves-malware-hash.yaml b/file/malware/hash/red-leaves-malware-hash.yaml
new file mode 100644
index 0000000000..56146d3ac9
--- /dev/null
+++ b/file/malware/hash/red-leaves-malware-hash.yaml
@@ -0,0 +1,20 @@
+id: red-leaves-malware-hash
+info:
+ name: Red Leaves Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Red Leaves malware, related to APT10
+ reference:
+ - https://www.virustotal.com/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_RedLeaves.yar
+ tags: malware,apt,red-leaves
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'"
\ No newline at end of file
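Review bot: `tags: malware,apt,purplewave` is at column 0, outside `info:`, so it is an undefined top-level key and the template loses its tags (strict validation may reject the file outright); indent it under `info:`. The `apt` tag also looks misplaced — PurpleWave is, as far as I know, a commodity infostealer rather than an APT tool — so `tags: malware,stealer,purplewave` would be more accurate, and a `description` is missing entirely. In the red-leaves template that follows, `- https://www.virustotal.com/` is the site root and identifies nothing; replace it with the sample's report URL or drop it.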
diff --git a/file/malware/hash/regeorg-webshell-hash.yaml b/file/malware/hash/regeorg-webshell-hash.yaml
new file mode 100644
index 0000000000..a3abb6c429
--- /dev/null
+++ b/file/malware/hash/regeorg-webshell-hash.yaml
@@ -0,0 +1,19 @@
+id: regeorg-webshell-hash
+info:
+ name: ReGeorg Webshell Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects the reGeorg webshells' JSP version.
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
+ - https://github.com/SecWiki/WebShell-2/blob/master/reGeorg-master/tunnel.jsp
+ tags: malware,webshells
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'f9b20324f4239a8c82042d8207e35776d6777b6305974964cd9ccc09d431b845'"
diff --git a/file/malware/hash/revil-ransomware-hash.yaml b/file/malware/hash/revil-ransomware-hash.yaml
new file mode 100644
index 0000000000..bbeb49e3a9
--- /dev/null
+++ b/file/malware/hash/revil-ransomware-hash.yaml
@@ -0,0 +1,23 @@
+id: revil-ransomware-hash
+info:
+ name: Revil Ransomware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description:
+ Detect Revil Ransomware.
+ reference:
+ - https://angle.ankura.com/post/102hcny/revix-linux-ransomware
+ - https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Revix.yar
+tags: ransomware,malware
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'"
+ - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'"
+ - "sha256(raw) == 'ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4'"
+ condition: or
diff --git a/file/malware/hash/rokrat-malware-hash.yaml b/file/malware/hash/rokrat-malware-hash.yaml
new file mode 100644
index 0000000000..24e6390883
--- /dev/null
+++ b/file/malware/hash/rokrat-malware-hash.yaml
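Review bot: In revil-ransomware-hash.yaml, `tags: ransomware,malware` sits at column 0, outside `info:`, so it is an undefined top-level key and the template loses its tags; indent it under `info:`. `description:` with its value on the following line relies on plain-scalar folding and is fragile next to the one-line style used elsewhere in the batch — write `description: Detect Revil Ransomware.` on one line. Both references point at the Linux REvil/Revix variant (`revix-linux-ransomware`, `RANSOM_Revix.yar`), so name the template accordingly, e.g. `name: REvil (Revix) Linux Ransomware Hash - Detect`, so nobody assumes these three hashes cover Windows REvil.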
@@ -0,0 +1,20 @@
+id: rokrat-malware-hash
+info:
+ name: ROKRAT Loader Malware Hash- Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Designed to catch loader observed used with ROKRAT malware
+ reference:
+ - https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_DPRK_ROKRAT.yar
+ tags: malware,taudprkapt
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'"
\ No newline at end of file
diff --git a/file/malware/hash/sauron-malware-hash.yaml b/file/malware/hash/sauron-malware-hash.yaml
new file mode 100644
index 0000000000..00d6694701
--- /dev/null
+++ b/file/malware/hash/sauron-malware-hash.yaml
@@ -0,0 +1,26 @@
+id: sauron-malware-hash
+info:
+ name: Sauron Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects malware from Project Sauron APT
+ reference:
+ - https://goo.gl/eFoP4A
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sauron_extras.yar
+ tags: malware,apt,sauron
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'"
+ - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'"
+ - "sha256(raw) == 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec'"
+ - "sha256(raw) == 'e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57'"
+ - "sha256(raw) == '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8'"
+ - "sha256(raw) == '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca'"
+ - "sha256(raw) == '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd'"
+ condition: or
diff --git a/file/malware/hash/seaduke-malware-hash.yaml b/file/malware/hash/seaduke-malware-hash.yaml
new file mode 100644
index 0000000000..ea230ee435
--- /dev/null
+++ b/file/malware/hash/seaduke-malware-hash.yaml
@@ -0,0 +1,18 @@
+id: seaduke-malware-hash
+info:
+ name: SeaDuke Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference: |
+ http://goo.gl/MJ0c2M
+ https://github.com/Yara-Rules/rules/blob/master/malware/APT_Seaduke.yar
+ tags: malware,seaduke
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'"
\ No newline at end of file
diff --git a/file/malware/hash/sfx1-malware-hash.yaml b/file/malware/hash/sfx1-malware-hash.yaml
new file mode 100644
index 0000000000..2644b8af66
--- /dev/null
+++ b/file/malware/hash/sfx1-malware-hash.yaml
@@ -0,0 +1,21 @@
+id: sfx1-malware-hash
+info:
+ name: Malicious SFX1 Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: SFX with voicemail content
+ reference:
+ - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar
+ tags: malware,sfx1
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'"
+ - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'"
+ condition: or
diff --git a/file/malware/hash/sfxrar-acrotray-malware-hash.yaml b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml
new file mode 100644
index 0000000000..4d81949cbe
--- /dev/null
+++ b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml
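Review bot: In seaduke-malware-hash.yaml, `reference: |` makes the two URLs one literal block string instead of the list form used by every other template, so list-expecting tooling will not parse it; write `reference:` followed by two `- ` items. `description` is missing, and `http://goo.gl/MJ0c2M` is an opaque shortlink that is slated to stop resolving — replace it with the canonical report URL. The sfx1 template that follows names its subject only as `Malicious SFX1` and `SFX with voicemail content`; since its references are the MiniDionis ones, say so in the description so the hash is attributable.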
@@ -0,0 +1,21 @@
+id: sfxrar-acrotray-malware-hash
+info:
+ name: SFXRAR Acrotray Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Cloudduke.yar
+ - https://www.f-secure.com/weblog/archives/00002822.html
+ tags: malware,apt,sfx
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'"
+ - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'"
+ - "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/sharpext-malware-hash.yaml b/file/malware/hash/sharpext-malware-hash.yaml
new file mode 100644
index 0000000000..858ece9035
--- /dev/null
+++ b/file/malware/hash/sharpext-malware-hash.yaml
@@ -0,0 +1,21 @@
+id: sharpext-malware-hash
+info:
+ name: Sharpext Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: A malicious Chrome browser extension used by the SharpTongue threat actor to steal mail data from a victim.
+ reference:
+ - https://github.com/volexity/threat-intel/blob/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/yara.yar
+ tags: malware,sharptongue
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '1c9664513fe226beb53268b58b11dacc35b80a12c50c22b76382304badf4eb00'"
+ - "sha256(raw) == '6025c66c2eaae30c0349731beb8a95f8a5ba1180c5481e9a49d474f4e1bb76a4'"
+ - "sha256(raw) == '6594b75939bcdab4253172f0fa9066c8aee2fa4911bd5a03421aeb7edcd9c90c'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/sofacy-Winexe-malware-hash.yaml b/file/malware/hash/sofacy-Winexe-malware-hash.yaml
new file mode 100644
index 0000000000..db4db62626
--- /dev/null
+++ b/file/malware/hash/sofacy-Winexe-malware-hash.yaml
@@ -0,0 +1,20 @@
+id: sofacy-winexe-malware-hash
+info:
+ name: Sofacy Group Winexe Tool Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Winexe tool used by Sofacy group in Bundestag APT.
+ reference: |
+ - http://dokumente.linksfraktion.de/inhalt/report-orig.pdf
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Bundestag.yar
+ tags: malware,sofacy
+
+file:
+ - extensions:
+ - exe
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'"
diff --git a/file/malware/hash/sofacy-bundestag-malware-hash.yaml b/file/malware/hash/sofacy-bundestag-malware-hash.yaml
new file mode 100644
index 0000000000..30a09f0a27
--- /dev/null
+++ b/file/malware/hash/sofacy-bundestag-malware-hash.yaml
@@ -0,0 +1,22 @@
+id: sofacy-bundestag-malware-hash
+info:
+ name: Sofacy Group Malware - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Sofacy Malware - German Bundestag
+ reference: |
+ - http://dokumente.linksfraktion.de/inhalt/report-orig.pdf
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Bundestag.yar
+ tags: malware,sofacy
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'"
+ - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'"
+ condition: or
diff --git a/file/malware/hash/sofacy-fybis-malware-hash.yaml b/file/malware/hash/sofacy-fybis-malware-hash.yaml
new file mode 100644
index 0000000000..16b7ef433c
--- /dev/null
+++ b/file/malware/hash/sofacy-fybis-malware-hash.yaml
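Review bot: The file is named `sofacy-Winexe-malware-hash.yaml` while its `id` is `sofacy-winexe-malware-hash`; every other template in this commit has a file name equal to its lowercase id, and a mixed-case name is a collision waiting to happen on case-insensitive filesystems, so rename the file to `sofacy-winexe-malware-hash.yaml`. This is also the only template here that filters on `- exe` instead of `- all`; if that is deliberate it deserves a comment, since a sample stored under any other extension would never be hashed by this template.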
@@ -0,0 +1,21 @@
+id: sofacy-fybis-malware-hash
+info:
+ name: Sofacy Fybis Linux Backdoor Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference: |
+ - http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Fysbis.yar
+ tags: malware,sofacy
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'"
+ - "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'"
+ - "sha256(raw) == 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61'"
+ condition: or
diff --git a/file/malware/hash/tidepool-malware-hash.yaml b/file/malware/hash/tidepool-malware-hash.yaml
new file mode 100644
index 0000000000..ca7773b2b2
--- /dev/null
+++ b/file/malware/hash/tidepool-malware-hash.yaml
@@ -0,0 +1,24 @@
+id: tidepool-malware-hash
+info:
+ name: TidePool Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks
+ reference:
+ - http://goo.gl/m2CXWR
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Ke3Chang_TidePool.yar
+ tags: malware,tidepool
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'"
+ - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'"
+ - "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'"
+ - "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'"
+ condition: or
diff --git a/file/malware/hash/turla-malware-hash.yaml b/file/malware/hash/turla-malware-hash.yaml
new file mode 100644
index 0000000000..4ec1736272
--- /dev/null
+++ b/file/malware/hash/turla-malware-hash.yaml
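Review bot: The id, name and file name of this template spell the family `Fybis`, but both references — the Palo Alto URL (`a-look-into-fysbis-sofacys-linux-backdoor`) and `APT_Sofacy_Fysbis.yar` — call it Fysbis, so searches and tag filters on the correct name will miss this template; change `id: sofacy-fysbis-malware-hash`, `name: Sofacy Fysbis Linux Backdoor Hash - Detect`, and rename the file to `sofacy-fysbis-malware-hash.yaml`. A `fysbis` entry in `tags` would make the hit attributable to the family rather than only to the actor.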
@@ -0,0 +1,29 @@
+id: turla-malware-hash
+info:
+ name: Turla APT Malware - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects Turla malware based on sample used in the RUAG APT case
+ reference: |
+ https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
+ https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_RUAG.yar
+ tags: malware,turla,apt,ruag
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'"
+ - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'"
+ - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'"
+ - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'"
+ - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'"
+ - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'"
+ - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'"
+ - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'"
+ - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'"
+ - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/unit78020-malware-hash.yaml b/file/malware/hash/unit78020-malware-hash.yaml
new file mode 100644
index 0000000000..2eca3c4596
--- /dev/null
+++ b/file/malware/hash/unit78020-malware-hash.yaml
@@ -0,0 +1,26 @@
+id: unit78020-malware-hash
+info:
+ name: Unit 78020 Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects malware by Chinese APT PLA Unit 78020 - Generic Rule
+ reference: |
+ http://threatconnect.com/camerashy/?utm_campaign=CameraShy
+ https://github.com/Yara-Rules/rules/blob/master/malware/APT_Unit78020.yar
+ tags: malware,unit78020
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'"
+ - "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'"
+ - "sha256(raw) == '2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac'"
+ - "sha256(raw) == '5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2'"
+ - "sha256(raw) == '7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af'"
+ - "sha256(raw) == '88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790'"
+ condition: or
diff --git a/file/malware/hash/wildneutron-malware-hash.yaml b/file/malware/hash/wildneutron-malware-hash.yaml
new file mode 100644
index 0000000000..3fa705a81e
--- /dev/null
+++ b/file/malware/hash/wildneutron-malware-hash.yaml
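Review bot: The description's `- Generic Rule` suffix appears to be carried over from the referenced YARA rule's name, but that rule is a content signature whereas this template is an exact SHA-256 list of six samples, so "generic" misstates what a hit means; suggest `description: Detects known samples attributed to Chinese APT PLA Unit 78020 (exact SHA-256 match)`. The `?utm_campaign=CameraShy` tracking parameter on the first reference is noise and can be dropped from the URL.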
@@ -0,0 +1,31 @@
+id: wildneutron-malware-hash
+info:
+ name: WildNeutron APT Sample Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Wild Neutron APT Sample Rule based on file hash
+ reference: |
+ - https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_WildNeutron.yar
+ tags: malware,wildneutron,apt
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
+ - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"
+ - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'"
+ - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'"
+ - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'"
+ - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'"
+ - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
+ - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'"
+ - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'"
+ - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
+ - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'"
+ condition: or
\ No newline at end of file
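Review bot: The hash `758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92` is listed twice, as the seventh and the tenth `sha256(raw)` entries, so one line is redundant and a reader cannot tell whether a different sample's hash was meant to go there; drop the duplicate, or replace it with the intended value after checking the referenced `APT_WildNeutron.yar`. A quick uniqueness check over the `dsl` list before merging would catch this class of copy error across the whole set of hash templates.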