From 93fb2c7ba4ad2ff8b37534b2fa0958a420bf64f1 Mon Sep 17 00:00:00 2001 
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Wed, 19 Jun 2024 15:43:35 +0530 Subject: [PATCH 1/8] update --- file/malware/hash/applejeus-malware.yaml | 23 ++++++++++++ file/malware/hash/avburner-malware.yaml | 18 ++++++++++ file/malware/hash/backwash-malware.yaml | 27 ++++++++++++++ file/malware/hash/bluelight-malware.yaml | 21 +++++++++++ .../malware/hash/charmingcypress-malware.yaml | 17 +++++++++ file/malware/hash/disgomoji-malware.yaml | 18 ++++++++++ file/malware/hash/evilbamboo-malware.yaml | 36 +++++++++++++++++++ file/malware/hash/flipflop-malware.yaml | 21 +++++++++++ file/malware/hash/gimmick-malware.yaml | 18 ++++++++++ file/malware/hash/godzilla-webshell.yaml | 19 ++++++++++ file/malware/hash/ico-malware.yaml | 26 ++++++++++++++ file/malware/hash/powerstar-malware.yaml | 22 ++++++++++++ file/malware/hash/regeorg-webshell.yaml | 19 ++++++++++ file/malware/hash/rokrat-malware.yaml | 22 ++++++++++++ file/malware/hash/sharpext-malware.yaml | 21 +++++++++++ 15 files changed, 328 insertions(+) create mode 100644 file/malware/hash/applejeus-malware.yaml create mode 100644 file/malware/hash/avburner-malware.yaml create mode 100644 file/malware/hash/backwash-malware.yaml create mode 100644 file/malware/hash/bluelight-malware.yaml create mode 100644 file/malware/hash/charmingcypress-malware.yaml create mode 100644 file/malware/hash/disgomoji-malware.yaml create mode 100644 file/malware/hash/evilbamboo-malware.yaml create mode 100644 file/malware/hash/flipflop-malware.yaml create mode 100644 file/malware/hash/gimmick-malware.yaml create mode 100644 file/malware/hash/godzilla-webshell.yaml create mode 100644 file/malware/hash/ico-malware.yaml create mode 100644 file/malware/hash/powerstar-malware.yaml create mode 100644 file/malware/hash/regeorg-webshell.yaml create mode 100644 file/malware/hash/rokrat-malware.yaml create mode 100644 file/malware/hash/sharpext-malware.yaml 
diff --git a/file/malware/hash/applejeus-malware.yaml b/file/malware/hash/applejeus-malware.yaml new file mode 100644 index 0000000000..28ea397f81 --- /dev/null +++ b/file/malware/hash/applejeus-malware.yaml @@ -0,0 +1,23 @@ +id: applejeus-malware +info: + name: AppleJeus Malware - Detect + author: pussycat0x + severity: info + description: Detects AppleJeus DLL samples + reference: + - https://github.com/volexity/threat-intel/blob/main/2022/2022-12-01%20Buyer%20Beware%20-%20Fake%20Cryptocurrency%20Applications%20Serving%20as%20Front%20for%20AppleJeus%20Malware/yara.yar + tags: malware,lazarus + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '82e67114d632795edf29ce1d50a4c1c444846d9e16cd121ce26e63c8dc4a1629'" + - "sha256(raw) == '9352625b3e6a3c998e328e11ad43efb5602fe669aed9c9388af5f55fadfedc78'" + - "sha256(raw) == 'a0db8f8f13a27df1eacbc01505f311f6b14cf9b84fbc7e84cb764a13f001dbbb'" + - "sha256(raw) == 'a241b6611afba8bb1de69044115483adb74f66ab4a80f7423e13c652422cb379'" + - "sha256(raw) == '17e6189c19dedea678969e042c64de2a51dd9fba69ff521571d63fd92e48601b'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/avburner-malware.yaml b/file/malware/hash/avburner-malware.yaml new file mode 100644 index 0000000000..6940444fbb --- /dev/null +++ b/file/malware/hash/avburner-malware.yaml @@ -0,0 +1,18 @@ +id: avburner-malware +info: + name: AVBurner Malware - Detect + author: pussycat0x + severity: info + description: Detects AVBurner based on a combination of API calls used, hard-coded strings, and bytecode patterns + reference: + - https://github.com/volexity/threat-intel/blob/main/2023/2023-03-07%20AVBurner/yara.yar + tags: malware,snakecharmer + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '4b1b1a1293ccd2c0fd51075de9376ebb55ab64972da785153fcb0a4eb523a5eb'" \ No newline at end of file 
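Review bot: applejeus-malware.yaml is committed without a trailing newline (`\ No newline at end of file`), and the same marker appears on the avburner, backwash, bluelight, charmingcypress, disgomoji, flipflop, gimmick, godzilla, powerstar, rokrat and sharpext files in this patch. yamllint's `new-line-at-end-of-file` rule flags this, and any later edit to the `condition: or` line will show up as a two-line diff. End each template with exactly one newline after `condition: or` (or after the last hash where there is no condition).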
diff --git a/file/malware/hash/backwash-malware.yaml b/file/malware/hash/backwash-malware.yaml new file mode 100644 index 0000000000..2ab1e9ef56 --- /dev/null +++ b/file/malware/hash/backwash-malware.yaml @@ -0,0 +1,27 @@ +id: backwash-malware +info: + name: Backwash Malware - Detect + author: pussycat0x + severity: info + description: CPP loader for the Backwash malware. + reference: + - https://github.com/volexity/threat-intel/blob/main/2021/2021-12-06%20-%20XEGroup/indicators/yara.yar + - https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/ + tags: malware,xegroup + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '0cf93de64aa4dba6cec99aa5989fc9c5049bc46ca5f3cb327b49d62f3646a852'" + - "sha256(raw) == '21683e02e11c166d0cf616ff9a1a4405598db7f4adfc87b205082ae94f83c742'" + - "sha256(raw) == '6f44a9c13459533a1f3e0b0e698820611a18113c851f763797090b8be64fd9d5'" + - "sha256(raw) == '92f9593cfa0a28951cae36755d54de63631377f1b954a4cb0474fa0b6193c537'" + - "sha256(raw) == '815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f'" + - "sha256(raw) == '72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911'" + - "sha256(raw) == '4d913ecb91bf32fd828d2153342f5462ae6b84c1a5f256107efc88747f7ba16c'" + - "sha256(raw) == '98e39573a3d355d7fdf3439d9418fdbf4e42c2e03051b5313d5c84f3df485627'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/bluelight-malware.yaml b/file/malware/hash/bluelight-malware.yaml new file mode 100644 index 0000000000..4f332d37ab --- /dev/null +++ b/file/malware/hash/bluelight-malware.yaml 
@@ -0,0 +1,21 @@ +id: bluelight-malware +info: + name: bluelight Malware - Detect + author: pussycat0x + severity: info + description: North Korean origin malware which uses a custom Google App for C2 communications. + reference: + - https://github.com/volexity/threat-intel/blob/main/2021/2021-08-17%20-%20InkySquid%20Part%201/indicators/yara.yar + tags: malware,inkysquid + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed'" + - "sha256(raw) == '7c40019c1d4cef2ffdd1dd8f388aaba537440b1bffee41789c900122d075a86d'" + - "sha256(raw) == '94b71ee0861cc7cfbbae53ad2e411a76f296fd5684edf6b25ebe79bf6a2a600a'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/charmingcypress-malware.yaml b/file/malware/hash/charmingcypress-malware.yaml new file mode 100644 index 0000000000..8bf7abed98 --- /dev/null +++ b/file/malware/hash/charmingcypress-malware.yaml @@ -0,0 +1,17 @@ +id: charmingcypress-malware +info: + name: CharmingCypress Malware - Detect + author: pussycat0x + severity: info + reference: + - https://github.com/volexity/threat-intel/blob/main/2024/2024-02-13%20CharmingCypress/rules.yar + tags: malware + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'fdc5d6caaaa4fb14e62bd42544e8bb8e9b02220e687d5936a6838a7115334c51'" \ No newline at end of file diff --git a/file/malware/hash/disgomoji-malware.yaml b/file/malware/hash/disgomoji-malware.yaml new file mode 100644 index 0000000000..422d33e3e0 --- /dev/null +++ b/file/malware/hash/disgomoji-malware.yaml 
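Review bot: charmingcypress-malware.yaml has no `description` under `info`, while every other template in this series carries one, so a reader gets no hint of what the single hash corresponds to and any template check that requires the field will flag the file. Add a one-line description stating what the hash identifies, e.g. `description: Detects a CharmingCypress malware sample by SHA-256 hash.`, placed after `severity: info` as in the sibling templates.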
@@ -0,0 +1,18 @@ +id: disgomoji-malware +info: + name: DISGOMOJI Malware - Detect + author: pussycat0x + severity: info + description: Detects DISGOMOJI modules based on strings in the ELF. + reference: + - https://github.com/volexity/threat-intel/blob/main/2024/2024-06-13%20DISGOMOJI/indicators/rules.yar + tags: malware + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '2abaae4f6794131108adf5b42e09ee5ce24769431a0e154feabe6052cfe70bf3'" \ No newline at end of file diff --git a/file/malware/hash/evilbamboo-malware.yaml b/file/malware/hash/evilbamboo-malware.yaml new file mode 100644 index 0000000000..8d833598eb --- /dev/null +++ b/file/malware/hash/evilbamboo-malware.yaml 
@@ -0,0 +1,36 @@ +id: evilbamboo-malware +info: + name: EvilBamboo Malware - Detect + author: pussycat0x + severity: info + description: | + Detection of the BADSOLAR and BADBAZAAR data collection files, which are shared by both malware families. + reference: + - https://github.com/volexity/threat-intel/blob/main/2023/2023-09-22%20EvilBamboo/indicators/rules.yar + - https://www.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine + tags: malware,evilbamboo + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'" + - "sha256(raw) == 'bf5f7fbf42236e89bcf663d2822d54bee89abaf3f247a54f371bf156e0e03629'" + - "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'" + - "sha256(raw) == 'f7132750db2a8ca8eb9e9e5a32377aa506395d02bacbb918f835041f5f035c4c'" + - "sha256(raw) == 'daf3d2cb6f1bbb7c8d1cfb5fc0db23afc304a622ebb24aa940228be691bcda2b'" + - "sha256(raw) == '549d726fe2b775cfdd1304c2d689dfd779731336a3143225dc3c095440f69ed0'" + - "sha256(raw) == '0fea799ce00c7d6f26ccb52a2ecbe6b9605cfb9910f2a309a841caedf3b102d7'" + - "sha256(raw) == 'f0bf154d1e90491199b66ab95c1a4071669f3322c55f3643e36c20a9fb63eb56'" + - "sha256(raw) == '549d726fe2b775cfdd1304c2d689dfd779731336a3143225dc3c095440f69ed0'" + - "sha256(raw) == '6aefc2b33e23f6e3c96de51d07f7123bd23ff951d67849a9bd32d446e76fb405'" + - "sha256(raw) == 'bf5f7fbf42236e89bcf663d2822d54bee89abaf3f247a54f371bf156e0e03629'" + - "sha256(raw) == 'fa9154eaa3df4ff4464b21c45362fd1c7fb5e68108ab350c05f2ca9f60263988'" + - "sha256(raw) == 'c5e8476fc6938a36438a433b48e80213e2251b1d4b20a9469912d628a86198b3'" + - "sha256(raw) == '28560642fe99b3e611510f5559a12eb41112f3e2b3005432f7343cb79ff47a34'" + - "sha256(raw) == '7995c382263f8dbbfc37a9d62392aef8b4f89357d436b3dd94dea842f9574ecf'" + - "sha256(raw) == 'efea95720853e0cd2d9d4e93a64a726cfe17efea7b17af7c4ae6d3a6acae5b30'" + condition: or 
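Review bot: Three hashes in the evilbamboo-malware.yaml `dsl` list are duplicated: `8448f5cf…a5fcaf`, `bf5f7fbf…03629` and `549d726f…69ed0` each appear twice, so the template carries 16 entries for 13 distinct samples. Remove the second occurrence of each; the `condition: or` result is unchanged and the list becomes easier to audit against the referenced rules.yar.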
diff --git a/file/malware/hash/flipflop-malware.yaml b/file/malware/hash/flipflop-malware.yaml new file mode 100644 index 0000000000..a59d2b88a0 --- /dev/null +++ b/file/malware/hash/flipflop-malware.yaml @@ -0,0 +1,21 @@ +id: flipflop-ldr-malware +info: + name: Flipflop Loader - Detect + author: pussycat0x + severity: info + description: A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload. + reference: + - https://github.com/volexity/threat-intel/blob/main/2021/2021-05-27%20-%20Suspected%20APT29%20Operation%20Launches%20Election%20Fraud%20Themed%20Phishing%20Campaigns/indicators/yara.yar + tags: malware,apt29,cobaltstrike + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330'" + - "sha256(raw) == 'b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c'" + - "sha256(raw) == 'ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/gimmick-malware.yaml b/file/malware/hash/gimmick-malware.yaml new file mode 100644 index 0000000000..2a4065fec8 --- /dev/null +++ b/file/malware/hash/gimmick-malware.yaml @@ -0,0 +1,18 @@ +id: gimmick-malware +info: + name: GIMMICK Malware - Detect + author: pussycat0x + severity: info + description: Detects the macOS port of the GIMMICK malware. + reference: + - https://github.com/volexity/threat-intel/blob/main/2022/2022-03-22%20GIMMICK/indicators/yara.yar + tags: malware,stormcloud + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f'" \ No newline at end of file diff --git a/file/malware/hash/godzilla-webshell.yaml b/file/malware/hash/godzilla-webshell.yaml new file mode 100644 index 0000000000..3866d10a8c --- /dev/null 
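Review bot: The `id` in flipflop-malware.yaml is `flipflop-ldr-malware`, which does not match the file name; the repository's template checks, as far as I know, expect the id to equal the file stem, so either rename the file or set `id: flipflop-malware`. The regeorg-webshell.yaml hunk later in this patch has the same mismatch compounded by a typo, `id: regeorg-webshel`, which should read `id: regeorg-webshell`. A later patch in this series renames both files with a `-hash` suffix, so whichever id is chosen should follow that rename.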
+++ b/file/malware/hash/godzilla-webshell.yaml @@ -0,0 +1,19 @@ +id: godzilla-webshell +info: + name: Godzilla Webshell - Detect + author: pussycat0x + severity: info + description: Detects the JSP implementation of the Godzilla Webshell. + reference: + - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar + - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ + tags: malware,webshells + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe'" \ No newline at end of file diff --git a/file/malware/hash/ico-malware.yaml b/file/malware/hash/ico-malware.yaml new file mode 100644 index 0000000000..0e9dfa61f4 --- /dev/null +++ b/file/malware/hash/ico-malware.yaml @@ -0,0 +1,26 @@ +id: ico-malware +info: + name: ICO Malware - Detect + author: pussycat0x + severity: info + description: Detection of malicious ICO files used in 3CX compromise + reference: + - https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/indicators/rules.yar + tags: malware,UTA0040 + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c'" + - "sha256(raw) == 'a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67'" + - "sha256(raw) == '8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423'" + - "sha256(raw) == 'f79c3b0adb6ec7bcc8bc9ae955a1571aaed6755a28c8b17b1d7595ee86840952'" + - "sha256(raw) == '7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896'" + - "sha256(raw) == 'aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868'" + condition: or + + diff --git a/file/malware/hash/powerstar-malware.yaml b/file/malware/hash/powerstar-malware.yaml new file mode 100644 index 0000000000..8efae04aec --- /dev/null 
+++ b/file/malware/hash/powerstar-malware.yaml @@ -0,0 +1,22 @@ +id: powerstar-malware +info: + name: PowerStar Malware - Detect + author: pussycat0x + severity: info + description: Detects the batch script used to persist PowerStar via Startup. + reference: + - https://github.com/volexity/threat-intel/blob/main/2023/2023-06-28%20POWERSTAR/indicators/rules.yar + tags: malware,charmingkitten + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '9777f106ac62829cd3cfdbc156100fe892cfc4038f4c29a076e623dc40a60872'" + - "sha256(raw) == '977cf5cc1d0c61b7364edcf397e5c67d910fac628c6c9a41cf9c73b3720ce67f'" + - "sha256(raw) == 'b79d28fe5e3c988bb5aadb12ce442d53291dbb9ede0c7d9d64eec078beba5585'" + - "sha256(raw) == 'de99c4fa14d99af791826a170b57a70b8265fee61c6b6278d3fe0aad98e85460'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/regeorg-webshell.yaml b/file/malware/hash/regeorg-webshell.yaml new file mode 100644 index 0000000000..f4520f0c64 --- /dev/null +++ b/file/malware/hash/regeorg-webshell.yaml @@ -0,0 +1,19 @@ +id: regeorg-webshel +info: + name: ReGeorg Webshell - Detect + author: pussycat0x + severity: info + description: Detects the reGeorg webshells' JSP version. + reference: + - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar + - https://github.com/SecWiki/WebShell-2/blob/master/reGeorg-master/tunnel.jsp + tags: malware,webshells + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'f9b20324f4239a8c82042d8207e35776d6777b6305974964cd9ccc09d431b845'" diff --git a/file/malware/hash/rokrat-malware.yaml b/file/malware/hash/rokrat-malware.yaml new file mode 100644 index 0000000000..0f5cd8f94e --- /dev/null +++ b/file/malware/hash/rokrat-malware.yaml 
@@ -0,0 +1,22 @@ +id: rokrat-malware +info: + name: Rokrat Malware - Detect + author: pussycat0x + severity: info + description: Ruby loader seen loading the ROKRAT malware family. + reference: + - https://github.com/volexity/threat-intel/blob/main/2021/2021-08-24%20-%20InkySquid%20Part%202/indicators/yara.yar + tags: malware,inkysquid + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '5bc52f6c1c0d0131cee30b4f192ce738ad70bcb56e84180f464a5125d1a784b2'" + - "sha256(raw) == '80269413be6ad51b8b19631b2f5559c9572842e789bbce031babe6e879d2e120'" + - "sha256(raw) == '6a452d088d60113f623b852f33f8f9acf0d4197af29781f889613fed38f57855'" + - "sha256(raw) == '85cd5c3bb028fe6931130ccd5d0b0c535c01ce2bcda660a3b72581a1a5382904'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/sharpext-malware.yaml b/file/malware/hash/sharpext-malware.yaml new file mode 100644 index 0000000000..c87c46c689 --- /dev/null +++ b/file/malware/hash/sharpext-malware.yaml @@ -0,0 +1,21 @@ +id: sharpext-malware +info: + name: Sharpext Malware - Detect + author: pussycat0x + severity: info + description: A malicious Chrome browser extension used by the SharpTongue threat actor to steal mail data from a victim. + reference: + - https://github.com/volexity/threat-intel/blob/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/yara.yar + tags: malware,sharptongue + +file: + - extensions: + - all + + matchers: + - type: dsl + dsl: + - "sha256(raw) == '1c9664513fe226beb53268b58b11dacc35b80a12c50c22b76382304badf4eb00'" + - "sha256(raw) == '6025c66c2eaae30c0349731beb8a95f8a5ba1180c5481e9a49d474f4e1bb76a4'" + - "sha256(raw) == '6594b75939bcdab4253172f0fa9066c8aee2fa4911bd5a03421aeb7edcd9c90c'" + condition: or \ No newline at end of file From fab0724d757b8703ad9b6dc5ea9798a048a3475c Mon Sep 17 00:00:00 2001 
From: Dhiyaneshwaran Date: Thu, 20 Jun 2024 09:41:25 +0530 Subject: [PATCH 2/8] trail space fix --- file/malware/hash/ico-malware.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/file/malware/hash/ico-malware.yaml b/file/malware/hash/ico-malware.yaml index 0e9dfa61f4..0dd5dd4b2a 100644 --- a/file/malware/hash/ico-malware.yaml +++ b/file/malware/hash/ico-malware.yaml @@ -22,5 +22,3 @@ file: - "sha256(raw) == '7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896'" - "sha256(raw) == 'aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868'" condition: or - - From 11cdad400290d8c4c73753bc01610ed268594351 Mon Sep 17 00:00:00 2001 
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Thu, 20 Jun 2024 15:12:34 +0530 Subject: [PATCH 3/8] New - Templates --- .../hash/anthem-deeppanda-malware-hash.yaml | 21 +++++++++ ...lware.yaml => applejeus-malware-hash.yaml} | 4 +- ...alware.yaml => avburner-malware-hash.yaml} | 4 +- ...alware.yaml => backwash-malware-hash.yaml} | 7 +-- .../hash/blackenergy-driver-amdide-hash.yaml | 24 ++++++++++ .../hash/blackenergy-driver-malware-hash.yaml | 26 +++++++++++ .../blackenergy-killdisk-malware-hash.yaml | 22 +++++++++ .../hash/blackenergy-ssh-malware-hash.yaml | 18 ++++++++ .../hash/blackenergy-vbs-malware-hash.yaml | 20 +++++++++ ...lware.yaml => bluelight-malware-hash.yaml} | 4 +- .../hash/bluetermite-emdivi-malware-hash.yaml | 33 ++++++++++++++ .../hash/bluetermite-emdivi-sfx-hash.yaml | 20 +++++++++ ...yaml => charmingcypress-malware-hash.yaml} | 6 +-- .../hash/cheshirecat-malware-hash.yaml | 22 +++++++++ file/malware/hash/cloudduke-malware-hash.yaml | 33 ++++++++++++++ file/malware/hash/codoso-gh0st-malware.yaml | 22 +++++++++ file/malware/hash/codoso-malware-hash.yaml | 26 +++++++++++ .../malware/hash/codoso-pgv-malware-hash.yaml | 23 ++++++++++ .../hash/codoso-plugx-malware-hash.yaml | 24 ++++++++++ ...lware.yaml => disgomoji-malware-hash.yaml} | 6 +-- file/malware/hash/dubnium-malware-hash.yaml | 43 ++++++++++++++++++ .../hash/dubnium-sshopenssl-malware-hash.yaml | 25 +++++++++++ file/malware/hash/emissary-malware-hash.yaml | 32 +++++++++++++ ...ware.yaml => evilbamboo-malware-hash.yaml} | 4 +- file/malware/hash/fakem-malware-hash.yaml | 30 +++++++++++++ ...alware.yaml => flipflop-malware-hash.yaml} | 4 +- file/malware/hash/furtim-malware-hash.yaml | 22 +++++++++ ...malware.yaml => gimmick-malware-hash.yaml} | 4 +- ...shell.yaml => godzilla-webshell-hash.yaml} | 4 +- file/malware/hash/greenbug-malware-hash.yaml | 32 +++++++++++++ ...ico-malware.yaml => ico-malware-hash.yaml} | 6 +-- .../hash/industroyer-malware-hash.yaml | 28 
++++++++++++ .../hash/ironPanda-htran-malware-hash.yaml | 21 +++++++++ .../ironpanda-dnstunclient-malware-hash.yaml | 21 +++++++++ file/malware/hash/ironpanda-malware-hash.yaml | 22 +++++++++ file/malware/hash/locky-ransomware-hash.yaml | 21 +++++++++ .../minidionis-readerview-malware-hash.yaml | 26 +++++++++++ .../hash/minidionis-vbs-malware-hash.yaml | 19 ++++++++ .../malware/hash/naikon-apt-malware-hash.yaml | 19 ++++++++ file/malware/hash/neuron2-malware-hash.yaml | 20 +++++++++ file/malware/hash/oilrig-malware-hash.yaml | 45 +++++++++++++++++++ .../hash/passcv-ntscan-malware-hash.yaml | 19 ++++++++ .../hash/passcv-sabre-malware-hash.yaml | 29 ++++++++++++ .../hash/passcv-signingcert-malware-hash.yaml | 21 +++++++++ file/malware/hash/petya-ransomware-hash.yaml | 19 ++++++++ .../poseidongroup-maldoc-malware-hash.yaml | 27 +++++++++++ .../hash/poseidongroup-malware-hash.yaml | 26 +++++++++++ ...lware.yaml => powerstar-malware-hash.yaml} | 4 +- .../malware/hash/purplewave-malware-hash.yaml | 27 +++++++++++ .../malware/hash/red-leaves-malware-hash.yaml | 21 +++++++++ ...bshell.yaml => regeorg-webshell-hash.yaml} | 4 +- file/malware/hash/revil-ransomware-hash.yaml | 22 +++++++++ file/malware/hash/rokrat-malware-hash.yaml | 20 +++++++++ file/malware/hash/rokrat-malware.yaml | 22 --------- file/malware/hash/sauron-malware-hash.yaml | 26 +++++++++++ file/malware/hash/seaduke-malware-hash.yaml | 19 ++++++++ file/malware/hash/sfx1-malware-hash.yaml | 21 +++++++++ .../hash/sfxrar-acrotray-malware-hash.yaml | 21 +++++++++ ...alware.yaml => sharpext-malware-hash.yaml} | 4 +- .../hash/sofacy-Winexe-malware-hash.yaml | 20 +++++++++ .../hash/sofacy-bundestag-malware-hash.yaml | 22 +++++++++ .../hash/sofacy-fybis-malware-hash.yaml | 21 +++++++++ file/malware/hash/tidepool-malware-hash.yaml | 24 ++++++++++ file/malware/hash/turla-malware-hash.yaml | 29 ++++++++++++ file/malware/hash/unit78020-malware-hash.yaml | 26 +++++++++++ .../hash/wildneutron-malware-hash.yaml | 31 
+++++++++++++ 66 files changed, 1284 insertions(+), 54 deletions(-) create mode 100644 file/malware/hash/anthem-deeppanda-malware-hash.yaml rename file/malware/hash/{applejeus-malware.yaml => applejeus-malware-hash.yaml} (90%) rename file/malware/hash/{avburner-malware.yaml => avburner-malware-hash.yaml} (82%) rename file/malware/hash/{backwash-malware.yaml => backwash-malware-hash.yaml} (88%) create mode 100644 file/malware/hash/blackenergy-driver-amdide-hash.yaml create mode 100644 file/malware/hash/blackenergy-driver-malware-hash.yaml create mode 100644 file/malware/hash/blackenergy-killdisk-malware-hash.yaml create mode 100644 file/malware/hash/blackenergy-ssh-malware-hash.yaml create mode 100644 file/malware/hash/blackenergy-vbs-malware-hash.yaml rename file/malware/hash/{bluelight-malware.yaml => bluelight-malware-hash.yaml} (88%) create mode 100644 file/malware/hash/bluetermite-emdivi-malware-hash.yaml create mode 100644 file/malware/hash/bluetermite-emdivi-sfx-hash.yaml rename file/malware/hash/{charmingcypress-malware.yaml => charmingcypress-malware-hash.yaml} (69%) create mode 100644 file/malware/hash/cheshirecat-malware-hash.yaml create mode 100644 file/malware/hash/cloudduke-malware-hash.yaml create mode 100644 file/malware/hash/codoso-gh0st-malware.yaml create mode 100644 file/malware/hash/codoso-malware-hash.yaml create mode 100644 file/malware/hash/codoso-pgv-malware-hash.yaml create mode 100644 file/malware/hash/codoso-plugx-malware-hash.yaml rename file/malware/hash/{disgomoji-malware.yaml => disgomoji-malware-hash.yaml} (75%) create mode 100644 file/malware/hash/dubnium-malware-hash.yaml create mode 100644 file/malware/hash/dubnium-sshopenssl-malware-hash.yaml create mode 100644 file/malware/hash/emissary-malware-hash.yaml rename file/malware/hash/{evilbamboo-malware.yaml => evilbamboo-malware-hash.yaml} (96%) create mode 100644 file/malware/hash/fakem-malware-hash.yaml rename file/malware/hash/{flipflop-malware.yaml => flipflop-malware-hash.yaml} 
(90%) create mode 100644 file/malware/hash/furtim-malware-hash.yaml rename file/malware/hash/{gimmick-malware.yaml => gimmick-malware-hash.yaml} (80%) rename file/malware/hash/{godzilla-webshell.yaml => godzilla-webshell-hash.yaml} (84%) create mode 100644 file/malware/hash/greenbug-malware-hash.yaml rename file/malware/hash/{ico-malware.yaml => ico-malware-hash.yaml} (92%) create mode 100644 file/malware/hash/industroyer-malware-hash.yaml create mode 100644 file/malware/hash/ironPanda-htran-malware-hash.yaml create mode 100644 file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml create mode 100644 file/malware/hash/ironpanda-malware-hash.yaml create mode 100644 file/malware/hash/locky-ransomware-hash.yaml create mode 100644 file/malware/hash/minidionis-readerview-malware-hash.yaml create mode 100644 file/malware/hash/minidionis-vbs-malware-hash.yaml create mode 100644 file/malware/hash/naikon-apt-malware-hash.yaml create mode 100644 file/malware/hash/neuron2-malware-hash.yaml create mode 100644 file/malware/hash/oilrig-malware-hash.yaml create mode 100644 file/malware/hash/passcv-ntscan-malware-hash.yaml create mode 100644 file/malware/hash/passcv-sabre-malware-hash.yaml create mode 100644 file/malware/hash/passcv-signingcert-malware-hash.yaml create mode 100644 file/malware/hash/petya-ransomware-hash.yaml create mode 100644 file/malware/hash/poseidongroup-maldoc-malware-hash.yaml create mode 100644 file/malware/hash/poseidongroup-malware-hash.yaml rename file/malware/hash/{powerstar-malware.yaml => powerstar-malware-hash.yaml} (89%) create mode 100644 file/malware/hash/purplewave-malware-hash.yaml create mode 100644 file/malware/hash/red-leaves-malware-hash.yaml rename file/malware/hash/{regeorg-webshell.yaml => regeorg-webshell-hash.yaml} (89%) create mode 100644 file/malware/hash/revil-ransomware-hash.yaml create mode 100644 file/malware/hash/rokrat-malware-hash.yaml delete mode 100644 file/malware/hash/rokrat-malware.yaml create mode 100644 
file/malware/hash/sauron-malware-hash.yaml create mode 100644 file/malware/hash/seaduke-malware-hash.yaml create mode 100644 file/malware/hash/sfx1-malware-hash.yaml create mode 100644 file/malware/hash/sfxrar-acrotray-malware-hash.yaml rename file/malware/hash/{sharpext-malware.yaml => sharpext-malware-hash.yaml} (89%) create mode 100644 file/malware/hash/sofacy-Winexe-malware-hash.yaml create mode 100644 file/malware/hash/sofacy-bundestag-malware-hash.yaml create mode 100644 file/malware/hash/sofacy-fybis-malware-hash.yaml create mode 100644 file/malware/hash/tidepool-malware-hash.yaml create mode 100644 file/malware/hash/turla-malware-hash.yaml create mode 100644 file/malware/hash/unit78020-malware-hash.yaml create mode 100644 file/malware/hash/wildneutron-malware-hash.yaml diff --git a/file/malware/hash/anthem-deeppanda-malware-hash.yaml b/file/malware/hash/anthem-deeppanda-malware-hash.yaml new file mode 100644 index 0000000000..bda4cb8072 --- /dev/null +++ b/file/malware/hash/anthem-deeppanda-malware-hash.yaml @@ -0,0 +1,21 @@ +id: anthem-deeppanda-malware-hash +info: + name: Anthem DeepPanda Trojan Kakfum Malware Hash - Detect + author: pussycat0x + severity: info + description: | + Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll + reference: + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_DeepPanda_Anthem.yar + tags: malware,deeppanda + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'" + - "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'" + condition: or diff --git a/file/malware/hash/applejeus-malware.yaml b/file/malware/hash/applejeus-malware-hash.yaml similarity index 90% rename from file/malware/hash/applejeus-malware.yaml rename to file/malware/hash/applejeus-malware-hash.yaml index 28ea397f81..264e79f7ca 100644 --- a/file/malware/hash/applejeus-malware.yaml 
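Review bot: In anthem-deeppanda-malware-hash.yaml the `file:` section is written as a mapping (`file:` directly followed by `extensions:` and `matchers:` with `type: dsl`), whereas the other templates in this series define `file` as a list of requests (`- extensions:`) and `matchers` as a list (`- type: dsl`), which is the shape nuclei's file protocol expects; in the mapping form the template is likely to fail to load. Rewrite the stanza in list form, matching applejeus-malware-hash.yaml. The same mapping form appears in the blackenergy-driver-amdide-hash.yaml and blackenergy-driver-malware-hash.yaml hunks.
```yaml
file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          # … unchanged: the two sha256(raw) entries …
        condition: or
```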
+++ b/file/malware/hash/applejeus-malware-hash.yaml @@ -1,6 +1,6 @@ -id: applejeus-malware +id: applejeus-malware-hash info: - name: AppleJeus Malware - Detect + name: AppleJeus Malware Hash - Detect author: pussycat0x severity: info description: Detects AppleJeus DLL samples diff --git a/file/malware/hash/avburner-malware.yaml b/file/malware/hash/avburner-malware-hash.yaml similarity index 82% rename from file/malware/hash/avburner-malware.yaml rename to file/malware/hash/avburner-malware-hash.yaml index 6940444fbb..eb752d4cc3 100644 --- a/file/malware/hash/avburner-malware.yaml +++ b/file/malware/hash/avburner-malware-hash.yaml @@ -1,6 +1,6 @@ -id: avburner-malware +id: avburner-malware-hash info: - name: AVBurner Malware - Detect + name: AVBurner Malware Hash - Detect author: pussycat0x severity: info description: Detects AVBurner based on a combination of API calls used, hard-coded strings, and bytecode patterns diff --git a/file/malware/hash/backwash-malware.yaml b/file/malware/hash/backwash-malware-hash.yaml similarity index 88% rename from file/malware/hash/backwash-malware.yaml rename to file/malware/hash/backwash-malware-hash.yaml index 2ab1e9ef56..9e998264cf 100644 --- a/file/malware/hash/backwash-malware.yaml +++ b/file/malware/hash/backwash-malware-hash.yaml @@ -1,9 +1,10 @@ -id: backwash-malware +id: backwash-malware-hash info: - name: Backwash Malware - Detect + name: Backwash Malware Hash - Detect author: pussycat0x severity: info - description: CPP loader for the Backwash malware. + description: | + CPP loader for the Backwash malware. reference: - https://github.com/volexity/threat-intel/blob/main/2021/2021-12-06%20-%20XEGroup/indicators/yara.yar - https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/ diff --git a/file/malware/hash/blackenergy-driver-amdide-hash.yaml b/file/malware/hash/blackenergy-driver-amdide-hash.yaml new file mode 100644 index 0000000000..80eea4d57a --- /dev/null 
+++ b/file/malware/hash/blackenergy-driver-amdide-hash.yaml @@ -0,0 +1,24 @@ +id: blackenergy-driver-amdide-hash +info: + name: Blackenergy-Driver Amdide Hash - Detect + description: | + Detects the AMDIDE driver from BlackEnergy malware + reference: + - http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/ + tag: malware,blackenergy + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'" + - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'" + - "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'" + - "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'" + - "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'" + - "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'" + - "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'" + condition: or diff --git a/file/malware/hash/blackenergy-driver-malware-hash.yaml b/file/malware/hash/blackenergy-driver-malware-hash.yaml new file mode 100644 index 0000000000..7f3f98507e --- /dev/null +++ b/file/malware/hash/blackenergy-driver-malware-hash.yaml 
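Review bot: blackenergy-driver-amdide-hash.yaml is missing the `author` and `severity` keys that every other template in the series carries, and its tag line is spelled `tag:` instead of `tags:`, so the template will carry no tags and may be rejected by template validation. Add `author: pussycat0x` and `severity: info` after `name`, and change the line to `tags: malware,blackenergy`.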
@@ -0,0 +1,26 @@ +id: blackenergy-driver-malware-hash +info: + name: BlackEnergy Driver USBMDM Malware Hash - Detect + author: pussycat0x + severity: info + description: Auto-generated rule - detects BlackEnergy Driver USBMDM malware + reference: + - http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry + tags: malware,blackenergy + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'" + - "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'" + - "sha256(raw) == 'edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281'" + - "sha256(raw) == 'ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc'" + - "sha256(raw) == '7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291'" + - "sha256(raw) == '405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5'" + - "sha256(raw) == '244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5'" + - "sha256(raw) == 'edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf'" + condition: or diff --git a/file/malware/hash/blackenergy-killdisk-malware-hash.yaml b/file/malware/hash/blackenergy-killdisk-malware-hash.yaml new file mode 100644 index 0000000000..4896d043f0 --- /dev/null +++ b/file/malware/hash/blackenergy-killdisk-malware-hash.yaml 
@@ -0,0 +1,22 @@
+id: blackenergy-killdisk-malware-hash
+info:
+ name: BlackEnergy KillDisk Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects KillDisk malware from BlackEnergy
+ reference:
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
+ tags: malware,blackenergy
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80'"
+ - "sha256(raw) == '5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6'"
+ - "sha256(raw) == 'c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d'"
+ - "sha256(raw) == 'f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/blackenergy-ssh-malware-hash.yaml b/file/malware/hash/blackenergy-ssh-malware-hash.yaml
new file mode 100644
index 0000000000..3e0f76619f
--- /dev/null
+++ b/file/malware/hash/blackenergy-ssh-malware-hash.yaml
@@ -0,0 +1,18 @@
+id: blackenergy-ssh-malware-hash
+info:
+ name: BlackEnergy BackdoorPass DropBear SSH Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects the password of the backdoored DropBear SSH Server - BlackEnergy
+ reference:
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
+ tags: malware,blackenergy
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd'"
\ No newline at end of file
diff --git a/file/malware/hash/blackenergy-vbs-malware-hash.yaml b/file/malware/hash/blackenergy-vbs-malware-hash.yaml
new file mode 100644
index 0000000000..56f011ddb6
--- /dev/null
+++ b/file/malware/hash/blackenergy-vbs-malware-hash.yaml
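Review bot: In the blackenergy-ssh-malware-hash hunk the description `Detects the password of the backdoored DropBear SSH Server - BlackEnergy` reads like the string-match wording of the referenced YARA rule, but this template only compares `sha256(raw)` against a single hash, so it detects one specific sample of the backdoored DropBear build rather than a password; `description: Detects a known sample of the backdoored DropBear SSH server used by BlackEnergy` would state what the matcher actually checks. That one hash, `0969daac…a161cd`, is listed again in the blackenergy-vbs-malware-hash template in the next hunk, so a single file will raise both findings; if that is intended, a comment on the vbs entry saying so would save triage time.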
@@ -0,0 +1,20 @@
+id: blackenergy-vbs-malware-hash
+info:
+ name: BlackEnergy VBS Agent Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs
+ reference:
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
+ tags: malware,blackenergy
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f'"
+ - "sha256(raw) == '0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd'"
+ condition: or
diff --git a/file/malware/hash/bluelight-malware.yaml b/file/malware/hash/bluelight-malware-hash.yaml
similarity index 88%
rename from file/malware/hash/bluelight-malware.yaml
rename to file/malware/hash/bluelight-malware-hash.yaml
index 4f332d37ab..2dca1ca113 100644
--- a/file/malware/hash/bluelight-malware.yaml
+++ b/file/malware/hash/bluelight-malware-hash.yaml
@@ -1,6 +1,6 @@
-id: bluelight-malware
+id: bluelight-malware-hash
 info:
- name: bluelight Malware - Detect
+ name: bluelight Malware Hash - Detect
 author: pussycat0x
 severity: info
 description: North Korean origin malware which uses a custom Google App for C2 communications.
diff --git a/file/malware/hash/bluetermite-emdivi-malware-hash.yaml b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml
new file mode 100644
index 0000000000..040782d212
--- /dev/null
+++ b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml
@@ -0,0 +1,33 @@
+id: bluetermite-emdivi-malware-hash
+info:
+ name: Bluetermite Emdivi Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Bluetermite_Emdivi.yar
+ - https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/
+ tags: malware,bluetermite
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'"
+ - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'"
+ - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'"
+ - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'"
+ - "sha256(raw) == '9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1'"
+ - "sha256(raw) == 'a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012'"
+ - "sha256(raw) == '9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4'"
+ - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'"
+ - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'"
+ - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'"
+ - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'"
+ - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'"
+ - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'"
+ - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'"
+ - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml
new file mode 100644
index 0000000000..05e5bb88e2
--- /dev/null
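Review bot: Six of the fifteen `sha256(raw)` expressions in the `dsl` list are exact repeats (`008f4f14…`, `17e646ca…`, `3553c136…`, `6a331c4e…`, `90d07ea2…` and `a94bf485…` each appear twice), which adds nothing under `condition: or` and makes the list look like it carries more coverage than it does; dedupe it to the nine unique hashes. The same repetition occurs in the cloudduke, codoso-pgv, codoso-plugx, dubnium and greenbug hunks, and codoso-plugx lists `74e1e83a…` three times for only two unique values in its four entries.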
+++ b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml
@@ -0,0 +1,20 @@
+id: bluetermite-emdivi-sfx-hash
+info:
+ name: Bluetermite Emdivi SFX Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Bluetermite_Emdivi.yar
+ tags: malware,bluetermite
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'"
+ - "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'"
+ condition: or
diff --git a/file/malware/hash/charmingcypress-malware.yaml b/file/malware/hash/charmingcypress-malware-hash.yaml
similarity index 69%
rename from file/malware/hash/charmingcypress-malware.yaml
rename to file/malware/hash/charmingcypress-malware-hash.yaml
index 8bf7abed98..954f146f87 100644
--- a/file/malware/hash/charmingcypress-malware.yaml
+++ b/file/malware/hash/charmingcypress-malware-hash.yaml
@@ -1,11 +1,11 @@
-id: charmingcypress-malware
+id: charmingcypress-malware-hash
 info:
- name: CharmingCypress Malware - Detect
+ name: CharmingCypress Malware Hash - Detect
 author: pussycat0x
 severity: info
 reference:
 - https://github.com/volexity/threat-intel/blob/main/2024/2024-02-13%20CharmingCypress/rules.yar
- tags: malware
+ tags: malware,cypress
 file:
 - extensions:
diff --git a/file/malware/hash/cheshirecat-malware-hash.yaml b/file/malware/hash/cheshirecat-malware-hash.yaml
new file mode 100644
index 0000000000..351a05e2fb
--- /dev/null
+++ b/file/malware/hash/cheshirecat-malware-hash.yaml
@@ -0,0 +1,22 @@
+id: cheshirecat-malware-hash
+info:
+ name: CheshireCat Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_CheshireCat.yar
+ tags: malware,apt
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'"
+ - "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'"
+ - "sha256(raw) == '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb'"
+ - "sha256(raw) == 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532'"
+ condition: or
diff --git a/file/malware/hash/cloudduke-malware-hash.yaml b/file/malware/hash/cloudduke-malware-hash.yaml
new file mode 100644
index 0000000000..5d753b6036
--- /dev/null
+++ b/file/malware/hash/cloudduke-malware-hash.yaml
@@ -0,0 +1,33 @@
+id: cloudduke-malware-hash
+info:
+ name: CloudDuke Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://www.f-secure.com/weblog/archives/00002822.html
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Cloudduke.yar
+ tags: malware,apt
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+ - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
+ - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'"
+ - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+ - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'"
+ - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
+ - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
+ - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+ - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
+ - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
+ - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
+ - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
+ - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
+ - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
+ - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/codoso-gh0st-malware.yaml b/file/malware/hash/codoso-gh0st-malware.yaml
new file mode 100644
index 0000000000..976e2255a8
--- /dev/null
+++ b/file/malware/hash/codoso-gh0st-malware.yaml
@@ -0,0 +1,22 @@
+id: codoso-gh0st-malware
+info:
+ name: Codoso APT Gh0st Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+ tags: malware,apt,codoso
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'"
+ - "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'"
+ - "sha256(raw) == '7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8'"
+ - "sha256(raw) == 'd7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297'"
+ condition: or
diff --git a/file/malware/hash/codoso-malware-hash.yaml b/file/malware/hash/codoso-malware-hash.yaml
new file mode 100644
index 0000000000..4486e11cce
--- /dev/null
+++ b/file/malware/hash/codoso-malware-hash.yaml
@@ -0,0 +1,26 @@
+id: codoso-malware-hash
+info:
+ name: Codoso APT Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Codoso APT Malware.
+ reference:
+ - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+ tags: malware,apt,codoso
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'"
+ - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'"
+ - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'"
+ - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'"
+ - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'"
+ - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'"
+ condition: or
diff --git a/file/malware/hash/codoso-pgv-malware-hash.yaml b/file/malware/hash/codoso-pgv-malware-hash.yaml
new file mode 100644
index 0000000000..4927e17366
--- /dev/null
+++ b/file/malware/hash/codoso-pgv-malware-hash.yaml
@@ -0,0 +1,23 @@
+id: codoso-pgv-malware-hash
+info:
+ name: Codoso APT PGV_PVID Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Codoso APT PGV_PVID Malware
+ reference:
+ - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+ tags: malware,apt,codoso
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
+ - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'"
+ - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'"
+ - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
\ No newline at end of file
diff --git a/file/malware/hash/codoso-plugx-malware-hash.yaml b/file/malware/hash/codoso-plugx-malware-hash.yaml
new file mode 100644
index 0000000000..6f28c6c836
--- /dev/null
+++ b/file/malware/hash/codoso-plugx-malware-hash.yaml
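Review bot: The `dsl` list holds four expressions but, unlike every other multi-hash template in this commit, no `condition: or` follows it, so the outcome depends on the matcher's default condition rather than on what the template states; add `condition: or` after the last hash so the intent is explicit and the templates stay uniform. The file also ends without a trailing newline (`\ No newline at end of file`), as do the killdisk, ssh, bluetermite, cloudduke and greenbug templates.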
@@ -0,0 +1,24 @@
+id: codoso-plugx-malware-hash
+info:
+ name: Codoso APT PlugX Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Codoso APT PlugX Malware.
+ reference:
+ - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
+ tags: malware,apt,codoso
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+ - "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'"
+ - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+ - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+ condition: or
diff --git a/file/malware/hash/disgomoji-malware.yaml b/file/malware/hash/disgomoji-malware-hash.yaml
similarity index 75%
rename from file/malware/hash/disgomoji-malware.yaml
rename to file/malware/hash/disgomoji-malware-hash.yaml
index 422d33e3e0..13236031c7 100644
--- a/file/malware/hash/disgomoji-malware.yaml
+++ b/file/malware/hash/disgomoji-malware-hash.yaml
@@ -1,12 +1,12 @@
-id: disgomoji-malware
+id: disgomoji-malware-hash
 info:
- name: DISGOMOJI Malware - Detect
+ name: DISGOMOJI Malware Hash - Detect
 author: pussycat0x
 severity: info
 description: Detects DISGOMOJI modules based on strings in the ELF.
 reference:
 - https://github.com/volexity/threat-intel/blob/main/2024/2024-06-13%20DISGOMOJI/indicators/rules.yar
- tags: malware
+ tags: malware,disgomoji
 file:
 - extensions:
diff --git a/file/malware/hash/dubnium-malware-hash.yaml b/file/malware/hash/dubnium-malware-hash.yaml
new file mode 100644
index 0000000000..fdfa9dcd68
--- /dev/null
+++ b/file/malware/hash/dubnium-malware-hash.yaml
@@ -0,0 +1,43 @@
+id: dubnium-malware-hash
+info:
+ name: Dubnium Malware Hash - Detect
+ author: pussycat0x
+ description: |
+ Detects sample mentioned in the Dubnium Report
+ reference:
+ - https://goo.gl/AW9Cuu
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Dubnium.yar
+ tags: malware,dubnium
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'"
+ - "sha256(raw) == 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5'"
+ - "sha256(raw) == 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827'"
+ - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+ - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+ - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+ - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
+ - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+ - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+ - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+ - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
+ - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+ - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+ - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+ - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+ - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+ - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+ condition: or
diff --git a/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml
new file mode 100644
index 0000000000..05606c7e0f
--- /dev/null
+++ b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml
@@ -0,0 +1,25 @@
+id: dubnium-sshopenssl-malware-hash
+info:
+ name: Dubnium Sample SSHOpenSSL Hash - Detect
+ author: pussycat0x
+ description: |
+ Detects sample mentioned in the Dubnium Report
+ reference:
+ - https://goo.gl/AW9Cuu
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Dubnium.yar
+ tags: malware,Dubnium,apt
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+ - "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+ - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+ - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+ - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+ - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+ condition: or
diff --git a/file/malware/hash/emissary-malware-hash.yaml b/file/malware/hash/emissary-malware-hash.yaml
new file mode 100644
index 0000000000..dd2cdda30a
--- /dev/null
+++ b/file/malware/hash/emissary-malware-hash.yaml
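Review bot: `info` in the dubnium-malware-hash hunk has no `severity` field, while the rest of the new templates set `severity: info`; the dubnium-sshopenssl and emissary templates omit it as well, so add `severity: info` under `author` in all three. The first `reference` entry is a shortened `https://goo.gl/AW9Cuu` link, which gives a reader no way to judge the source without following it and stops working if the shortener is retired; replace it with the canonical report URL (placeholder: `<original-report-url>`). The same shortened links appear in the emissary, greenbug, ironpanda, locky and naikon hunks.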
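Review bot: In the dubnium-sshopenssl-malware-hash hunk the first two hashes, `6f0b05d5…d5a4c06b` and `feaad03f…344fb4e8`, are 63 hex characters long, so `sha256(raw) == '…'` can never be true for them; they match the dubnium template's `16f0b05d…` and `1feaad03…` with the leading `1` dropped, so restore that character or re-copy both values from the source rule. `319a001d…be67ee6` in the greenbug hunk is also 63 characters and needs the same check. The tag `Dubnium` is mixed-case whereas the ico rename in this same commit lowercases `UTA0040` to `uta0040`; `Greenbug` and `IronPanda` in the greenbug and ironpanda-malware hunks have the same inconsistency, so lowercase all three.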
@@ -0,0 +1,32 @@
+id: emissary-malware-hash
+info:
+ name: Emissary APT Malware Hash - Detect
+ author: pussycat0x
+ description: |
+ Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll
+ reference:
+ - http://goo.gl/V0epcf
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Emissary.yar
+ tags: malware,emissary,apt
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'"
+ - "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'"
+ - "sha256(raw) == '0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290'"
+ - "sha256(raw) == '69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664'"
+ - "sha256(raw) == '675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc'"
+ - "sha256(raw) == 'e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b'"
+ - "sha256(raw) == 'a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8'"
+ - "sha256(raw) == 'acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9'"
+ - "sha256(raw) == 'e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d'"
+ - "sha256(raw) == 'e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538'"
+ - "sha256(raw) == '29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051'"
+ - "sha256(raw) == '98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0'"
+ - "sha256(raw) == 'fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb'"
+ condition: or
diff --git a/file/malware/hash/evilbamboo-malware.yaml b/file/malware/hash/evilbamboo-malware-hash.yaml
similarity index 96%
rename from file/malware/hash/evilbamboo-malware.yaml
rename to file/malware/hash/evilbamboo-malware-hash.yaml
index 8d833598eb..705f65971c 100644
--- a/file/malware/hash/evilbamboo-malware.yaml
+++ b/file/malware/hash/evilbamboo-malware-hash.yaml
@@ -1,6 +1,6 @@
-id: evilbamboo-malware
+id: evilbamboo-malware-hash
 info:
- name: EvilBamboo Malware - Detect
+ name: EvilBamboo Malware Hash - Detect
 author: pussycat0x
 severity: info
 description: |
diff --git a/file/malware/hash/fakem-malware-hash.yaml b/file/malware/hash/fakem-malware-hash.yaml
new file mode 100644
index 0000000000..7c544868af
--- /dev/null
+++ b/file/malware/hash/fakem-malware-hash.yaml
@@ -0,0 +1,30 @@
+id: fakem-malware-hash
+info:
+ name: FakeM_Generic Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects FakeM malware samples
+ reference:
+ - http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FakeM.yar
+ tags: malware,apt,fakem
+
+file:
+ extensions:
+ - all
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'"
+ - "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'"
+ - "sha256(raw) == '53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60'"
+ - "sha256(raw) == '4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3'"
+ - "sha256(raw) == '7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8'"
+ - "sha256(raw) == '12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d'"
+ - "sha256(raw) == '9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5'"
+ - "sha256(raw) == '3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90'"
+ - "sha256(raw) == '41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33'"
+ - "sha256(raw) == '53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e'"
+ - "sha256(raw) == '523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b'"
+ condition: or
diff --git a/file/malware/hash/flipflop-malware.yaml b/file/malware/hash/flipflop-malware-hash.yaml
similarity index 90%
rename from file/malware/hash/flipflop-malware.yaml
rename to file/malware/hash/flipflop-malware-hash.yaml
index a59d2b88a0..b466390428 100644
--- a/file/malware/hash/flipflop-malware.yaml
+++ b/file/malware/hash/flipflop-malware-hash.yaml
@@ -1,6 +1,6 @@
-id: flipflop-ldr-malware
+id: flipflop-ldr-malware-hash
 info:
- name: Flipflop Loader - Detect
+ name: Flipflop Loader Hash - Detect
 author: pussycat0x
 severity: info
 description: A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.
diff --git a/file/malware/hash/furtim-malware-hash.yaml b/file/malware/hash/furtim-malware-hash.yaml
new file mode 100644
index 0000000000..0b4455f568
--- /dev/null
+++ b/file/malware/hash/furtim-malware-hash.yaml
@@ -0,0 +1,22 @@
+id: furtim-malware-hash
+info:
+ name: Furtim Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Furtim Parent Malware.
+ reference:
+ - https://sentinelone.com/blogs/sfg-furtims-parent/
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_furtim.yar
+ tags: malware,apt,furtim
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'"
+ - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'"
+ condition: or
diff --git a/file/malware/hash/gimmick-malware.yaml b/file/malware/hash/gimmick-malware-hash.yaml
similarity index 80%
rename from file/malware/hash/gimmick-malware.yaml
rename to file/malware/hash/gimmick-malware-hash.yaml
index 2a4065fec8..950936cdfe 100644
--- a/file/malware/hash/gimmick-malware.yaml
+++ b/file/malware/hash/gimmick-malware-hash.yaml
@@ -1,6 +1,6 @@
-id: gimmick-malware
+id: gimmick-malware-hash
 info:
- name: GIMMICK Malware - Detect
+ name: GIMMICK Malware Hash - Detect
 author: pussycat0x
 severity: info
 description: Detects the macOS port of the GIMMICK malware.
diff --git a/file/malware/hash/godzilla-webshell.yaml b/file/malware/hash/godzilla-webshell-hash.yaml
similarity index 84%
rename from file/malware/hash/godzilla-webshell.yaml
rename to file/malware/hash/godzilla-webshell-hash.yaml
index 3866d10a8c..a37489fa00 100644
--- a/file/malware/hash/godzilla-webshell.yaml
+++ b/file/malware/hash/godzilla-webshell-hash.yaml
@@ -1,6 +1,6 @@
-id: godzilla-webshell
+id: godzilla-webshell-hash
 info:
- name: Godzilla Webshell - Detect
+ name: Godzilla Webshell Hash - Detect
 author: pussycat0x
 severity: info
 description: Detects the JSP implementation of the Godzilla Webshell.
diff --git a/file/malware/hash/greenbug-malware-hash.yaml b/file/malware/hash/greenbug-malware-hash.yaml
new file mode 100644
index 0000000000..10ba934f94
--- /dev/null
+++ b/file/malware/hash/greenbug-malware-hash.yaml
@@ -0,0 +1,32 @@
+id: greenbug-malware-hash
+info:
+ name: Greenbug Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Malware from Greenbug Incident
+ reference:
+ - https://goo.gl/urp4CD
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Greenbug.yar
+ tags: malware,Greenbug
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'"
+ - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'"
+ - "sha256(raw) == '21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685'"
+ - "sha256(raw) == '319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'"
+ - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
+ - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
+ - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
+ - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
+ - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
+ - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
+ - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
+ - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/ico-malware.yaml b/file/malware/hash/ico-malware-hash.yaml
similarity index 92%
rename from file/malware/hash/ico-malware.yaml
rename to file/malware/hash/ico-malware-hash.yaml
index 0e9dfa61f4..20282972b6 100644
--- a/file/malware/hash/ico-malware.yaml
+++ b/file/malware/hash/ico-malware-hash.yaml
@@ -1,12 +1,12 @@
-id: ico-malware
+id: ico-malware-hash
 info:
- name: ICO Malware - Detect
+ name: ICO Malware Hash - Detect
 author: pussycat0x
 severity: info
 description: Detection of malicious ICO files used in 3CX compromise
 reference:
 - https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/indicators/rules.yar
- tags: malware,UTA0040
+ tags: malware,uta0040
 file:
 - extensions:
diff --git a/file/malware/hash/industroyer-malware-hash.yaml b/file/malware/hash/industroyer-malware-hash.yaml
new file mode 100644
index 0000000000..9a4ccf54db
--- /dev/null
+++ b/file/malware/hash/industroyer-malware-hash.yaml
@@ -0,0 +1,28 @@
+id: industroyer-malware-hash
+info:
+ name: Industroyer Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Detects Industroyer related malware
+ reference:
+ - https://goo.gl/x81cSy
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Industroyer.yar
+ tags: malware,industroyer,apt
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'"
+ - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'"
+ - "sha256(raw) == '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571'"
+ - "sha256(raw) == '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4'"
+ - "sha256(raw) == 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77'"
+ - "sha256(raw) == '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47'"
+ - "sha256(raw) == '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f'"
+ - "sha256(raw) == '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561'"
+ - "sha256(raw) == '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad'"
+ condition: or
diff --git a/file/malware/hash/ironPanda-htran-malware-hash.yaml b/file/malware/hash/ironPanda-htran-malware-hash.yaml
new file mode 100644
index 0000000000..9044c3a27e
--- /dev/null
+++ b/file/malware/hash/ironPanda-htran-malware-hash.yaml
@@ -0,0 +1,21 @@
+id: ironPanda-htran-malware-hash
+info:
+ name: Iron Panda Malware Htran Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Iron Panda Malware Htran
+ reference:
+ - https://goo.gl/E4qia9
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Irontiger.yar
+ tags: malware,ironpanda
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'"
+
diff --git a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml
new file mode 100644
index 0000000000..78ce70e8ad
--- /dev/null
+++ b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml
@@ -0,0 +1,21 @@
+id: ironpanda-dnstunclient-malware-hash
+info:
+ name: Iron Panda malware DnsTunClient Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Iron Panda malware DnsTunClient - file named.exe
+ reference:
+ - https://goo.gl/E4qia9
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Irontiger.yar
+ tags: malware,ironpanda
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'"
+
diff --git a/file/malware/hash/ironpanda-malware-hash.yaml b/file/malware/hash/ironpanda-malware-hash.yaml
new file mode 100644
index 0000000000..241e17b3cd
--- /dev/null
+++ b/file/malware/hash/ironpanda-malware-hash.yaml
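Review bot: The id `ironPanda-htran-malware-hash` and the filename `ironPanda-htran-malware-hash.yaml` carry a capital `P`, while the sibling added right after it is `ironpanda-dnstunclient-malware-hash` and every other id in the commit is lowercase; rename both to `ironpanda-htran-malware-hash` so the id/filename convention stays uniform and case-sensitive filesystems do not sort it apart from its siblings. The added trailing blank line after the single hash (also present in the dnstunclient and locky hunks) can be dropped.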
@@ -0,0 +1,22 @@
+id: ironpanda-malware-hash
+info:
+ name: Iron Panda Malware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: Iron Panda Malware
+ reference:
+ - https://goo.gl/E4qia9
+ tags: malware,IronPanda
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'"
+ - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'"
+ - "sha256(raw) == '5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742'"
+ - "sha256(raw) == '0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c'"
+ condition: or
diff --git a/file/malware/hash/locky-ransomware-hash.yaml b/file/malware/hash/locky-ransomware-hash.yaml
new file mode 100644
index 0000000000..05dca81de7
--- /dev/null
+++ b/file/malware/hash/locky-ransomware-hash.yaml
@@ -0,0 +1,21 @@
+id: locky-ransomware-hash
+info:
+ name: Locky Ransomware Hash - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detects Locky Ransomware (matches also on Win32/Kuluoz)
+ reference:
+ - https://goo.gl/qScSrE
+ - https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
+ tags: ransomware,malware
+
+file:
+ extensions:
+ - all
+
+ matchers:
+ type: dsl
+ dsl:
+ - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'"
+
diff --git a/file/malware/hash/minidionis-readerview-malware-hash.yaml b/file/malware/hash/minidionis-readerview-malware-hash.yaml
new file mode 100644
index 0000000000..1a03e309bc
--- /dev/null
+++ b/file/malware/hash/minidionis-readerview-malware-hash.yaml
@@ -0,0 +1,26 @@ +id: minidionis-readerview-malware-hash +info: + name: MiniDionis Malware Hash - Detect + author: pussycat0x + severity: info + description: | + MiniDionis Malware - file readerView.exe / adobe.exe + reference: + - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950 + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar + tags: malware,minidionis + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" + - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" + - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" + - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" + condition: or diff --git a/file/malware/hash/minidionis-vbs-malware-hash.yaml b/file/malware/hash/minidionis-vbs-malware-hash.yaml new file mode 100644 index 0000000000..833c4a0c82 --- /dev/null +++ b/file/malware/hash/minidionis-vbs-malware-hash.yaml @@ -0,0 +1,19 @@ +id: minidionis-vbs-malware-hash +info: + name: MiniDionis VBS Dropped File Hash - Detect + author: pussycat0x + severity: info + description: Detect Dropped File - 1.vbs + reference: + - https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/ + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar + tags: malware,minidionis + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'" diff --git a/file/malware/hash/naikon-apt-malware-hash.yaml b/file/malware/hash/naikon-apt-malware-hash.yaml new file mode 100644 index 0000000000..7e7011d5b1 --- /dev/null 
+++ b/file/malware/hash/naikon-apt-malware-hash.yaml @@ -0,0 +1,19 @@ +id: naikon-apt-malware-hash +info: + name: Backdoor Naikon APT Malware Hash - Detect + author: pussycat0x + severity: info + reference: + - https://goo.gl/7vHyvh +tags: malware,naikon + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'" + - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'" + condition: or diff --git a/file/malware/hash/neuron2-malware-hash.yaml b/file/malware/hash/neuron2-malware-hash.yaml new file mode 100644 index 0000000000..d90848501f --- /dev/null +++ b/file/malware/hash/neuron2-malware-hash.yaml @@ -0,0 +1,20 @@ +id: neuron2-malware-hash +info: + name: Neuron2 Loader Strings Turla APT loader Hash - Detect + author: pussycat0x + severity: info + reference: | + - https://www.ncsc.gov.uk/alerts/turla-group-malware + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_Neuron.yar + tags: malware,turla,neuron2,apt + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'" + - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'" + condition: or diff --git a/file/malware/hash/oilrig-malware-hash.yaml b/file/malware/hash/oilrig-malware-hash.yaml new file mode 100644 index 0000000000..62bf87eb9c --- /dev/null +++ b/file/malware/hash/oilrig-malware-hash.yaml 
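Review bot: `tags: malware,naikon` is emitted at column 0 (`+tags:`) while every other key of the `info` block is indented, so it becomes a stray top-level key instead of `info.tags`; depending on whether nuclei's decoder is strict, the template is either rejected for an unknown field or loads silently with no tags. Indent it two spaces under `info:` like the rest of the series. The template also has no `description`, and its only reference is a `goo.gl` shortener; `description: Detects Naikon APT backdoor samples by SHA-256 hash` plus the resolved source URL would make a hit actionable.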
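Review bot: `reference: |` followed by `- https://…` lines makes `reference` one block-scalar string that contains literal `- ` prefixes and a newline, not a YAML list of URLs; as far as I know nuclei accepts `reference` as a string or a list, so the two links end up as a single mangled entry in the rendered template info. Drop the `|` and keep the two list items, as the other templates in this patch do. A `description` is also missing — `description: Detects the Neuron2 loader used by Turla, by SHA-256 hash` would do.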
@@ -0,0 +1,45 @@ +id: oilrig-malware-hash +info: + name: OilRig Malware Campaign Gen1 Hash - Detect + author: pussycat0x + severity: info + description: | + Detects malware from OilRig Campaign + reference: + - https://goo.gl/QMRZ8K + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Oilrig.yar + tags: malware,oilrig,apt + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'" + - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'" + - "sha256(raw) == '662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f'" + - "sha256(raw) == '903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996'" + - "sha256(raw) == 'c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da'" + - "sha256(raw) == '57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4'" + - "sha256(raw) == '1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1'" + - "sha256(raw) == '9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777'" + - "sha256(raw) == '0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e'" + - "sha256(raw) == '4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281'" + - "sha256(raw) == '4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353'" + - "sha256(raw) == 'c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51'" + - "sha256(raw) == 'f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2'" + - "sha256(raw) == '0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39'" + - "sha256(raw) == 'd874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d'" + - "sha256(raw) == '8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9'" + - "sha256(raw) == '55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579'" + - "sha256(raw) == '528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b'" + - "sha256(raw) 
== '93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0'" + - "sha256(raw) == 'e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa'" + - "sha256(raw) == '9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471'" + - "sha256(raw) == 'a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064'" + - "sha256(raw) == '3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff'" + - "sha256(raw) == '3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4'" + - "sha256(raw) == 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e'" + condition: or diff --git a/file/malware/hash/passcv-ntscan-malware-hash.yaml b/file/malware/hash/passcv-ntscan-malware-hash.yaml new file mode 100644 index 0000000000..3a03868558 --- /dev/null +++ b/file/malware/hash/passcv-ntscan-malware-hash.yaml @@ -0,0 +1,19 @@ +id: passcv-ntscan-malware-hash +info: + name: PassCV Sabre Tool NTScan Malware Hash - Detect + author: pussycat0x + severity: info + description: PassCV Malware mentioned in Cylance Report + reference: + - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar + tags: malware,passcv + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'" diff --git a/file/malware/hash/passcv-sabre-malware-hash.yaml b/file/malware/hash/passcv-sabre-malware-hash.yaml new file mode 100644 index 0000000000..f3baf97e41 --- /dev/null +++ b/file/malware/hash/passcv-sabre-malware-hash.yaml 
@@ -0,0 +1,29 @@ +id: passcv-sabre-malware-hash +info: + name: PassCV Sabre Malware Hash - Detect + author: pussycat0x + severity: info + description: | + PassCV Malware mentioned in Cylance Report + reference: + - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar + tags: malware,passcv + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'" + - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'" + - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'" + - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'" + - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'" + - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'" + - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'" + - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'" + - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'" + condition: or diff --git a/file/malware/hash/passcv-signingcert-malware-hash.yaml b/file/malware/hash/passcv-signingcert-malware-hash.yaml new file mode 100644 index 0000000000..665d68140e --- /dev/null +++ b/file/malware/hash/passcv-signingcert-malware-hash.yaml 
@@ -0,0 +1,21 @@ +id: passcv-signingcert-malware-hash +info: + name: PassCV Sabre Malware Signing Cert Hash - Detect + author: pussycat0x + severity: info + description: | + PassCV Malware mentioned in Cylance Report + reference: + - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar + tags: malware,passcv + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'" + diff --git a/file/malware/hash/petya-ransomware-hash.yaml b/file/malware/hash/petya-ransomware-hash.yaml new file mode 100644 index 0000000000..a4ced71871 --- /dev/null +++ b/file/malware/hash/petya-ransomware-hash.yaml @@ -0,0 +1,19 @@ +id: petya-ransomware-hash +info: + name: Petya Ransomware Hash - Detect + author: pussycat0x + severity: info + description: | + Detects Petya Ransomware. + reference: + - http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html +tags: ransomware,malware + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'" diff --git a/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml new file mode 100644 index 0000000000..8f0f4d8467 --- /dev/null +++ b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml 
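Review bot: The name says `Signing Cert Hash`, but the matcher compares `sha256(raw)` of file content; if `7c32885c…752e` is the SHA-256 of the signed sample that is fine, but if it was copied from the YARA rule as a certificate thumbprint or serial it can never match any file on disk. Please confirm against `APT_Passcv.yar` and state in the description what the hash is of, e.g. `description: Detects the PassCV Sabre sample signed with the code-signing certificate described in the Cylance report`.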
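Review bot: `tags: ransomware,malware` sits at column 0 (`+tags:`) instead of inside `info`, so it is a stray top-level key rather than `info.tags`; a strict decoder rejects the template and a lenient one loads it without tags. Indent it two spaces under `info:`. Consider also adding a family tag so the template can be selected with `-tags petya`, as the other templates in this series do with `ironpanda`, `oilrig`, `turla` and so on.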
@@ -0,0 +1,27 @@ +id: poseidongroup-maldoc-malware-hash +info: + name: Poseidon Group Malicious Word Document Hash - Detect + author: pussycat0x + severity: info + description: Detects Poseidon Group - Malicious Word Document + reference: + - https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/ + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Poseidon_Group.yar + tags: malware,poseidon + +file: + extensions: + - doc + - docx + + matchers: + type: dsl + dsl: + - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'" + - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'" + - "sha256(raw) == 'f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a'" + - "sha256(raw) == 'ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed'" + - "sha256(raw) == '27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778'" + - "sha256(raw) == '1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216'" + - "sha256(raw) == '0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b'" + condition: or diff --git a/file/malware/hash/poseidongroup-malware-hash.yaml b/file/malware/hash/poseidongroup-malware-hash.yaml new file mode 100644 index 0000000000..8a13db558d --- /dev/null +++ b/file/malware/hash/poseidongroup-malware-hash.yaml 
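Review bot: The `extensions` list is limited to `doc` and `docx` while every other hash template in this patch uses `all`, so a maldoc that has been renamed, quarantined or carved from a mail store without its extension is never hashed and the seven indicators are silently skipped. Unless the narrowing is deliberate for scan speed, use `- all` here too, and if it is deliberate say so in the description, e.g. `Detects Poseidon Group malicious Word documents by SHA-256 hash (scans .doc/.docx only)`.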
@@ -0,0 +1,26 @@ +id: poseidongroup-malware-hash +info: + name: Poseidon Group Malware Hash - Detect + author: pussycat0x + severity: info + description: Detects Poseidon Group Malware + reference: + - https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/ + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Poseidon_Group.yar + tags: malware + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'" + - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'" + - "sha256(raw) == '432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61'" + - "sha256(raw) == '8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47'" + - "sha256(raw) == 'd090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f'" + - "sha256(raw) == 'd7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb'" + - "sha256(raw) == 'ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3'" + condition: or diff --git a/file/malware/hash/powerstar-malware.yaml b/file/malware/hash/powerstar-malware-hash.yaml similarity index 89% rename from file/malware/hash/powerstar-malware.yaml rename to file/malware/hash/powerstar-malware-hash.yaml index 8efae04aec..9a09056a27 100644 --- a/file/malware/hash/powerstar-malware.yaml +++ b/file/malware/hash/powerstar-malware-hash.yaml @@ -1,6 +1,6 @@ -id: powerstar-malware +id: powerstar-malware-hash info: - name: PowerStar Malware - Detect + name: PowerStar Malware Hash - Detect author: pussycat0x severity: info description: Detects the batch script used to persist PowerStar via Startup. diff --git a/file/malware/hash/purplewave-malware-hash.yaml b/file/malware/hash/purplewave-malware-hash.yaml new file mode 100644 index 0000000000..8492e1a9c7 --- /dev/null +++ b/file/malware/hash/purplewave-malware-hash.yaml 
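Review bot: `tags: malware` omits the family tag that the sibling `poseidongroup-maldoc-malware-hash` template in the previous hunk carries (`malware,poseidon`), so `-tags poseidon` picks up the document hashes but not the binaries from the same report. Align it to `tags: malware,poseidon,apt`.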
@@ -0,0 +1,27 @@ +id: purplewave-malware-hash +info: + name: PurpleWave v1.0 Malware Hash - Detect + author: pussycat0x + severity: info + reference: + - https://twitter.com/3xp0rtblog/status/1289125217751781376 + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PurpleWave.yar +tags: malware,apt,purplewave + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'" + - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'" + - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'" + - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'" + - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'" + - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'" + - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'" + - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'" + - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'" + condition: or diff --git a/file/malware/hash/red-leaves-malware-hash.yaml b/file/malware/hash/red-leaves-malware-hash.yaml new file mode 100644 index 0000000000..b131749599 --- /dev/null +++ b/file/malware/hash/red-leaves-malware-hash.yaml @@ -0,0 +1,21 @@ +id: red-leaves-malware-hash +info: + name: Red Leaves Malware Hash - Detect + author: pussycat0x + severity: info + description: | + Red Leaves malware, related to APT10 + reference: + - https://www.virustotal.com/ + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_RedLeaves.yar + tags: malware,apt,red-leaves + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'" + 
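Review bot: `tags: malware,apt,purplewave` is at column 0 (`+tags:`), outside the `info` block, so it is either rejected as an unknown top-level field or silently dropped depending on the decoder; indent it two spaces under `info:`. The `apt` tag also looks misplaced: the cited rule is `MALW_PurpleWave.yar`, not an APT set, and as far as I know PurpleWave is documented as a commodity stealer, so the tag would pull this template into APT-scoped scans without attribution to back it. A `description` is missing as well, e.g. `description: Detects PurpleWave v1.0 stealer samples by SHA-256 hash`.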
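Review bot: The first reference, `https://www.virustotal.com/`, points at the VirusTotal front page rather than the report for this sample, so it documents nothing and will not help an analyst verify the hash. Either link the file report for `2e1f902d…2c3c` or drop the entry and rely on the `APT_RedLeaves.yar` source; the description could also name the source, e.g. `Red Leaves malware (APT10); hash taken from APT_RedLeaves.yar`.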
diff --git a/file/malware/hash/regeorg-webshell.yaml b/file/malware/hash/regeorg-webshell-hash.yaml similarity index 89% rename from file/malware/hash/regeorg-webshell.yaml rename to file/malware/hash/regeorg-webshell-hash.yaml index f4520f0c64..a3abb6c429 100644 --- a/file/malware/hash/regeorg-webshell.yaml +++ b/file/malware/hash/regeorg-webshell-hash.yaml @@ -1,6 +1,6 @@ -id: regeorg-webshel +id: regeorg-webshell-hash info: - name: ReGeorg Webshell - Detect + name: ReGeorg Webshell Hash - Detect author: pussycat0x severity: info description: Detects the reGeorg webshells' JSP version. diff --git a/file/malware/hash/revil-ransomware-hash.yaml b/file/malware/hash/revil-ransomware-hash.yaml new file mode 100644 index 0000000000..9d6c61a8fa --- /dev/null +++ b/file/malware/hash/revil-ransomware-hash.yaml @@ -0,0 +1,22 @@ +id: revil-ransomware-hash +info: + name: Revil Ransomware Hash - Detect + author: pussycat0x + severity: info + description: + Detect Revil Ransomware. + reference: + - https://angle.ankura.com/post/102hcny/revix-linux-ransomware + - https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Revix.yar +tags: ransomware,malware + +file: + extensions: + - all + matchers: + type: dsl + dsl: + - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'" + - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'" + - "sha256(raw) == 'ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4'" + condition: or diff --git a/file/malware/hash/rokrat-malware-hash.yaml b/file/malware/hash/rokrat-malware-hash.yaml new file mode 100644 index 0000000000..a531c05afa --- /dev/null +++ b/file/malware/hash/rokrat-malware-hash.yaml 
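Review bot: `tags: ransomware,malware` is at column 0 (`+tags:`) rather than inside `info`, so it becomes a stray top-level key and is either rejected or silently lost; indent it two spaces under `info:`. Both references are about REvix, the Linux build of REvil (`revix-linux-ransomware`, `RANSOM_Revix.yar`), so `name: Revil Ransomware Hash - Detect` and `Detect Revil Ransomware.` under-specify what a hit is; suggest `description: Detects REvix (the Linux variant of REvil) ransomware samples by SHA-256 hash` and adding `revil` to the tags.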
@@ -0,0 +1,20 @@ +id: rokrat-malware-hash +info: + name: ROKRAT Loader Malware Hash- Detect + author: pussycat0x + severity: info + description: | + Designed to catch loader observed used with ROKRAT malware + reference: + - https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/ + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_DPRK_ROKRAT.yar + tags: malware,taudprkapt + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'" \ No newline at end of file diff --git a/file/malware/hash/rokrat-malware.yaml b/file/malware/hash/rokrat-malware.yaml deleted file mode 100644 index 0f5cd8f94e..0000000000 --- a/file/malware/hash/rokrat-malware.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: rokrat-malware -info: - name: Rokrat Malware - Detect - author: pussycat0x - severity: info - description: Ruby loader seen loading the ROKRAT malware family. - reference: - - https://github.com/volexity/threat-intel/blob/main/2021/2021-08-24%20-%20InkySquid%20Part%202/indicators/yara.yar - tags: malware,inkysquid - -file: - - extensions: - - all - - matchers: - - type: dsl - dsl: - - "sha256(raw) == '5bc52f6c1c0d0131cee30b4f192ce738ad70bcb56e84180f464a5125d1a784b2'" - - "sha256(raw) == '80269413be6ad51b8b19631b2f5559c9572842e789bbce031babe6e879d2e120'" - - "sha256(raw) == '6a452d088d60113f623b852f33f8f9acf0d4197af29781f889613fed38f57855'" - - "sha256(raw) == '85cd5c3bb028fe6931130ccd5d0b0c535c01ce2bcda660a3b72581a1a5382904'" - condition: or \ No newline at end of file diff --git a/file/malware/hash/sauron-malware-hash.yaml b/file/malware/hash/sauron-malware-hash.yaml new file mode 100644 index 0000000000..971ab64786 --- /dev/null +++ b/file/malware/hash/sauron-malware-hash.yaml 
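Review bot: Four ROKRAT indicators are lost here: the deleted `rokrat-malware.yaml` carried four loader hashes from the Volexity InkySquid indicators, while the replacement `rokrat-malware-hash.yaml` holds a single, different hash from the Carbon Black write-up, so this is a coverage regression hidden under a commit titled "update". If the intent was a rename, carry the four hashes over under `condition: or` and keep the Volexity reference alongside the Carbon Black one. The tag `taudprkapt` is not a usable filter tag (it looks like a concatenated label lifted from the YARA metadata) and should be `tags: malware,rokrat,apt,dprk`; the name also has a missing space in `Hash- Detect`, and the file lacks a trailing newline.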
@@ -0,0 +1,26 @@ +id: sauron-malware-hash +info: + name: Sauron Malware Hash - Detect + author: pussycat0x + severity: info + description: Detects malware from Project Sauron APT + reference: + - https://goo.gl/eFoP4A + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sauron_extras.yar + tags: malware,apt,sauron + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'" + - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'" + - "sha256(raw) == 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec'" + - "sha256(raw) == 'e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57'" + - "sha256(raw) == '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8'" + - "sha256(raw) == '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca'" + - "sha256(raw) == '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd'" + condition: or diff --git a/file/malware/hash/seaduke-malware-hash.yaml b/file/malware/hash/seaduke-malware-hash.yaml new file mode 100644 index 0000000000..183975b755 --- /dev/null +++ b/file/malware/hash/seaduke-malware-hash.yaml @@ -0,0 +1,19 @@ +id: seaduke-malware-hash +info: + name: SeaDuke Malware Hash - Detect + author: pussycat0x + severity: info + reference: | + http://goo.gl/MJ0c2M + https://github.com/Yara-Rules/rules/blob/master/malware/APT_Seaduke.yar + tags: malware,seaduke + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'" + diff --git a/file/malware/hash/sfx1-malware-hash.yaml b/file/malware/hash/sfx1-malware-hash.yaml new file mode 100644 index 0000000000..7158918abc --- /dev/null +++ b/file/malware/hash/sfx1-malware-hash.yaml 
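Review bot: `reference: |` with two bare URLs underneath produces a single two-line string, not a list of references, so the SeaDuke entry renders as one mangled link; write them as `- http://…` / `- https://…` list items without the `|`. The first link is also a plain-http `goo.gl` shortener that cannot be verified without following an opaque redirect — replace it with the resolved URL. A `description` is missing; `description: Detects SeaDuke malware by SHA-256 hash (sample from APT_Seaduke.yar)` would do.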
@@ -0,0 +1,21 @@ +id: sfx1-malware-hash +info: + name: Malicious SFX1 Hash - Detect + author: pussycat0x + severity: info + description: SFX with voicemail content + reference: + - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950 + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar + tags: malware,sfx1 + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'" + - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'" + condition: or diff --git a/file/malware/hash/sfxrar-acrotray-malware-hash.yaml b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml new file mode 100644 index 0000000000..ea95e45d7a --- /dev/null +++ b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml @@ -0,0 +1,21 @@ +id: sfxrar-acrotray-malware-hash +info: + name: SFXRAR Acrotray Malware Hash - Detect + author: pussycat0x + severity: info + reference: + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Cloudduke.yar + - https://www.f-secure.com/weblog/archives/00002822.html + tags: malware,apt,sfx + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'" + - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'" + - "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/sharpext-malware.yaml b/file/malware/hash/sharpext-malware-hash.yaml similarity index 89% rename from file/malware/hash/sharpext-malware.yaml rename to file/malware/hash/sharpext-malware-hash.yaml index c87c46c689..858ece9035 100644 --- a/file/malware/hash/sharpext-malware.yaml +++ b/file/malware/hash/sharpext-malware-hash.yaml 
@@ -1,6 +1,6 @@ -id: sharpext-malware +id: sharpext-malware-hash info: - name: Sharpext Malware - Detect + name: Sharpext Malware Hash - Detect author: pussycat0x severity: info description: A malicious Chrome browser extension used by the SharpTongue threat actor to steal mail data from a victim. diff --git a/file/malware/hash/sofacy-Winexe-malware-hash.yaml b/file/malware/hash/sofacy-Winexe-malware-hash.yaml new file mode 100644 index 0000000000..d11191b9e4 --- /dev/null +++ b/file/malware/hash/sofacy-Winexe-malware-hash.yaml @@ -0,0 +1,20 @@ +id: sofacy-Winexe-malware-hash +info: + name: Sofacy Group Winexe Tool Hash - Detect + author: pussycat0x + severity: info + description: | + Winexe tool used by Sofacy group in Bundestag APT. + reference: | + - http://dokumente.linksfraktion.de/inhalt/report-orig.pdf + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Bundestag.yar + tags: malware,sofacy + +file: + extensions: + - exe + + matchers: + type: dsl + dsl: + - "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'" diff --git a/file/malware/hash/sofacy-bundestag-malware-hash.yaml b/file/malware/hash/sofacy-bundestag-malware-hash.yaml new file mode 100644 index 0000000000..3b424a0a15 --- /dev/null +++ b/file/malware/hash/sofacy-bundestag-malware-hash.yaml @@ -0,0 +1,22 @@ +id: sofacy-bundestag-malware-hash +info: + name: Sofacy Group Malware - Detect + author: pussycat0x + severity: info + description: | + Sofacy Malware - German Bundestag + reference: | + - http://dokumente.linksfraktion.de/inhalt/report-orig.pdf + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Bundestag.yar + tags: malware,sofacy + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'" + - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'" + condition: or 
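Review bot: `reference: |` turns the two `- http…` lines into one block-scalar string with literal dashes rather than a YAML list; drop the `|` and keep the list items. This is also the only template in the patch that restricts `extensions` to `exe`, so a Winexe binary renamed or carved without its extension is never hashed — use `- all` unless the narrowing is intentional, and say so in the description if it is. The id/filename `sofacy-Winexe-malware-hash` has a capital W unlike the other sofacy ids; prefer `sofacy-winexe-malware-hash`.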
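Review bot: `reference: |` here has the same problem as the Winexe template: the two `- http…` entries become a single string instead of a list of URLs, so drop the `|`. The name `Sofacy Group Malware - Detect` also breaks the `… Hash - Detect` convention every other template in this patch follows; `name: Sofacy Group Bundestag Malware Hash - Detect` keeps the listing consistent and distinguishes it from the other sofacy templates.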
diff --git a/file/malware/hash/sofacy-fybis-malware-hash.yaml b/file/malware/hash/sofacy-fybis-malware-hash.yaml new file mode 100644 index 0000000000..a285d60b0c --- /dev/null +++ b/file/malware/hash/sofacy-fybis-malware-hash.yaml @@ -0,0 +1,21 @@ +id: sofacy-fybis-malware-hash +info: + name: Sofacy Fybis Linux Backdoor Hash - Detect + author: pussycat0x + severity: info + reference: | + - http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Fysbis.yar + tags: malware,sofacy + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'" + - "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'" + - "sha256(raw) == 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61'" + condition: or diff --git a/file/malware/hash/tidepool-malware-hash.yaml b/file/malware/hash/tidepool-malware-hash.yaml new file mode 100644 index 0000000000..7346f6a7a4 --- /dev/null +++ b/file/malware/hash/tidepool-malware-hash.yaml @@ -0,0 +1,24 @@ +id: tidepool-malware-hash +info: + name: TidePool Malware Hash - Detect + author: pussycat0x + severity: info + description: | + Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks + reference: + - http://goo.gl/m2CXWR + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Ke3Chang_TidePool.yar + tags: malware,tidepool + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'" + - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'" + - "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'" + - "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'" + condition: or 
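Review bot: The id, filename and name spell the family `Fybis`, but both references call it Fysbis (`…/fysbis-sofacys-linux-backdoor/` and `APT_Sofacy_Fysbis.yar`), so searches and `-id`/`-tags` filters on the real family name miss this template. Rename to `sofacy-fysbis-malware-hash.yaml` with `id: sofacy-fysbis-malware-hash` and `name: Sofacy Fysbis Linux Backdoor Hash - Detect`, and add `fysbis` to the tags. `reference: |` should also be a plain list (the `|` turns the two dash-prefixed lines into one string), and a `description` is missing.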
diff --git a/file/malware/hash/turla-malware-hash.yaml b/file/malware/hash/turla-malware-hash.yaml new file mode 100644 index 0000000000..29a0af280a --- /dev/null +++ b/file/malware/hash/turla-malware-hash.yaml @@ -0,0 +1,29 @@ +id: turla-malware-hash +info: + name: Turla APT Malware - Detect + author: pussycat0x + severity: info + description: Detects Turla malware based on sample used in the RUAG APT case + reference: | + https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case + https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_RUAG.yar + tags: malware,turla,apt,ruag + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'" + - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'" + - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'" + - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'" + - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'" + - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'" + - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'" + - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'" + - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'" + - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'" + condition: or diff --git a/file/malware/hash/unit78020-malware-hash.yaml b/file/malware/hash/unit78020-malware-hash.yaml new file mode 100644 index 0000000000..3f1812b208 --- /dev/null +++ b/file/malware/hash/unit78020-malware-hash.yaml 
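Review bot: `reference: |` followed by two bare URLs yields a single two-line string rather than a list, so the GovCERT report and the YARA source collapse into one malformed reference entry; write them as `- https://…` list items without the `|`. The name `Turla APT Malware - Detect` also drops the `Hash` word the rest of the series uses (`… Malware Hash - Detect`), which matters because hash-only templates are weak signals and the name is what an analyst sees first; `name: Turla APT RUAG Malware Hash - Detect` would be consistent and specific.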
@@ -0,0 +1,26 @@ +id: unit78020-malware-hash +info: + name: Unit 78020 Malware Hash - Detect + author: pussycat0x + severity: info + description: | + Detects malware by Chinese APT PLA Unit 78020 - Generic Rule + reference: | + http://threatconnect.com/camerashy/?utm_campaign=CameraShy + https://github.com/Yara-Rules/rules/blob/master/malware/APT_Unit78020.yar + tags: malware,unit78020 + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'" + - "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'" + - "sha256(raw) == '2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac'" + - "sha256(raw) == '5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2'" + - "sha256(raw) == '7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af'" + - "sha256(raw) == '88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790'" + condition: or diff --git a/file/malware/hash/wildneutron-malware-hash.yaml b/file/malware/hash/wildneutron-malware-hash.yaml new file mode 100644 index 0000000000..b3c9b242b0 --- /dev/null +++ b/file/malware/hash/wildneutron-malware-hash.yaml 
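Review bot: `reference: |` makes the two URLs one block-scalar string instead of a list; drop the `|` and prefix each with `- `. The ThreatConnect link also carries a `?utm_campaign=CameraShy` tracking parameter that adds nothing to the citation and leaks the template's origin to the publisher on every click — trim it to `http://threatconnect.com/camerashy/`. The description calls this a "Generic Rule", which is misleading for a template that only matches six exact SHA-256 values; `Detects six PLA Unit 78020 samples from the Camera Shy report by SHA-256 hash` says what it actually does.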
@@ -0,0 +1,31 @@ +id: wildneutron-malware-hash +info: + name: WildNeutron APT Sample Hash - Detect + author: pussycat0x + severity: info + description: | + Wild Neutron APT Sample Rule based on file hash + reference: | + - https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ + - https://github.com/Yara-Rules/rules/blob/master/malware/APT_WildNeutron.yar + tags: malware,wildneutron,apt + +file: + extensions: + - all + + matchers: + type: dsl + dsl: + - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'" + - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'" + - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'" + - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'" + - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'" + - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'" + - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'" + - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'" + - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'" + - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'" + - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'" + condition: or \ No newline at end of file From 0c5631b963ca27b85943eab7a3b70bf040f743fa Mon Sep 17 00:00:00 2001 
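Review bot: The `dsl` list in wildneutron-malware-hash.yaml contains `'758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'` twice (7th and 10th entries); under `condition: or` the second entry is a redundant comparison and should be removed. The same problem is present on the new side of codoso-pgv-malware-hash.yaml (`4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f` twice, in both PATCH 4/8 and PATCH 6/8), bluetermite-emdivi-malware-hash.yaml (six hashes each listed twice, 15 entries for 9 unique values), cloudduke-malware-hash.yaml (`97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7` three times and six others twice) and codoso-plugx-malware-hash.yaml (`74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3` three times). A de-duplication pass before merge, or a lint step that rejects repeated `sha256(raw)` values, would keep these hash-only rules minimal. This file is also added without a trailing newline.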
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Thu, 20 Jun 2024 15:29:08 +0530 Subject: [PATCH 4/8] lint -fix --- file/malware/hash/blackenergy-driver-amdide-hash.yaml | 2 +- file/malware/hash/blackenergy-killdisk-malware-hash.yaml | 2 +- file/malware/hash/codoso-gh0st-malware.yaml | 2 +- file/malware/hash/codoso-pgv-malware-hash.yaml | 3 ++- file/malware/hash/codoso-plugx-malware-hash.yaml | 2 +- file/malware/hash/ironPanda-htran-malware-hash.yaml | 5 ++--- file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml | 3 +-- file/malware/hash/locky-ransomware-hash.yaml | 3 +-- file/malware/hash/passcv-signingcert-malware-hash.yaml | 3 +-- file/malware/hash/red-leaves-malware-hash.yaml | 3 +-- file/malware/hash/revil-ransomware-hash.yaml | 2 +- file/malware/hash/rokrat-malware-hash.yaml | 2 +- file/malware/hash/seaduke-malware-hash.yaml | 3 +-- file/malware/hash/sofacy-Winexe-malware-hash.yaml | 2 +- file/malware/hash/sofacy-bundestag-malware-hash.yaml | 2 +- file/malware/hash/turla-malware-hash.yaml | 4 ++-- file/malware/hash/wildneutron-malware-hash.yaml | 2 +- 17 files changed, 20 insertions(+), 25 deletions(-) diff --git a/file/malware/hash/blackenergy-driver-amdide-hash.yaml b/file/malware/hash/blackenergy-driver-amdide-hash.yaml index 80eea4d57a..1416dfb755 100644 --- a/file/malware/hash/blackenergy-driver-amdide-hash.yaml +++ b/file/malware/hash/blackenergy-driver-amdide-hash.yaml @@ -3,7 +3,7 @@ info: name: Blackenergy-Driver Amdide Hash - Detect description: | Detects the AMDIDE driver from BlackEnergy malware - reference: + reference: - http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/ tag: malware,blackenergy diff --git a/file/malware/hash/blackenergy-killdisk-malware-hash.yaml b/file/malware/hash/blackenergy-killdisk-malware-hash.yaml index 4896d043f0..65d90a1035 100644 --- a/file/malware/hash/blackenergy-killdisk-malware-hash.yaml 
+++ b/file/malware/hash/blackenergy-killdisk-malware-hash.yaml @@ -19,4 +19,4 @@ file: - "sha256(raw) == '5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6'" - "sha256(raw) == 'c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d'" - "sha256(raw) == 'f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95'" - condition: or \ No newline at end of file + condition: or \ No newline at end of file diff --git a/file/malware/hash/codoso-gh0st-malware.yaml b/file/malware/hash/codoso-gh0st-malware.yaml index 976e2255a8..51dbbc7495 100644 --- a/file/malware/hash/codoso-gh0st-malware.yaml +++ b/file/malware/hash/codoso-gh0st-malware.yaml @@ -3,7 +3,7 @@ info: name: Codoso APT Gh0st Malware Hash - Detect author: pussycat0x severity: info - reference: + reference: - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar tags: malware,apt,codoso diff --git a/file/malware/hash/codoso-pgv-malware-hash.yaml b/file/malware/hash/codoso-pgv-malware-hash.yaml index 4927e17366..dad250bf30 100644 --- a/file/malware/hash/codoso-pgv-malware-hash.yaml +++ b/file/malware/hash/codoso-pgv-malware-hash.yaml @@ -20,4 +20,5 @@ file: - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'" - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'" - - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" \ No newline at end of file + - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/codoso-plugx-malware-hash.yaml b/file/malware/hash/codoso-plugx-malware-hash.yaml index 6f28c6c836..f0884b566b 100644 --- a/file/malware/hash/codoso-plugx-malware-hash.yaml 
+++ b/file/malware/hash/codoso-plugx-malware-hash.yaml @@ -5,7 +5,7 @@ info: severity: info description: | Detects Codoso APT PlugX Malware. - reference: + reference: - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar tags: malware,apt,codoso diff --git a/file/malware/hash/ironPanda-htran-malware-hash.yaml b/file/malware/hash/ironPanda-htran-malware-hash.yaml index 9044c3a27e..3a237e8ca3 100644 --- a/file/malware/hash/ironPanda-htran-malware-hash.yaml +++ b/file/malware/hash/ironPanda-htran-malware-hash.yaml @@ -1,4 +1,4 @@ -id: ironPanda-htran-malware-hash +id: ironpanda-htran-malware-hash info: name: Iron Panda Malware Htran Hash - Detect author: pussycat0x @@ -17,5 +17,4 @@ file: matchers: type: dsl dsl: - - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'" - + - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'" \ No newline at end of file diff --git a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml index 78ce70e8ad..696a548481 100644 --- a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml +++ b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml @@ -17,5 +17,4 @@ file: matchers: type: dsl dsl: - - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'" - + - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'" \ No newline at end of file diff --git a/file/malware/hash/locky-ransomware-hash.yaml b/file/malware/hash/locky-ransomware-hash.yaml index 05dca81de7..0e90f1e79e 100644 --- a/file/malware/hash/locky-ransomware-hash.yaml +++ b/file/malware/hash/locky-ransomware-hash.yaml 
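Review bot: The first hunk of ironPanda-htran-malware-hash.yaml lowercases the template `id` to `ironpanda-htran-malware-hash`, but the file keeps its mixed-case name, so id and filename no longer agree; rename the file to `ironpanda-htran-malware-hash.yaml` in the same change. The same id/filename drift is introduced for sofacy-Winexe-malware-hash.yaml later in this patch. The second hunk drops the trailing blank line but leaves the file ending without a newline (`\ No newline at end of file`), which is the very condition the other hunks of this lint pass are fixing.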
@@ -17,5 +17,4 @@ file: matchers: type: dsl dsl: - - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'" - + - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'" \ No newline at end of file diff --git a/file/malware/hash/passcv-signingcert-malware-hash.yaml b/file/malware/hash/passcv-signingcert-malware-hash.yaml index 665d68140e..d2f38966aa 100644 --- a/file/malware/hash/passcv-signingcert-malware-hash.yaml +++ b/file/malware/hash/passcv-signingcert-malware-hash.yaml @@ -17,5 +17,4 @@ file: matchers: type: dsl dsl: - - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'" - + - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'" \ No newline at end of file diff --git a/file/malware/hash/red-leaves-malware-hash.yaml b/file/malware/hash/red-leaves-malware-hash.yaml index b131749599..06a4716156 100644 --- a/file/malware/hash/red-leaves-malware-hash.yaml +++ b/file/malware/hash/red-leaves-malware-hash.yaml @@ -17,5 +17,4 @@ file: matchers: type: dsl dsl: - - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'" - + - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'" \ No newline at end of file diff --git a/file/malware/hash/revil-ransomware-hash.yaml b/file/malware/hash/revil-ransomware-hash.yaml index 9d6c61a8fa..61adf28cd9 100644 --- a/file/malware/hash/revil-ransomware-hash.yaml +++ b/file/malware/hash/revil-ransomware-hash.yaml @@ -4,7 +4,7 @@ info: author: pussycat0x severity: info description: - Detect Revil Ransomware. + Detect Revil Ransomware. reference: - https://angle.ankura.com/post/102hcny/revix-linux-ransomware - https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Revix.yar diff --git a/file/malware/hash/rokrat-malware-hash.yaml b/file/malware/hash/rokrat-malware-hash.yaml index a531c05afa..e87b5e645e 100644 --- a/file/malware/hash/rokrat-malware-hash.yaml 
+++ b/file/malware/hash/rokrat-malware-hash.yaml @@ -2,7 +2,7 @@ id: rokrat-malware-hash info: name: ROKRAT Loader Malware Hash- Detect author: pussycat0x - severity: info + severity: info description: | Designed to catch loader observed used with ROKRAT malware reference: diff --git a/file/malware/hash/seaduke-malware-hash.yaml b/file/malware/hash/seaduke-malware-hash.yaml index 183975b755..42ed6c7871 100644 --- a/file/malware/hash/seaduke-malware-hash.yaml +++ b/file/malware/hash/seaduke-malware-hash.yaml @@ -15,5 +15,4 @@ file: matchers: type: dsl dsl: - - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'" - + - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'" \ No newline at end of file diff --git a/file/malware/hash/sofacy-Winexe-malware-hash.yaml b/file/malware/hash/sofacy-Winexe-malware-hash.yaml index d11191b9e4..90dd6d8329 100644 --- a/file/malware/hash/sofacy-Winexe-malware-hash.yaml +++ b/file/malware/hash/sofacy-Winexe-malware-hash.yaml @@ -1,4 +1,4 @@ -id: sofacy-Winexe-malware-hash +id: sofacy-winexe-malware-hash info: name: Sofacy Group Winexe Tool Hash - Detect author: pussycat0x diff --git a/file/malware/hash/sofacy-bundestag-malware-hash.yaml b/file/malware/hash/sofacy-bundestag-malware-hash.yaml index 3b424a0a15..7d27e960c4 100644 --- a/file/malware/hash/sofacy-bundestag-malware-hash.yaml +++ b/file/malware/hash/sofacy-bundestag-malware-hash.yaml @@ -19,4 +19,4 @@ file: dsl: - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'" - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'" - condition: or + condition: or diff --git a/file/malware/hash/turla-malware-hash.yaml b/file/malware/hash/turla-malware-hash.yaml index 29a0af280a..de64dd35bc 100644 --- a/file/malware/hash/turla-malware-hash.yaml +++ b/file/malware/hash/turla-malware-hash.yaml 
@@ -2,7 +2,7 @@ id: turla-malware-hash info: name: Turla APT Malware - Detect author: pussycat0x - severity: info + severity: info description: Detects Turla malware based on sample used in the RUAG APT case reference: | https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case @@ -26,4 +26,4 @@ file: - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'" - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'" - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'" - condition: or + condition: or \ No newline at end of file diff --git a/file/malware/hash/wildneutron-malware-hash.yaml b/file/malware/hash/wildneutron-malware-hash.yaml index b3c9b242b0..1c1a5cfd67 100644 --- a/file/malware/hash/wildneutron-malware-hash.yaml +++ b/file/malware/hash/wildneutron-malware-hash.yaml @@ -2,7 +2,7 @@ id: wildneutron-malware-hash info: name: WildNeutron APT Sample Hash - Detect author: pussycat0x - severity: info + severity: info description: | Wild Neutron APT Sample Rule based on file hash reference: | From 687b9c6e63b39e715ed31005f70c97b54fd44c8e Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Thu, 20 Jun 2024 15:33:32 +0530 Subject: [PATCH 5/8] Update codoso-pgv-malware-hash.yaml --- file/malware/hash/codoso-pgv-malware-hash.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/file/malware/hash/codoso-pgv-malware-hash.yaml b/file/malware/hash/codoso-pgv-malware-hash.yaml index dad250bf30..bb8b669e28 100644 --- a/file/malware/hash/codoso-pgv-malware-hash.yaml +++ b/file/malware/hash/codoso-pgv-malware-hash.yaml 
@@ -4,8 +4,8 @@ info: author: pussycat0x severity: info description: | - Detects Codoso APT PGV_PVID Malware - reference: + Detects Codoso APT PGV_PVID Malware. + reference: - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar tags: malware,apt,codoso @@ -21,4 +21,4 @@ file: - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'" - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'" - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" - condition: or \ No newline at end of file + condition: or From 99d2fc0f6574258d70152aea4958e4f4a64a62f0 Mon Sep 17 00:00:00 2001 
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Thu, 20 Jun 2024 18:08:35 +0530 Subject: [PATCH 6/8] update --- .../hash/anthem-deeppanda-malware-hash.yaml | 14 ++--- .../hash/blackenergy-driver-amdide-hash.yaml | 24 ++++---- .../hash/blackenergy-driver-malware-hash.yaml | 26 ++++---- .../hash/bluetermite-emdivi-malware-hash.yaml | 40 ++++++------- .../hash/bluetermite-emdivi-sfx-hash.yaml | 14 ++--- .../hash/cheshirecat-malware-hash.yaml | 18 +++--- file/malware/hash/cloudduke-malware-hash.yaml | 40 ++++++------- file/malware/hash/codoso-gh0st-malware.yaml | 18 +++--- file/malware/hash/codoso-malware-hash.yaml | 22 +++---- .../malware/hash/codoso-pgv-malware-hash.yaml | 18 ++++-- .../hash/codoso-plugx-malware-hash.yaml | 18 +++--- file/malware/hash/dubnium-malware-hash.yaml | 58 +++++++++--------- .../hash/dubnium-sshopenssl-malware-hash.yaml | 22 +++---- file/malware/hash/emissary-malware-hash.yaml | 36 +++++------ file/malware/hash/fakem-malware-hash.yaml | 33 +++++----- file/malware/hash/furtim-malware-hash.yaml | 14 ++--- file/malware/hash/greenbug-malware-hash.yaml | 34 +++++------ .../hash/industroyer-malware-hash.yaml | 28 ++++----- .../hash/ironPanda-htran-malware-hash.yaml | 10 ++-- .../ironpanda-dnstunclient-malware-hash.yaml | 10 ++-- file/malware/hash/ironpanda-malware-hash.yaml | 18 +++--- file/malware/hash/locky-ransomware-hash.yaml | 10 ++-- .../minidionis-readerview-malware-hash.yaml | 22 +++---- .../hash/minidionis-vbs-malware-hash.yaml | 10 ++-- .../malware/hash/naikon-apt-malware-hash.yaml | 14 ++--- file/malware/hash/neuron2-malware-hash.yaml | 14 ++--- file/malware/hash/oilrig-malware-hash.yaml | 60 +++++++++---------- .../hash/passcv-ntscan-malware-hash.yaml | 10 ++-- .../hash/passcv-sabre-malware-hash.yaml | 28 ++++----- .../hash/passcv-signingcert-malware-hash.yaml | 10 ++-- file/malware/hash/petya-ransomware-hash.yaml | 8 +-- .../poseidongroup-maldoc-malware-hash.yaml | 26 ++++---- 
.../hash/poseidongroup-malware-hash.yaml | 24 ++++---- .../malware/hash/purplewave-malware-hash.yaml | 28 ++++----- .../malware/hash/red-leaves-malware-hash.yaml | 10 ++-- file/malware/hash/revil-ransomware-hash.yaml | 17 +++--- file/malware/hash/rokrat-malware-hash.yaml | 8 +-- file/malware/hash/sauron-malware-hash.yaml | 24 ++++---- file/malware/hash/seaduke-malware-hash.yaml | 10 ++-- file/malware/hash/sfx1-malware-hash.yaml | 14 ++--- .../hash/sfxrar-acrotray-malware-hash.yaml | 16 ++--- .../hash/sofacy-Winexe-malware-hash.yaml | 10 ++-- .../hash/sofacy-bundestag-malware-hash.yaml | 14 ++--- .../hash/sofacy-fybis-malware-hash.yaml | 16 ++--- file/malware/hash/tidepool-malware-hash.yaml | 18 +++--- file/malware/hash/turla-malware-hash.yaml | 30 +++++----- file/malware/hash/unit78020-malware-hash.yaml | 22 +++---- .../hash/wildneutron-malware-hash.yaml | 32 +++++----- 48 files changed, 516 insertions(+), 504 deletions(-) diff --git a/file/malware/hash/anthem-deeppanda-malware-hash.yaml b/file/malware/hash/anthem-deeppanda-malware-hash.yaml index bda4cb8072..d3ade4ee2c 100644 --- a/file/malware/hash/anthem-deeppanda-malware-hash.yaml +++ b/file/malware/hash/anthem-deeppanda-malware-hash.yaml @@ -10,12 +10,12 @@ info: tags: malware,deeppanda file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'" - - "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'" + - "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'" + condition: or diff --git a/file/malware/hash/blackenergy-driver-amdide-hash.yaml b/file/malware/hash/blackenergy-driver-amdide-hash.yaml index 1416dfb755..0bdfde5343 100644 --- a/file/malware/hash/blackenergy-driver-amdide-hash.yaml 
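Review bot: In anthem-deeppanda-malware-hash.yaml the `file:` block is rewritten as a sequence (`- extensions:` and `- type: dsl`) while `matchers:` remains an unchanged context line; that only parses if the key was already indented inside the first list item, otherwise it now sits beside the sequence and the document is invalid YAML. The indentation is not recoverable from this rendering, so please confirm the rewritten templates load (for example with `nuclei -validate` over `file/malware/hash/`) before merging. The same restructuring is applied to every file section in this patch; codoso-pgv-malware-hash.yaml additionally leaves `- all` as unchanged context beneath the new `- extensions:` line, unlike the other files where it is re-indented.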
+++ b/file/malware/hash/blackenergy-driver-amdide-hash.yaml @@ -8,17 +8,17 @@ info: tag: malware,blackenergy file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'" - - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'" - - "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'" - - "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'" - - "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'" - - "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'" - - "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'" + - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'" + - "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'" + - "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'" + - "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'" + - "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'" + - "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'" + condition: or diff --git a/file/malware/hash/blackenergy-driver-malware-hash.yaml b/file/malware/hash/blackenergy-driver-malware-hash.yaml index 7f3f98507e..ba0cc65e80 100644 --- a/file/malware/hash/blackenergy-driver-malware-hash.yaml +++ b/file/malware/hash/blackenergy-driver-malware-hash.yaml 
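Review bot: The context line at the top of the blackenergy-driver-amdide-hash.yaml hunk reads `tag: malware,blackenergy`, while every other template in this series uses `tags:`; depending on the loader's strictness the key is either rejected or silently dropped, and in the latter case the template cannot be selected by tag. Change it to `tags: malware,blackenergy`. The same line is visible unchanged in the PATCH 4/8 hunk for this file.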
@@ -9,18 +9,18 @@ info: tags: malware,blackenergy file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'" - - "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'" - - "sha256(raw) == 'edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281'" - - "sha256(raw) == 'ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc'" - - "sha256(raw) == '7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291'" - - "sha256(raw) == '405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5'" - - "sha256(raw) == '244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5'" - - "sha256(raw) == 'edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'" + - "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'" + - "sha256(raw) == 'edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281'" + - "sha256(raw) == 'ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc'" + - "sha256(raw) == '7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291'" + - "sha256(raw) == '405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5'" + - "sha256(raw) == '244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5'" + - "sha256(raw) == 'edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf'" + condition: or diff --git a/file/malware/hash/bluetermite-emdivi-malware-hash.yaml b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml index 040782d212..964d0dc509 100644 --- a/file/malware/hash/bluetermite-emdivi-malware-hash.yaml +++ b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml 
@@ -9,25 +9,25 @@ info: tags: malware,bluetermite file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" - - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" - - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" - - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" - - "sha256(raw) == '9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1'" - - "sha256(raw) == 'a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012'" - - "sha256(raw) == '9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4'" - - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" - - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" - - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" - - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" - - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" - - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" - - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" - - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" - condition: or \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" + - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" + - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" + - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" + - "sha256(raw) == '9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1'" + - "sha256(raw) == 
'a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012'" + - "sha256(raw) == '9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4'" + - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" + - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" + - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" + - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" + - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" + - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" + - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" + - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml index 05e5bb88e2..22a895caa0 100644 --- a/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml +++ b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml @@ -9,12 +9,12 @@ info: tags: malware,bluetermite file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'" - - "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'" + - "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'" + condition: or diff --git a/file/malware/hash/cheshirecat-malware-hash.yaml b/file/malware/hash/cheshirecat-malware-hash.yaml index 351a05e2fb..f1e02e0ecc 100644 --- a/file/malware/hash/cheshirecat-malware-hash.yaml +++ b/file/malware/hash/cheshirecat-malware-hash.yaml 
@@ -9,14 +9,14 @@ info: tags: malware,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'" - - "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'" - - "sha256(raw) == '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb'" - - "sha256(raw) == 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'" + - "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'" + - "sha256(raw) == '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb'" + - "sha256(raw) == 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532'" + condition: or diff --git a/file/malware/hash/cloudduke-malware-hash.yaml b/file/malware/hash/cloudduke-malware-hash.yaml index 5d753b6036..3b155c5fbf 100644 --- a/file/malware/hash/cloudduke-malware-hash.yaml +++ b/file/malware/hash/cloudduke-malware-hash.yaml 
@@ -9,25 +9,25 @@ info: tags: malware,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" - - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" - - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" - - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" - - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" - - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" - - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" - - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" - - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" - - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" - condition: or \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" + - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" + - "sha256(raw) == 
'88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" + - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" + - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" + - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" + - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" + - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" + - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" + - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/codoso-gh0st-malware.yaml b/file/malware/hash/codoso-gh0st-malware.yaml index 51dbbc7495..39268274b4 100644 --- a/file/malware/hash/codoso-gh0st-malware.yaml +++ b/file/malware/hash/codoso-gh0st-malware.yaml 
@@ -9,14 +9,14 @@ info: tags: malware,apt,codoso file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'" - - "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'" - - "sha256(raw) == '7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8'" - - "sha256(raw) == 'd7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'" + - "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'" + - "sha256(raw) == '7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8'" + - "sha256(raw) == 'd7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297'" + condition: or diff --git a/file/malware/hash/codoso-malware-hash.yaml b/file/malware/hash/codoso-malware-hash.yaml index 4486e11cce..53e46b086d 100644 --- a/file/malware/hash/codoso-malware-hash.yaml +++ b/file/malware/hash/codoso-malware-hash.yaml 
@@ -11,16 +11,16 @@ info: tags: malware,apt,codoso file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'" - - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'" - - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'" - - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'" - - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'" - - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'" + - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'" + - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'" + - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'" + - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'" + - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'" + condition: or diff --git a/file/malware/hash/codoso-pgv-malware-hash.yaml b/file/malware/hash/codoso-pgv-malware-hash.yaml index dad250bf30..c6612ab3fd 100644 --- a/file/malware/hash/codoso-pgv-malware-hash.yaml +++ b/file/malware/hash/codoso-pgv-malware-hash.yaml 
@@ -4,21 +4,31 @@ info:
 author: pussycat0x
 severity: info
 description: |
- Detects Codoso APT PGV_PVID Malware
- reference:
+ Detects Codoso APT PGV_PVID Malware.
+ reference:
 - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
 - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
 tags: malware,apt,codoso
 file:
- extensions:
+ - extensions:
 - all
 matchers:
+<<<<<<< HEAD
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
+ - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'"
+ - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'"
+ - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
+ condition: or
+=======
 type: dsl
 dsl:
 - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
 - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'"
 - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'"
 - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
- condition: or
\ No newline at end of file
+ condition: or
+>>>>>>> 687b9c6e63b39e715ed31005f70c97b54fd44c8e
diff --git a/file/malware/hash/codoso-plugx-malware-hash.yaml b/file/malware/hash/codoso-plugx-malware-hash.yaml
index f0884b566b..272333b851 100644
--- a/file/malware/hash/codoso-plugx-malware-hash.yaml
+++ b/file/malware/hash/codoso-plugx-malware-hash.yaml
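Review bot: The new side of codoso-pgv-malware-hash.yaml commits unresolved merge-conflict markers inside the `matchers:` block — `<<<<<<< HEAD`, `=======` and `>>>>>>> 687b9c6e63b39e715ed31005f70c97b54fd44c8e` — so the template is not valid YAML and will fail to load, which for a detection rule means it silently contributes nothing. The `=======` side also keeps `type: dsl` as a bare mapping directly under `matchers:` rather than the `- type: dsl` list item that every other file in this patch moves to, so the HEAD side is the one to keep: delete the three marker lines and the second `type: dsl` … `condition: or` block. While resolving it, the digest `4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f` is listed twice and the second copy can be dropped without changing what the rule matches. A repository check that parses every template, or a pre-commit hook rejecting lines beginning with `<<<<<<<`, `=======` or `>>>>>>>`, would stop this class of mistake reaching the branch.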
@@ -11,14 +11,14 @@ info:
 tags: malware,apt,codoso
 file:
- extensions:
- - all
+ - extensions:
+ - all
 matchers:
- type: dsl
- dsl:
- - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
- - "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'"
- - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
- - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
- condition: or
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+ - "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'"
+ - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+ - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
+ condition: or
diff --git a/file/malware/hash/dubnium-malware-hash.yaml b/file/malware/hash/dubnium-malware-hash.yaml
index fdfa9dcd68..5d8aa8e443 100644
--- a/file/malware/hash/dubnium-malware-hash.yaml
+++ b/file/malware/hash/dubnium-malware-hash.yaml
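Review bot: Three of the four `dsl` entries in codoso-plugx-malware-hash.yaml compare against the same digest `74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3`, so the rule really carries two indicators, not four, and each scanned file is tested against the same value three times. Keeping one line per digest (the `74e1e83a…` line and the `b9510e44…` line) preserves exactly the same matches and makes the indicator count honest. The same duplication is carried over in the dubnium-malware-hash.yaml hunk, where 24 entries reduce to 12 distinct digests, and in greenbug-malware-hash.yaml, where 12 reduce to 8; de-duplicating the `dsl` list when these templates are (re)generated would keep them readable.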
@@ -10,34 +10,34 @@ info:
 tags: malware,dubnium
 file:
- extensions:
- - all
+ - extensions:
+ - all
 matchers:
- type: dsl
- dsl:
- - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
- - "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'"
- - "sha256(raw) == 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5'"
- - "sha256(raw) == 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827'"
- - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
- - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
- - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
- - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
- - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
- - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
- - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
- - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
- - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
- - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
- - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
- - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
- - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
- - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
- - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
- - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
- - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
- - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
- - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
- - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
- condition: or
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'"
+ - "sha256(raw) == 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5'"
+ - "sha256(raw) == 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827'"
+ - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+ - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+ - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+ - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
+ - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+ - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+ - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+ - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
+ - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+ - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+ - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+ - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
+ - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
+ - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+ - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+ - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+ condition: or
diff --git a/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml
index 05606c7e0f..46a7dcfde6 100644
--- a/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml
+++ b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml
@@ -10,16 +10,16 @@ info:
 tags: malware,Dubnium,apt
 file:
- extensions:
- - all
+ - extensions:
+ - all
 matchers:
- type: dsl
- dsl:
- - "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
- - "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
- - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
- - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
- - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
- - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
- condition: or
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
+ - "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
+ - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
+ - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
+ - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
+ - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
+ condition: or
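Review bot: The first two `dsl` entries in dubnium-sshopenssl-malware-hash.yaml, `'6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'` and `'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'`, are 63 hex characters long, so `sha256(raw) == …` can never be true for them and those two indicators are dead weight that the re-indent carries forward. They appear to be the `16f0b05d5e…` and `1feaad03f6…` digests from the dubnium-malware-hash.yaml hunk with the leading digit lost, which should be confirmed against the cited reference before restoring the full values. The same defect is in greenbug-malware-hash.yaml, where `'319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'` is also 63 characters. A template check asserting that every quoted operand of a `sha256(raw) ==` comparison is exactly 64 lowercase hex characters would flag all three.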
diff --git a/file/malware/hash/emissary-malware-hash.yaml b/file/malware/hash/emissary-malware-hash.yaml index dd2cdda30a..49a012292b 100644 --- a/file/malware/hash/emissary-malware-hash.yaml +++ b/file/malware/hash/emissary-malware-hash.yaml 
@@ -10,23 +10,23 @@ info: tags: malware,emissary,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'" - - "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'" - - "sha256(raw) == '0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290'" - - "sha256(raw) == '69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664'" - - "sha256(raw) == '675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc'" - - "sha256(raw) == 'e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b'" - - "sha256(raw) == 'a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8'" - - "sha256(raw) == 'acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9'" - - "sha256(raw) == 'e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d'" - - "sha256(raw) == 'e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538'" - - "sha256(raw) == '29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051'" - - "sha256(raw) == '98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0'" - - "sha256(raw) == 'fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'" + - "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'" + - "sha256(raw) == '0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290'" + - "sha256(raw) == '69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664'" + - "sha256(raw) == '675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc'" + - "sha256(raw) == 'e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b'" + - "sha256(raw) == 'a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8'" + - "sha256(raw) == 
'acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9'" + - "sha256(raw) == 'e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d'" + - "sha256(raw) == 'e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538'" + - "sha256(raw) == '29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051'" + - "sha256(raw) == '98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0'" + - "sha256(raw) == 'fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb'" + condition: or diff --git a/file/malware/hash/fakem-malware-hash.yaml b/file/malware/hash/fakem-malware-hash.yaml index 7c544868af..85f755b7af 100644 --- a/file/malware/hash/fakem-malware-hash.yaml +++ b/file/malware/hash/fakem-malware-hash.yaml 
@@ -11,20 +11,21 @@ info: tags: malware,apt,fakem file: - extensions: - - all + - extensions: + - all + matchers: - type: dsl - dsl: - - "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'" - - "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'" - - "sha256(raw) == '53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60'" - - "sha256(raw) == '4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3'" - - "sha256(raw) == '7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8'" - - "sha256(raw) == '12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d'" - - "sha256(raw) == '9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5'" - - "sha256(raw) == '3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90'" - - "sha256(raw) == '41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33'" - - "sha256(raw) == '53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e'" - - "sha256(raw) == '523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'" + - "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'" + - "sha256(raw) == '53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60'" + - "sha256(raw) == '4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3'" + - "sha256(raw) == '7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8'" + - "sha256(raw) == '12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d'" + - "sha256(raw) == '9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5'" + - "sha256(raw) == '3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90'" + - "sha256(raw) == '41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33'" + - "sha256(raw) == 
'53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e'" + - "sha256(raw) == '523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b'" + condition: or diff --git a/file/malware/hash/furtim-malware-hash.yaml b/file/malware/hash/furtim-malware-hash.yaml index 0b4455f568..599006f431 100644 --- a/file/malware/hash/furtim-malware-hash.yaml +++ b/file/malware/hash/furtim-malware-hash.yaml @@ -11,12 +11,12 @@ info: tags: malware,apt,furtim file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'" - - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'" + - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'" + condition: or diff --git a/file/malware/hash/greenbug-malware-hash.yaml b/file/malware/hash/greenbug-malware-hash.yaml index 10ba934f94..292f206408 100644 --- a/file/malware/hash/greenbug-malware-hash.yaml +++ b/file/malware/hash/greenbug-malware-hash.yaml 
@@ -11,22 +11,22 @@ info:
 tags: malware,Greenbug
 file:
- extensions:
- - all
+ - extensions:
+ - all
 matchers:
- type: dsl
- dsl:
- - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'"
- - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'"
- - "sha256(raw) == '21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685'"
- - "sha256(raw) == '319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'"
- - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
- - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
- - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
- - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
- - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
- - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
- - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
- - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
- condition: or
\ No newline at end of file
+ - type: dsl
+ dsl:
+ - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'"
+ - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'"
+ - "sha256(raw) == '21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685'"
+ - "sha256(raw) == '319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'"
+ - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
+ - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
+ - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
+ - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
+ - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
+ - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
+ - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
+ - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
+ condition: or
\ No newline at end of file
diff --git a/file/malware/hash/industroyer-malware-hash.yaml b/file/malware/hash/industroyer-malware-hash.yaml
index 9a4ccf54db..c66c5d3756 100644
--- a/file/malware/hash/industroyer-malware-hash.yaml
+++ b/file/malware/hash/industroyer-malware-hash.yaml
@@ -10,19 +10,19 @@ info: tags: malware,industroyer,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'" - - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'" - - "sha256(raw) == '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571'" - - "sha256(raw) == '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4'" - - "sha256(raw) == 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77'" - - "sha256(raw) == '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47'" - - "sha256(raw) == '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f'" - - "sha256(raw) == '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561'" - - "sha256(raw) == '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'" + - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'" + - "sha256(raw) == '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571'" + - "sha256(raw) == '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4'" + - "sha256(raw) == 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77'" + - "sha256(raw) == '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47'" + - "sha256(raw) == '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f'" + - "sha256(raw) == '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561'" + - "sha256(raw) == '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad'" + condition: or diff --git a/file/malware/hash/ironPanda-htran-malware-hash.yaml b/file/malware/hash/ironPanda-htran-malware-hash.yaml index 3a237e8ca3..be3cbf2f79 100644 --- a/file/malware/hash/ironPanda-htran-malware-hash.yaml 
+++ b/file/malware/hash/ironPanda-htran-malware-hash.yaml @@ -11,10 +11,10 @@ info: tags: malware,ironpanda file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'" \ No newline at end of file diff --git a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml index 696a548481..cf23adaea5 100644 --- a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml +++ b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml @@ -11,10 +11,10 @@ info: tags: malware,ironpanda file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'" \ No newline at end of file diff --git a/file/malware/hash/ironpanda-malware-hash.yaml b/file/malware/hash/ironpanda-malware-hash.yaml index 241e17b3cd..2cd5242c76 100644 --- a/file/malware/hash/ironpanda-malware-hash.yaml +++ b/file/malware/hash/ironpanda-malware-hash.yaml 
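Review bot: ironPanda-htran-malware-hash.yaml is rewritten end to end here yet still ends without a trailing newline (`\ No newline at end of file` on the `+` side), and the same is true of ironpanda-dnstunclient-malware-hash.yaml and locky-ransomware-hash.yaml further down, of passcv-signingcert-malware-hash.yaml, and of greenbug-malware-hash.yaml. Since every one of these templates is being re-indented in this patch anyway, terminating the last `- "sha256(raw) == …"` (or `condition: or`) line with a newline in the same pass would satisfy yamllint's new-line-at-end-of-file check and keep the next diff to these files from re-touching their last line.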
@@ -9,14 +9,14 @@ info: tags: malware,IronPanda file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'" - - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'" - - "sha256(raw) == '5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742'" - - "sha256(raw) == '0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'" + - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'" + - "sha256(raw) == '5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742'" + - "sha256(raw) == '0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c'" + condition: or diff --git a/file/malware/hash/locky-ransomware-hash.yaml b/file/malware/hash/locky-ransomware-hash.yaml index 0e90f1e79e..bd15b7ff67 100644 --- a/file/malware/hash/locky-ransomware-hash.yaml +++ b/file/malware/hash/locky-ransomware-hash.yaml @@ -11,10 +11,10 @@ info: tags: ransomware,malware file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'" \ No newline at end of file diff --git a/file/malware/hash/minidionis-readerview-malware-hash.yaml b/file/malware/hash/minidionis-readerview-malware-hash.yaml index 1a03e309bc..49d3c5925f 100644 --- a/file/malware/hash/minidionis-readerview-malware-hash.yaml +++ b/file/malware/hash/minidionis-readerview-malware-hash.yaml 
@@ -11,16 +11,16 @@ info: tags: malware,minidionis file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" - - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" - - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" - - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" + - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" + - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" + - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" + condition: or diff --git a/file/malware/hash/minidionis-vbs-malware-hash.yaml b/file/malware/hash/minidionis-vbs-malware-hash.yaml index 833c4a0c82..1c4a0c6d05 100644 --- a/file/malware/hash/minidionis-vbs-malware-hash.yaml +++ b/file/malware/hash/minidionis-vbs-malware-hash.yaml @@ -10,10 +10,10 @@ info: tags: malware,minidionis file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'" + - type: dsl + dsl: + - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'" diff --git a/file/malware/hash/naikon-apt-malware-hash.yaml b/file/malware/hash/naikon-apt-malware-hash.yaml index 7e7011d5b1..ddb8f9177a 100644 
--- a/file/malware/hash/naikon-apt-malware-hash.yaml +++ b/file/malware/hash/naikon-apt-malware-hash.yaml @@ -8,12 +8,12 @@ info: tags: malware,naikon file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'" - - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'" + - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'" + condition: or diff --git a/file/malware/hash/neuron2-malware-hash.yaml b/file/malware/hash/neuron2-malware-hash.yaml index d90848501f..bed555af53 100644 --- a/file/malware/hash/neuron2-malware-hash.yaml +++ b/file/malware/hash/neuron2-malware-hash.yaml @@ -9,12 +9,12 @@ info: tags: malware,turla,neuron2,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'" - - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'" + - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'" + condition: or diff --git a/file/malware/hash/oilrig-malware-hash.yaml b/file/malware/hash/oilrig-malware-hash.yaml index 62bf87eb9c..cbd6353198 100644 --- a/file/malware/hash/oilrig-malware-hash.yaml +++ b/file/malware/hash/oilrig-malware-hash.yaml 
@@ -11,35 +11,35 @@ info: tags: malware,oilrig,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'" - - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'" - - "sha256(raw) == '662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f'" - - "sha256(raw) == '903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996'" - - "sha256(raw) == 'c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da'" - - "sha256(raw) == '57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4'" - - "sha256(raw) == '1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1'" - - "sha256(raw) == '9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777'" - - "sha256(raw) == '0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e'" - - "sha256(raw) == '4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281'" - - "sha256(raw) == '4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353'" - - "sha256(raw) == 'c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51'" - - "sha256(raw) == 'f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2'" - - "sha256(raw) == '0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39'" - - "sha256(raw) == 'd874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d'" - - "sha256(raw) == '8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9'" - - "sha256(raw) == '55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579'" - - "sha256(raw) == '528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b'" - - "sha256(raw) == '93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0'" - - "sha256(raw) == 'e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa'" - - "sha256(raw) == '9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471'" - - "sha256(raw) == 
'a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064'" - - "sha256(raw) == '3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff'" - - "sha256(raw) == '3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4'" - - "sha256(raw) == 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'" + - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'" + - "sha256(raw) == '662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f'" + - "sha256(raw) == '903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996'" + - "sha256(raw) == 'c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da'" + - "sha256(raw) == '57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4'" + - "sha256(raw) == '1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1'" + - "sha256(raw) == '9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777'" + - "sha256(raw) == '0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e'" + - "sha256(raw) == '4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281'" + - "sha256(raw) == '4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353'" + - "sha256(raw) == 'c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51'" + - "sha256(raw) == 'f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2'" + - "sha256(raw) == '0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39'" + - "sha256(raw) == 'd874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d'" + - "sha256(raw) == '8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9'" + - "sha256(raw) == '55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579'" + - "sha256(raw) == '528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b'" + - "sha256(raw) == 
'93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0'" + - "sha256(raw) == 'e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa'" + - "sha256(raw) == '9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471'" + - "sha256(raw) == 'a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064'" + - "sha256(raw) == '3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff'" + - "sha256(raw) == '3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4'" + - "sha256(raw) == 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e'" + condition: or diff --git a/file/malware/hash/passcv-ntscan-malware-hash.yaml b/file/malware/hash/passcv-ntscan-malware-hash.yaml index 3a03868558..9fbb090bde 100644 --- a/file/malware/hash/passcv-ntscan-malware-hash.yaml +++ b/file/malware/hash/passcv-ntscan-malware-hash.yaml @@ -10,10 +10,10 @@ info: tags: malware,passcv file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'" + - type: dsl + dsl: + - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'" diff --git a/file/malware/hash/passcv-sabre-malware-hash.yaml b/file/malware/hash/passcv-sabre-malware-hash.yaml index f3baf97e41..9a3a004ed8 100644 --- a/file/malware/hash/passcv-sabre-malware-hash.yaml +++ b/file/malware/hash/passcv-sabre-malware-hash.yaml 
@@ -11,19 +11,19 @@ info: tags: malware,passcv file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'" - - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'" - - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'" - - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'" - - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'" - - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'" - - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'" - - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'" - - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'" + - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'" + - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'" + - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'" + - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'" + - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'" + - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'" + - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'" + - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'" + condition: or diff --git a/file/malware/hash/passcv-signingcert-malware-hash.yaml b/file/malware/hash/passcv-signingcert-malware-hash.yaml index d2f38966aa..29dd4de59e 100644 --- a/file/malware/hash/passcv-signingcert-malware-hash.yaml 
+++ b/file/malware/hash/passcv-signingcert-malware-hash.yaml @@ -11,10 +11,10 @@ info: tags: malware,passcv file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'" \ No newline at end of file diff --git a/file/malware/hash/petya-ransomware-hash.yaml b/file/malware/hash/petya-ransomware-hash.yaml index a4ced71871..c365c43943 100644 --- a/file/malware/hash/petya-ransomware-hash.yaml +++ b/file/malware/hash/petya-ransomware-hash.yaml @@ -10,10 +10,10 @@ info: tags: ransomware,malware file: - extensions: + - extensions: - all matchers: - type: dsl - dsl: - - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'" + - type: dsl + dsl: + - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'" diff --git a/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml index 8f0f4d8467..218921c76b 100644 --- a/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml +++ b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml 
@@ -10,18 +10,18 @@ info: tags: malware,poseidon file: - extensions: - - doc - - docx + - extensions: + - doc + - docx matchers: - type: dsl - dsl: - - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'" - - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'" - - "sha256(raw) == 'f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a'" - - "sha256(raw) == 'ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed'" - - "sha256(raw) == '27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778'" - - "sha256(raw) == '1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216'" - - "sha256(raw) == '0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'" + - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'" + - "sha256(raw) == 'f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a'" + - "sha256(raw) == 'ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed'" + - "sha256(raw) == '27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778'" + - "sha256(raw) == '1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216'" + - "sha256(raw) == '0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b'" + condition: or diff --git a/file/malware/hash/poseidongroup-malware-hash.yaml b/file/malware/hash/poseidongroup-malware-hash.yaml index 8a13db558d..c35c402241 100644 --- a/file/malware/hash/poseidongroup-malware-hash.yaml +++ b/file/malware/hash/poseidongroup-malware-hash.yaml 
@@ -10,17 +10,17 @@ info: tags: malware file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'" - - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'" - - "sha256(raw) == '432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61'" - - "sha256(raw) == '8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47'" - - "sha256(raw) == 'd090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f'" - - "sha256(raw) == 'd7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb'" - - "sha256(raw) == 'ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'" + - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'" + - "sha256(raw) == '432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61'" + - "sha256(raw) == '8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47'" + - "sha256(raw) == 'd090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f'" + - "sha256(raw) == 'd7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb'" + - "sha256(raw) == 'ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3'" + condition: or diff --git a/file/malware/hash/purplewave-malware-hash.yaml b/file/malware/hash/purplewave-malware-hash.yaml index 8492e1a9c7..6ee8e00cd5 100644 --- a/file/malware/hash/purplewave-malware-hash.yaml +++ b/file/malware/hash/purplewave-malware-hash.yaml 
@@ -9,19 +9,19 @@ info: tags: malware,apt,purplewave file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'" - - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'" - - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'" - - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'" - - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'" - - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'" - - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'" - - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'" - - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'" + - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'" + - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'" + - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'" + - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'" + - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'" + - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'" + - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'" + - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'" + condition: or diff --git a/file/malware/hash/red-leaves-malware-hash.yaml b/file/malware/hash/red-leaves-malware-hash.yaml index 06a4716156..6a5eef6859 100644 --- a/file/malware/hash/red-leaves-malware-hash.yaml 
+++ b/file/malware/hash/red-leaves-malware-hash.yaml @@ -11,10 +11,10 @@ info: tags: malware,apt,red-leaves file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'" \ No newline at end of file diff --git a/file/malware/hash/revil-ransomware-hash.yaml b/file/malware/hash/revil-ransomware-hash.yaml index 61adf28cd9..2e441956a5 100644 --- a/file/malware/hash/revil-ransomware-hash.yaml +++ b/file/malware/hash/revil-ransomware-hash.yaml @@ -11,12 +11,13 @@ info: tags: ransomware,malware file: - extensions: - - all + - extensions: + - all + matchers: - type: dsl - dsl: - - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'" - - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'" - - "sha256(raw) == 'ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'" + - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'" + - "sha256(raw) == 'ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4'" + condition: or diff --git a/file/malware/hash/rokrat-malware-hash.yaml b/file/malware/hash/rokrat-malware-hash.yaml index e87b5e645e..f28b8b56a2 100644 --- a/file/malware/hash/rokrat-malware-hash.yaml +++ b/file/malware/hash/rokrat-malware-hash.yaml 
@@ -11,10 +11,10 @@ info: tags: malware,taudprkapt file: - extensions: + - extensions: - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'" \ No newline at end of file diff --git a/file/malware/hash/sauron-malware-hash.yaml b/file/malware/hash/sauron-malware-hash.yaml index 971ab64786..5f5b46eeb3 100644 --- a/file/malware/hash/sauron-malware-hash.yaml +++ b/file/malware/hash/sauron-malware-hash.yaml 
@@ -10,17 +10,17 @@ info: tags: malware,apt,sauron file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'" - - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'" - - "sha256(raw) == 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec'" - - "sha256(raw) == 'e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57'" - - "sha256(raw) == '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8'" - - "sha256(raw) == '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca'" - - "sha256(raw) == '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'" + - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'" + - "sha256(raw) == 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec'" + - "sha256(raw) == 'e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57'" + - "sha256(raw) == '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8'" + - "sha256(raw) == '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca'" + - "sha256(raw) == '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd'" + condition: or diff --git a/file/malware/hash/seaduke-malware-hash.yaml b/file/malware/hash/seaduke-malware-hash.yaml index 42ed6c7871..4b7f2f119e 100644 --- a/file/malware/hash/seaduke-malware-hash.yaml +++ b/file/malware/hash/seaduke-malware-hash.yaml 
@@ -9,10 +9,10 @@ info: tags: malware,seaduke file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'" \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'" \ No newline at end of file diff --git a/file/malware/hash/sfx1-malware-hash.yaml b/file/malware/hash/sfx1-malware-hash.yaml index 7158918abc..c763fff943 100644 --- a/file/malware/hash/sfx1-malware-hash.yaml +++ b/file/malware/hash/sfx1-malware-hash.yaml @@ -10,12 +10,12 @@ info: tags: malware,sfx1 file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'" - - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'" + - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'" + condition: or diff --git a/file/malware/hash/sfxrar-acrotray-malware-hash.yaml b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml index ea95e45d7a..c0d5f62dd4 100644 --- a/file/malware/hash/sfxrar-acrotray-malware-hash.yaml +++ b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml 
@@ -9,13 +9,13 @@ info: tags: malware,apt,sfx file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'" - - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'" - - "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'" - condition: or \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'" + - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'" + - "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/sofacy-Winexe-malware-hash.yaml b/file/malware/hash/sofacy-Winexe-malware-hash.yaml index 90dd6d8329..0306f2f9de 100644 --- a/file/malware/hash/sofacy-Winexe-malware-hash.yaml +++ b/file/malware/hash/sofacy-Winexe-malware-hash.yaml @@ -11,10 +11,10 @@ info: tags: malware,sofacy file: - extensions: - - exe + - extensions: + - exe matchers: - type: dsl - dsl: - - "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'" + - type: dsl + dsl: + - "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'" diff --git a/file/malware/hash/sofacy-bundestag-malware-hash.yaml b/file/malware/hash/sofacy-bundestag-malware-hash.yaml index 7d27e960c4..40d4c6ae20 100644 --- a/file/malware/hash/sofacy-bundestag-malware-hash.yaml +++ b/file/malware/hash/sofacy-bundestag-malware-hash.yaml 
@@ -11,12 +11,12 @@ info: tags: malware,sofacy file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'" - - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'" + - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'" + condition: or diff --git a/file/malware/hash/sofacy-fybis-malware-hash.yaml b/file/malware/hash/sofacy-fybis-malware-hash.yaml index a285d60b0c..bce5e40be5 100644 --- a/file/malware/hash/sofacy-fybis-malware-hash.yaml +++ b/file/malware/hash/sofacy-fybis-malware-hash.yaml @@ -9,13 +9,13 @@ info: tags: malware,sofacy file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'" - - "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'" - - "sha256(raw) == 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'" + - "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'" + - "sha256(raw) == 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61'" + condition: or diff --git a/file/malware/hash/tidepool-malware-hash.yaml b/file/malware/hash/tidepool-malware-hash.yaml index 7346f6a7a4..8cf1c20e7f 100644 --- a/file/malware/hash/tidepool-malware-hash.yaml +++ b/file/malware/hash/tidepool-malware-hash.yaml 
@@ -11,14 +11,14 @@ info: tags: malware,tidepool file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'" - - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'" - - "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'" - - "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'" + - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'" + - "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'" + - "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'" + condition: or diff --git a/file/malware/hash/turla-malware-hash.yaml b/file/malware/hash/turla-malware-hash.yaml index de64dd35bc..831b2188c4 100644 --- a/file/malware/hash/turla-malware-hash.yaml +++ b/file/malware/hash/turla-malware-hash.yaml 
@@ -10,20 +10,20 @@ info: tags: malware,turla,apt,ruag file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'" - - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'" - - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'" - - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'" - - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'" - - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'" - - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'" - - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'" - - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'" - - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'" - condition: or \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'" + - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'" + - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'" + - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'" + - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'" + - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'" + - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'" + - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'" + - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'" + - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'" + condition: or \ No newline at end of 
file diff --git a/file/malware/hash/unit78020-malware-hash.yaml b/file/malware/hash/unit78020-malware-hash.yaml index 3f1812b208..a380d5a7d9 100644 --- a/file/malware/hash/unit78020-malware-hash.yaml +++ b/file/malware/hash/unit78020-malware-hash.yaml @@ -11,16 +11,16 @@ info: tags: malware,unit78020 file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'" - - "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'" - - "sha256(raw) == '2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac'" - - "sha256(raw) == '5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2'" - - "sha256(raw) == '7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af'" - - "sha256(raw) == '88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790'" - condition: or + - type: dsl + dsl: + - "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'" + - "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'" + - "sha256(raw) == '2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac'" + - "sha256(raw) == '5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2'" + - "sha256(raw) == '7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af'" + - "sha256(raw) == '88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790'" + condition: or diff --git a/file/malware/hash/wildneutron-malware-hash.yaml b/file/malware/hash/wildneutron-malware-hash.yaml index 1c1a5cfd67..ef44dc7f11 100644 --- a/file/malware/hash/wildneutron-malware-hash.yaml +++ b/file/malware/hash/wildneutron-malware-hash.yaml 
@@ -11,21 +11,21 @@ info: tags: malware,wildneutron,apt file: - extensions: - - all + - extensions: + - all matchers: - type: dsl - dsl: - - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'" - - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'" - - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'" - - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'" - - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'" - - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'" - - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'" - - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'" - - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'" - - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'" - - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'" - condition: or \ No newline at end of file + - type: dsl + dsl: + - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'" + - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'" + - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'" + - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'" + - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'" + - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'" + - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'" + - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'" + - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'" + - "sha256(raw) == 
'758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'" + - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'" + condition: or \ No newline at end of file From 413bcc4ce8a0adf838d2fe31bbc58606e25f1e2d Mon Sep 17 00:00:00 2001 
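Review bot: The re-indented `dsl` list on the new side still carries `758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92` twice (the seventh and tenth `sha256(raw) ==` entries), so one of the two `- "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"` lines should be dropped; a duplicate IoC is harmless at match time but inflates the indicator count and makes the list harder to audit against its source report. Since the commit rewrites every line of this block anyway, it is the natural place to dedupe. The new side also keeps `\ No newline at end of file`; ending the file with a single newline would avoid the same marker reappearing in the next reformat.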
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Thu, 20 Jun 2024 18:46:17 +0530 Subject: [PATCH 7/8] minor - changes --- .../hash/anthem-deeppanda-malware-hash.yaml | 12 ++-- .../hash/blackenergy-driver-amdide-hash.yaml | 24 ++++---- .../hash/blackenergy-driver-malware-hash.yaml | 24 ++++---- .../hash/bluetermite-emdivi-malware-hash.yaml | 38 ++++++------ .../hash/bluetermite-emdivi-sfx-hash.yaml | 12 ++-- .../hash/cheshirecat-malware-hash.yaml | 16 ++--- file/malware/hash/cloudduke-malware-hash.yaml | 38 ++++++------ file/malware/hash/codoso-gh0st-malware.yaml | 16 ++--- file/malware/hash/codoso-malware-hash.yaml | 20 +++---- .../malware/hash/codoso-pgv-malware-hash.yaml | 16 ++--- .../hash/codoso-plugx-malware-hash.yaml | 16 ++--- file/malware/hash/dubnium-malware-hash.yaml | 57 +++++++++--------- .../hash/dubnium-sshopenssl-malware-hash.yaml | 21 +++---- file/malware/hash/emissary-malware-hash.yaml | 35 +++++------ file/malware/hash/fakem-malware-hash.yaml | 30 +++++----- file/malware/hash/furtim-malware-hash.yaml | 12 ++-- file/malware/hash/greenbug-malware-hash.yaml | 32 +++++----- .../hash/industroyer-malware-hash.yaml | 26 ++++----- .../hash/ironPanda-htran-malware-hash.yaml | 8 +-- .../ironpanda-dnstunclient-malware-hash.yaml | 8 +-- file/malware/hash/ironpanda-malware-hash.yaml | 16 ++--- file/malware/hash/locky-ransomware-hash.yaml | 8 +-- .../minidionis-readerview-malware-hash.yaml | 20 +++---- .../hash/minidionis-vbs-malware-hash.yaml | 8 +-- .../malware/hash/naikon-apt-malware-hash.yaml | 12 ++-- file/malware/hash/neuron2-malware-hash.yaml | 12 ++-- file/malware/hash/oilrig-malware-hash.yaml | 58 +++++++++---------- .../hash/passcv-ntscan-malware-hash.yaml | 8 +-- .../hash/passcv-sabre-malware-hash.yaml | 26 ++++----- .../hash/passcv-signingcert-malware-hash.yaml | 8 +-- file/malware/hash/petya-ransomware-hash.yaml | 8 +-- .../poseidongroup-maldoc-malware-hash.yaml | 22 +++---- .../hash/poseidongroup-malware-hash.yaml | 22 +++---- 
.../malware/hash/purplewave-malware-hash.yaml | 26 ++++----- .../malware/hash/red-leaves-malware-hash.yaml | 8 +-- file/malware/hash/revil-ransomware-hash.yaml | 14 ++--- file/malware/hash/rokrat-malware-hash.yaml | 8 +-- file/malware/hash/sauron-malware-hash.yaml | 22 +++---- file/malware/hash/seaduke-malware-hash.yaml | 8 +-- file/malware/hash/sfx1-malware-hash.yaml | 12 ++-- .../hash/sfxrar-acrotray-malware-hash.yaml | 14 ++--- .../hash/sofacy-Winexe-malware-hash.yaml | 8 +-- .../hash/sofacy-bundestag-malware-hash.yaml | 12 ++-- .../hash/sofacy-fybis-malware-hash.yaml | 14 ++--- file/malware/hash/tidepool-malware-hash.yaml | 16 ++--- file/malware/hash/turla-malware-hash.yaml | 28 ++++----- file/malware/hash/unit78020-malware-hash.yaml | 20 +++---- .../hash/wildneutron-malware-hash.yaml | 30 +++++----- 48 files changed, 467 insertions(+), 462 deletions(-) diff --git a/file/malware/hash/anthem-deeppanda-malware-hash.yaml b/file/malware/hash/anthem-deeppanda-malware-hash.yaml index d3ade4ee2c..8c9bf630b8 100644 --- a/file/malware/hash/anthem-deeppanda-malware-hash.yaml +++ b/file/malware/hash/anthem-deeppanda-malware-hash.yaml @@ -13,9 +13,9 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'" - - "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'" + - "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'" + condition: or diff --git a/file/malware/hash/blackenergy-driver-amdide-hash.yaml b/file/malware/hash/blackenergy-driver-amdide-hash.yaml index 0bdfde5343..dc80570888 100644 --- a/file/malware/hash/blackenergy-driver-amdide-hash.yaml +++ b/file/malware/hash/blackenergy-driver-amdide-hash.yaml 
@@ -1,6 +1,8 @@ id: blackenergy-driver-amdide-hash info: name: Blackenergy-Driver Amdide Hash - Detect + author: pussycat0x + severity: info description: | Detects the AMDIDE driver from BlackEnergy malware reference: @@ -11,14 +13,14 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'" - - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'" - - "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'" - - "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'" - - "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'" - - "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'" - - "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'" + - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'" + - "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'" + - "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'" + - "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'" + - "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'" + - "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'" + condition: or diff --git a/file/malware/hash/blackenergy-driver-malware-hash.yaml b/file/malware/hash/blackenergy-driver-malware-hash.yaml index ba0cc65e80..716ed3a42c 100644 --- a/file/malware/hash/blackenergy-driver-malware-hash.yaml +++ b/file/malware/hash/blackenergy-driver-malware-hash.yaml 
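Review bot: The added `severity: info` in the first hunk classifies a positive match on a known BlackEnergy driver hash as informational, the lowest level nuclei reports and the one most often filtered out in triage, even though a hit on this matcher means a known-malicious file is present on disk. Unless the other hash templates in this directory deliberately use `info` (their severity lines are not part of this diff), a higher level seems warranted; if `info` is the repository convention, a short comment such as `# info: hash match only, severity set by the consuming pipeline` beside it would make that intent explicit. The `description:` block and the rest of the `info` mapping continue outside the hunk.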
@@ -12,15 +12,15 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'" - - "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'" - - "sha256(raw) == 'edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281'" - - "sha256(raw) == 'ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc'" - - "sha256(raw) == '7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291'" - - "sha256(raw) == '405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5'" - - "sha256(raw) == '244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5'" - - "sha256(raw) == 'edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'" + - "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'" + - "sha256(raw) == 'edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281'" + - "sha256(raw) == 'ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc'" + - "sha256(raw) == '7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291'" + - "sha256(raw) == '405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5'" + - "sha256(raw) == '244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5'" + - "sha256(raw) == 'edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf'" + condition: or diff --git a/file/malware/hash/bluetermite-emdivi-malware-hash.yaml b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml index 964d0dc509..3b2faa0675 100644 --- a/file/malware/hash/bluetermite-emdivi-malware-hash.yaml +++ b/file/malware/hash/bluetermite-emdivi-malware-hash.yaml 
@@ -12,22 +12,22 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" - - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" - - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" - - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" - - "sha256(raw) == '9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1'" - - "sha256(raw) == 'a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012'" - - "sha256(raw) == '9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4'" - - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" - - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" - - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" - - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" - - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" - - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" - - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" - - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" - condition: or \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" + - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" + - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" + - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" + - "sha256(raw) == '9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1'" + - "sha256(raw) == 
'a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012'" + - "sha256(raw) == '9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4'" + - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" + - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" + - "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'" + - "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'" + - "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'" + - "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'" + - "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'" + - "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml index 22a895caa0..3f28f778d6 100644 --- a/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml +++ b/file/malware/hash/bluetermite-emdivi-sfx-hash.yaml @@ -12,9 +12,9 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'" - - "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'" + - "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'" + condition: or diff --git a/file/malware/hash/cheshirecat-malware-hash.yaml b/file/malware/hash/cheshirecat-malware-hash.yaml index f1e02e0ecc..8d519923bf 100644 --- a/file/malware/hash/cheshirecat-malware-hash.yaml +++ b/file/malware/hash/cheshirecat-malware-hash.yaml 
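Review bot: The re-indented dsl list in this hunk still carries the same hashes twice — `'17e646ca…'`, `'3553c136…'`, `'6a331c4e…'`, `'90d07ea2…'`, `'008f4f14…'` and `'a94bf485…'` each appear a second time — so 15 entries encode only 9 unique IoCs. With `condition: or` a duplicate cannot change the verdict, but it inflates the apparent coverage of the template and adds needless comparisons per scanned file; dropping the second occurrence of each is a pure cleanup. The cloudduke hunk (ending at L120), codoso-pgv (L122), codoso-plugx (L123), dubnium (L124–L126) and greenbug (L132–L133) hunks have the same repeated entries and the same fix applies there. Several of these files, this one included, also keep `\ No newline at end of file` on the new side; ending them with a newline would satisfy the usual yamllint rule.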
@@ -12,11 +12,11 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'" - - "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'" - - "sha256(raw) == '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb'" - - "sha256(raw) == 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'" + - "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'" + - "sha256(raw) == '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb'" + - "sha256(raw) == 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532'" + condition: or diff --git a/file/malware/hash/cloudduke-malware-hash.yaml b/file/malware/hash/cloudduke-malware-hash.yaml index 3b155c5fbf..63cd486b98 100644 --- a/file/malware/hash/cloudduke-malware-hash.yaml +++ b/file/malware/hash/cloudduke-malware-hash.yaml 
@@ -12,22 +12,22 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" - - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" - - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" - - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" - - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" - - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" - - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" - - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" - - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" - - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" - condition: or \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" + - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'" + - "sha256(raw) == 
'88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" + - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" + - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" + - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" + - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" + - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" + - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" + - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/codoso-gh0st-malware.yaml b/file/malware/hash/codoso-gh0st-malware.yaml index 39268274b4..161737bc43 100644 --- a/file/malware/hash/codoso-gh0st-malware.yaml +++ b/file/malware/hash/codoso-gh0st-malware.yaml @@ -12,11 +12,11 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'" - - "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'" - - "sha256(raw) == '7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8'" - - "sha256(raw) == 'd7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'" + - "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'" + - "sha256(raw) == '7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8'" + - "sha256(raw) == 'd7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297'" + condition: or 
diff --git a/file/malware/hash/codoso-malware-hash.yaml b/file/malware/hash/codoso-malware-hash.yaml index 53e46b086d..c3def1f955 100644 --- a/file/malware/hash/codoso-malware-hash.yaml +++ b/file/malware/hash/codoso-malware-hash.yaml @@ -14,13 +14,13 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'" - - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'" - - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'" - - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'" - - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'" - - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'" + - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'" + - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'" + - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'" + - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'" + - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'" + condition: or diff --git a/file/malware/hash/codoso-pgv-malware-hash.yaml b/file/malware/hash/codoso-pgv-malware-hash.yaml index f346a94739..59c7269679 100644 --- a/file/malware/hash/codoso-pgv-malware-hash.yaml +++ b/file/malware/hash/codoso-pgv-malware-hash.yaml 
@@ -14,11 +14,11 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" - - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'" - - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'" - - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" - condition: or \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" + - "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'" + - "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'" + - "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/codoso-plugx-malware-hash.yaml b/file/malware/hash/codoso-plugx-malware-hash.yaml index 272333b851..4eb060ec8b 100644 --- a/file/malware/hash/codoso-plugx-malware-hash.yaml +++ b/file/malware/hash/codoso-plugx-malware-hash.yaml 
@@ -14,11 +14,11 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" - - "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'" - - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" - - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" + - "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'" + - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" + - "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'" + condition: or diff --git a/file/malware/hash/dubnium-malware-hash.yaml b/file/malware/hash/dubnium-malware-hash.yaml index 5d8aa8e443..716cea49e8 100644 --- a/file/malware/hash/dubnium-malware-hash.yaml +++ b/file/malware/hash/dubnium-malware-hash.yaml @@ -2,6 +2,7 @@ id: dubnium-malware-hash info: name: Dubnium Malware Hash - Detect author: pussycat0x + severity: info description: | Detects sample mentioned in the Dubnium Report reference: 
@@ -13,31 +14,31 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" - - "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'" - - "sha256(raw) == 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5'" - - "sha256(raw) == 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827'" - - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" - - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" - - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" - - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" - - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" - - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'" - - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" - - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" - - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" - - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" - - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" - - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'" - - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" - - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" - - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" - - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" - - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" - - "sha256(raw) == 
'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" - - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" - - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" + - "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'" + - "sha256(raw) == 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5'" + - "sha256(raw) == 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827'" + - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" + - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" + - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" + - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" + - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" + - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'" + - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" + - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" + - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" + - "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" + - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" + - "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'" + - "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" + - "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" + - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" + - "sha256(raw) == 
'5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'" + - "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'" + - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" + - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" + - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" + condition: or diff --git a/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml index 46a7dcfde6..879d378ea6 100644 --- a/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml +++ b/file/malware/hash/dubnium-sshopenssl-malware-hash.yaml @@ -2,6 +2,7 @@ id: dubnium-sshopenssl-malware-hash info: name: Dubnium Sample SSHOpenSSL Hash - Detect author: pussycat0x + severity: info description: | Detects sample mentioned in the Dubnium Report reference: 
@@ -13,13 +14,13 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" - - "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" - - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" - - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" - - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" - - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'" + - "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'" + - "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'" + - "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'" + - "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'" + - "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'" + condition: or diff --git a/file/malware/hash/emissary-malware-hash.yaml b/file/malware/hash/emissary-malware-hash.yaml index 49a012292b..96d7fbea35 100644 --- a/file/malware/hash/emissary-malware-hash.yaml +++ b/file/malware/hash/emissary-malware-hash.yaml @@ -2,6 +2,7 @@ id: emissary-malware-hash info: name: Emissary APT Malware Hash - Detect author: pussycat0x + severity: info description: | Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll reference: 
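Review bot: The first two dsl entries on the new side of this hunk, `'6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'` and `'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'`, are 63 hex characters long, so `sha256(raw) == …` can never be true for them and the matcher is dead for those samples. They appear to be the dubnium-malware-hash values `'16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'` and `'1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'` (hunk ending at L126) with the leading digit lost, so restoring that digit is the likely fix, to be confirmed against the referenced report. The greenbug hunk (L132–L133) has the same defect in `'319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'` (63 characters), and that file gives no full-length counterpart, so the value has to be re-checked at its source rather than guessed. A template lint that asserts every sha256 literal is exactly 64 lowercase hex characters would have caught both.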
@@ -13,20 +14,20 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'" - - "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'" - - "sha256(raw) == '0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290'" - - "sha256(raw) == '69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664'" - - "sha256(raw) == '675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc'" - - "sha256(raw) == 'e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b'" - - "sha256(raw) == 'a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8'" - - "sha256(raw) == 'acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9'" - - "sha256(raw) == 'e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d'" - - "sha256(raw) == 'e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538'" - - "sha256(raw) == '29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051'" - - "sha256(raw) == '98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0'" - - "sha256(raw) == 'fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'" + - "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'" + - "sha256(raw) == '0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290'" + - "sha256(raw) == '69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664'" + - "sha256(raw) == '675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc'" + - "sha256(raw) == 'e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b'" + - "sha256(raw) == 'a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8'" + - "sha256(raw) == 'acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9'" + - "sha256(raw) == 
'e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d'" + - "sha256(raw) == 'e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538'" + - "sha256(raw) == '29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051'" + - "sha256(raw) == '98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0'" + - "sha256(raw) == 'fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/fakem-malware-hash.yaml b/file/malware/hash/fakem-malware-hash.yaml index 85f755b7af..2935d5bbe1 100644 --- a/file/malware/hash/fakem-malware-hash.yaml +++ b/file/malware/hash/fakem-malware-hash.yaml 
@@ -14,18 +14,18 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'" - - "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'" - - "sha256(raw) == '53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60'" - - "sha256(raw) == '4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3'" - - "sha256(raw) == '7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8'" - - "sha256(raw) == '12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d'" - - "sha256(raw) == '9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5'" - - "sha256(raw) == '3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90'" - - "sha256(raw) == '41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33'" - - "sha256(raw) == '53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e'" - - "sha256(raw) == '523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'" + - "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'" + - "sha256(raw) == '53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60'" + - "sha256(raw) == '4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3'" + - "sha256(raw) == '7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8'" + - "sha256(raw) == '12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d'" + - "sha256(raw) == '9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5'" + - "sha256(raw) == '3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90'" + - "sha256(raw) == '41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33'" + - "sha256(raw) == '53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e'" + - "sha256(raw) == 
'523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b'" + condition: or diff --git a/file/malware/hash/furtim-malware-hash.yaml b/file/malware/hash/furtim-malware-hash.yaml index 599006f431..04c67fca6a 100644 --- a/file/malware/hash/furtim-malware-hash.yaml +++ b/file/malware/hash/furtim-malware-hash.yaml @@ -14,9 +14,9 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'" - - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'" + - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'" + condition: or diff --git a/file/malware/hash/greenbug-malware-hash.yaml b/file/malware/hash/greenbug-malware-hash.yaml index 292f206408..de608feb9b 100644 --- a/file/malware/hash/greenbug-malware-hash.yaml +++ b/file/malware/hash/greenbug-malware-hash.yaml 
@@ -14,19 +14,19 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'" - - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'" - - "sha256(raw) == '21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685'" - - "sha256(raw) == '319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'" - - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'" - - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'" - - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'" - - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'" - - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'" - - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'" - - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'" - - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'" - condition: or \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'" + - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'" + - "sha256(raw) == '21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685'" + - "sha256(raw) == '319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'" + - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'" + - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'" + - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'" + - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'" + - "sha256(raw) == 
'308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'" + - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'" + - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'" + - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/industroyer-malware-hash.yaml b/file/malware/hash/industroyer-malware-hash.yaml index c66c5d3756..c1798d81c4 100644 --- a/file/malware/hash/industroyer-malware-hash.yaml +++ b/file/malware/hash/industroyer-malware-hash.yaml 
@@ -13,16 +13,16 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'" - - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'" - - "sha256(raw) == '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571'" - - "sha256(raw) == '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4'" - - "sha256(raw) == 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77'" - - "sha256(raw) == '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47'" - - "sha256(raw) == '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f'" - - "sha256(raw) == '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561'" - - "sha256(raw) == '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'" + - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'" + - "sha256(raw) == '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571'" + - "sha256(raw) == '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4'" + - "sha256(raw) == 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77'" + - "sha256(raw) == '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47'" + - "sha256(raw) == '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f'" + - "sha256(raw) == '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561'" + - "sha256(raw) == '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad'" + condition: or diff --git a/file/malware/hash/ironPanda-htran-malware-hash.yaml b/file/malware/hash/ironPanda-htran-malware-hash.yaml index be3cbf2f79..b8cc9c0d46 100644 --- a/file/malware/hash/ironPanda-htran-malware-hash.yaml +++ b/file/malware/hash/ironPanda-htran-malware-hash.yaml 
@@ -14,7 +14,7 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'" \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'" \ No newline at end of file diff --git a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml index cf23adaea5..3bacd1aef4 100644 --- a/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml +++ b/file/malware/hash/ironpanda-dnstunclient-malware-hash.yaml @@ -14,7 +14,7 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'" \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'" \ No newline at end of file diff --git a/file/malware/hash/ironpanda-malware-hash.yaml b/file/malware/hash/ironpanda-malware-hash.yaml index 2cd5242c76..dba97a70dd 100644 --- a/file/malware/hash/ironpanda-malware-hash.yaml +++ b/file/malware/hash/ironpanda-malware-hash.yaml 
@@ -12,11 +12,11 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'" - - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'" - - "sha256(raw) == '5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742'" - - "sha256(raw) == '0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'" + - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'" + - "sha256(raw) == '5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742'" + - "sha256(raw) == '0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c'" + condition: or diff --git a/file/malware/hash/locky-ransomware-hash.yaml b/file/malware/hash/locky-ransomware-hash.yaml index bd15b7ff67..8092b89a1d 100644 --- a/file/malware/hash/locky-ransomware-hash.yaml +++ b/file/malware/hash/locky-ransomware-hash.yaml @@ -14,7 +14,7 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'" \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'" \ No newline at end of file diff --git a/file/malware/hash/minidionis-readerview-malware-hash.yaml b/file/malware/hash/minidionis-readerview-malware-hash.yaml index 49d3c5925f..ff0bf7ff66 100644 --- a/file/malware/hash/minidionis-readerview-malware-hash.yaml +++ b/file/malware/hash/minidionis-readerview-malware-hash.yaml 
@@ -14,13 +14,13 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" - - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" - - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" - - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" - - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" - - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'" + - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'" + - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'" + - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'" + - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'" + - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'" + condition: or diff --git a/file/malware/hash/minidionis-vbs-malware-hash.yaml b/file/malware/hash/minidionis-vbs-malware-hash.yaml index 1c4a0c6d05..73d5179ee0 100644 --- a/file/malware/hash/minidionis-vbs-malware-hash.yaml +++ b/file/malware/hash/minidionis-vbs-malware-hash.yaml @@ -13,7 +13,7 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'" + matchers: + - type: dsl + dsl: + - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'" diff --git a/file/malware/hash/naikon-apt-malware-hash.yaml b/file/malware/hash/naikon-apt-malware-hash.yaml index ddb8f9177a..c4fc21e7ab 100644 --- a/file/malware/hash/naikon-apt-malware-hash.yaml 
+++ b/file/malware/hash/naikon-apt-malware-hash.yaml @@ -11,9 +11,9 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'" - - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'" + - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'" + condition: or diff --git a/file/malware/hash/neuron2-malware-hash.yaml b/file/malware/hash/neuron2-malware-hash.yaml index bed555af53..3af07aaeb5 100644 --- a/file/malware/hash/neuron2-malware-hash.yaml +++ b/file/malware/hash/neuron2-malware-hash.yaml @@ -12,9 +12,9 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'" - - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'" + - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'" + condition: or diff --git a/file/malware/hash/oilrig-malware-hash.yaml b/file/malware/hash/oilrig-malware-hash.yaml index cbd6353198..3317cdbd78 100644 --- a/file/malware/hash/oilrig-malware-hash.yaml +++ b/file/malware/hash/oilrig-malware-hash.yaml 
@@ -14,32 +14,32 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'" - - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'" - - "sha256(raw) == '662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f'" - - "sha256(raw) == '903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996'" - - "sha256(raw) == 'c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da'" - - "sha256(raw) == '57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4'" - - "sha256(raw) == '1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1'" - - "sha256(raw) == '9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777'" - - "sha256(raw) == '0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e'" - - "sha256(raw) == '4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281'" - - "sha256(raw) == '4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353'" - - "sha256(raw) == 'c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51'" - - "sha256(raw) == 'f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2'" - - "sha256(raw) == '0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39'" - - "sha256(raw) == 'd874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d'" - - "sha256(raw) == '8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9'" - - "sha256(raw) == '55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579'" - - "sha256(raw) == '528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b'" - - "sha256(raw) == '93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0'" - - "sha256(raw) == 'e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa'" - - "sha256(raw) == '9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471'" - - "sha256(raw) == 
'a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064'" - - "sha256(raw) == '3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff'" - - "sha256(raw) == '3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4'" - - "sha256(raw) == 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'" + - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'" + - "sha256(raw) == '662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f'" + - "sha256(raw) == '903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996'" + - "sha256(raw) == 'c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da'" + - "sha256(raw) == '57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4'" + - "sha256(raw) == '1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1'" + - "sha256(raw) == '9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777'" + - "sha256(raw) == '0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e'" + - "sha256(raw) == '4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281'" + - "sha256(raw) == '4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353'" + - "sha256(raw) == 'c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51'" + - "sha256(raw) == 'f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2'" + - "sha256(raw) == '0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39'" + - "sha256(raw) == 'd874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d'" + - "sha256(raw) == '8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9'" + - "sha256(raw) == '55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579'" + - "sha256(raw) == '528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b'" + - "sha256(raw) == 
'93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0'" + - "sha256(raw) == 'e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa'" + - "sha256(raw) == '9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471'" + - "sha256(raw) == 'a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064'" + - "sha256(raw) == '3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff'" + - "sha256(raw) == '3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4'" + - "sha256(raw) == 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e'" + condition: or diff --git a/file/malware/hash/passcv-ntscan-malware-hash.yaml b/file/malware/hash/passcv-ntscan-malware-hash.yaml index 9fbb090bde..424537662c 100644 --- a/file/malware/hash/passcv-ntscan-malware-hash.yaml +++ b/file/malware/hash/passcv-ntscan-malware-hash.yaml @@ -13,7 +13,7 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'" + matchers: + - type: dsl + dsl: + - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'" \ No newline at end of file diff --git a/file/malware/hash/passcv-sabre-malware-hash.yaml b/file/malware/hash/passcv-sabre-malware-hash.yaml index 9a3a004ed8..5fddb23e59 100644 --- a/file/malware/hash/passcv-sabre-malware-hash.yaml +++ b/file/malware/hash/passcv-sabre-malware-hash.yaml 
@@ -14,16 +14,16 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'" - - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'" - - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'" - - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'" - - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'" - - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'" - - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'" - - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'" - - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'" + - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'" + - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'" + - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'" + - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'" + - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'" + - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'" + - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'" + - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'" + condition: or diff --git a/file/malware/hash/passcv-signingcert-malware-hash.yaml b/file/malware/hash/passcv-signingcert-malware-hash.yaml index 29dd4de59e..0557ab8fe3 100644 --- a/file/malware/hash/passcv-signingcert-malware-hash.yaml 
+++ b/file/malware/hash/passcv-signingcert-malware-hash.yaml @@ -14,7 +14,7 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'" \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'" \ No newline at end of file diff --git a/file/malware/hash/petya-ransomware-hash.yaml b/file/malware/hash/petya-ransomware-hash.yaml index c365c43943..6ffd292b58 100644 --- a/file/malware/hash/petya-ransomware-hash.yaml +++ b/file/malware/hash/petya-ransomware-hash.yaml @@ -13,7 +13,7 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'" + matchers: + - type: dsl + dsl: + - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'" diff --git a/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml index 218921c76b..237d217ba2 100644 --- a/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml +++ b/file/malware/hash/poseidongroup-maldoc-malware-hash.yaml 
@@ -14,14 +14,14 @@ file: - doc - docx - matchers: - - type: dsl - dsl: - - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'" - - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'" - - "sha256(raw) == 'f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a'" - - "sha256(raw) == 'ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed'" - - "sha256(raw) == '27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778'" - - "sha256(raw) == '1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216'" - - "sha256(raw) == '0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'" + - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'" + - "sha256(raw) == 'f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a'" + - "sha256(raw) == 'ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed'" + - "sha256(raw) == '27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778'" + - "sha256(raw) == '1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216'" + - "sha256(raw) == '0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b'" + condition: or diff --git a/file/malware/hash/poseidongroup-malware-hash.yaml b/file/malware/hash/poseidongroup-malware-hash.yaml index c35c402241..9db84bd8ec 100644 --- a/file/malware/hash/poseidongroup-malware-hash.yaml +++ b/file/malware/hash/poseidongroup-malware-hash.yaml 
@@ -13,14 +13,14 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'" - - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'" - - "sha256(raw) == '432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61'" - - "sha256(raw) == '8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47'" - - "sha256(raw) == 'd090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f'" - - "sha256(raw) == 'd7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb'" - - "sha256(raw) == 'ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'" + - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'" + - "sha256(raw) == '432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61'" + - "sha256(raw) == '8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47'" + - "sha256(raw) == 'd090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f'" + - "sha256(raw) == 'd7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb'" + - "sha256(raw) == 'ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3'" + condition: or diff --git a/file/malware/hash/purplewave-malware-hash.yaml b/file/malware/hash/purplewave-malware-hash.yaml index 6ee8e00cd5..f9bbc2d775 100644 --- a/file/malware/hash/purplewave-malware-hash.yaml +++ b/file/malware/hash/purplewave-malware-hash.yaml 
@@ -12,16 +12,16 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'" - - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'" - - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'" - - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'" - - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'" - - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'" - - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'" - - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'" - - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'" + - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'" + - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'" + - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'" + - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'" + - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'" + - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'" + - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'" + - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'" + condition: or diff --git a/file/malware/hash/red-leaves-malware-hash.yaml b/file/malware/hash/red-leaves-malware-hash.yaml index 6a5eef6859..56146d3ac9 100644 --- a/file/malware/hash/red-leaves-malware-hash.yaml +++ b/file/malware/hash/red-leaves-malware-hash.yaml 
@@ -14,7 +14,7 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'" \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'" \ No newline at end of file diff --git a/file/malware/hash/revil-ransomware-hash.yaml b/file/malware/hash/revil-ransomware-hash.yaml index 2e441956a5..bbeb49e3a9 100644 --- a/file/malware/hash/revil-ransomware-hash.yaml +++ b/file/malware/hash/revil-ransomware-hash.yaml @@ -14,10 +14,10 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'" - - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'" - - "sha256(raw) == 'ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'" + - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'" + - "sha256(raw) == 'ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4'" + condition: or diff --git a/file/malware/hash/rokrat-malware-hash.yaml b/file/malware/hash/rokrat-malware-hash.yaml index f28b8b56a2..fc25dcc792 100644 --- a/file/malware/hash/rokrat-malware-hash.yaml +++ b/file/malware/hash/rokrat-malware-hash.yaml @@ -14,7 +14,7 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'" \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'" \ No newline at end of file diff --git a/file/malware/hash/sauron-malware-hash.yaml b/file/malware/hash/sauron-malware-hash.yaml index 5f5b46eeb3..00d6694701 100644 
--- a/file/malware/hash/sauron-malware-hash.yaml +++ b/file/malware/hash/sauron-malware-hash.yaml @@ -13,14 +13,14 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'" - - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'" - - "sha256(raw) == 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec'" - - "sha256(raw) == 'e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57'" - - "sha256(raw) == '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8'" - - "sha256(raw) == '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca'" - - "sha256(raw) == '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'" + - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'" + - "sha256(raw) == 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec'" + - "sha256(raw) == 'e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57'" + - "sha256(raw) == '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8'" + - "sha256(raw) == '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca'" + - "sha256(raw) == '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd'" + condition: or diff --git a/file/malware/hash/seaduke-malware-hash.yaml b/file/malware/hash/seaduke-malware-hash.yaml index 4b7f2f119e..ea230ee435 100644 --- a/file/malware/hash/seaduke-malware-hash.yaml +++ b/file/malware/hash/seaduke-malware-hash.yaml 
@@ -12,7 +12,7 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'" \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'" \ No newline at end of file diff --git a/file/malware/hash/sfx1-malware-hash.yaml b/file/malware/hash/sfx1-malware-hash.yaml index c763fff943..2644b8af66 100644 --- a/file/malware/hash/sfx1-malware-hash.yaml +++ b/file/malware/hash/sfx1-malware-hash.yaml @@ -13,9 +13,9 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'" - - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'" + - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'" + condition: or diff --git a/file/malware/hash/sfxrar-acrotray-malware-hash.yaml b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml index c0d5f62dd4..4d81949cbe 100644 --- a/file/malware/hash/sfxrar-acrotray-malware-hash.yaml +++ b/file/malware/hash/sfxrar-acrotray-malware-hash.yaml 
@@ -12,10 +12,10 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'" - - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'" - - "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'" - condition: or \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'" + - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'" + - "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'" + condition: or \ No newline at end of file diff --git a/file/malware/hash/sofacy-Winexe-malware-hash.yaml b/file/malware/hash/sofacy-Winexe-malware-hash.yaml index 0306f2f9de..db4db62626 100644 --- a/file/malware/hash/sofacy-Winexe-malware-hash.yaml +++ b/file/malware/hash/sofacy-Winexe-malware-hash.yaml @@ -14,7 +14,7 @@ file: - extensions: - exe - matchers: - - type: dsl - dsl: - - "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'" + matchers: + - type: dsl + dsl: + - "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'" diff --git a/file/malware/hash/sofacy-bundestag-malware-hash.yaml b/file/malware/hash/sofacy-bundestag-malware-hash.yaml index 40d4c6ae20..30a09f0a27 100644 --- a/file/malware/hash/sofacy-bundestag-malware-hash.yaml +++ b/file/malware/hash/sofacy-bundestag-malware-hash.yaml 
@@ -14,9 +14,9 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'" - - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'" + - "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'" + condition: or diff --git a/file/malware/hash/sofacy-fybis-malware-hash.yaml b/file/malware/hash/sofacy-fybis-malware-hash.yaml index bce5e40be5..16b7ef433c 100644 --- a/file/malware/hash/sofacy-fybis-malware-hash.yaml +++ b/file/malware/hash/sofacy-fybis-malware-hash.yaml @@ -12,10 +12,10 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'" - - "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'" - - "sha256(raw) == 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'" + - "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'" + - "sha256(raw) == 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61'" + condition: or diff --git a/file/malware/hash/tidepool-malware-hash.yaml b/file/malware/hash/tidepool-malware-hash.yaml index 8cf1c20e7f..ca7773b2b2 100644 --- a/file/malware/hash/tidepool-malware-hash.yaml +++ b/file/malware/hash/tidepool-malware-hash.yaml 
@@ -14,11 +14,11 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'" - - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'" - - "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'" - - "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'" + - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'" + - "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'" + - "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'" + condition: or diff --git a/file/malware/hash/turla-malware-hash.yaml b/file/malware/hash/turla-malware-hash.yaml index 831b2188c4..4ec1736272 100644 --- a/file/malware/hash/turla-malware-hash.yaml +++ b/file/malware/hash/turla-malware-hash.yaml 
@@ -13,17 +13,17 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'" - - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'" - - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'" - - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'" - - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'" - - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'" - - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'" - - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'" - - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'" - - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'" - condition: or \ No newline at end of file + matchers: + - type: dsl + dsl: + - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'" + - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'" + - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'" + - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'" + - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'" + - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'" + - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'" + - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'" + - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'" + - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'" + condition: or \ No newline at end of file 
diff --git a/file/malware/hash/unit78020-malware-hash.yaml b/file/malware/hash/unit78020-malware-hash.yaml index a380d5a7d9..2eca3c4596 100644 --- a/file/malware/hash/unit78020-malware-hash.yaml +++ b/file/malware/hash/unit78020-malware-hash.yaml @@ -14,13 +14,13 @@ file: - extensions: - all - matchers: - - type: dsl - dsl: - - "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'" - - "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'" - - "sha256(raw) == '2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac'" - - "sha256(raw) == '5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2'" - - "sha256(raw) == '7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af'" - - "sha256(raw) == '88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790'" - condition: or + matchers: + - type: dsl + dsl: + - "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'" + - "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'" + - "sha256(raw) == '2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac'" + - "sha256(raw) == '5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2'" + - "sha256(raw) == '7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af'" + - "sha256(raw) == '88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790'" + condition: or diff --git a/file/malware/hash/wildneutron-malware-hash.yaml b/file/malware/hash/wildneutron-malware-hash.yaml index ef44dc7f11..3fa705a81e 100644 --- a/file/malware/hash/wildneutron-malware-hash.yaml +++ b/file/malware/hash/wildneutron-malware-hash.yaml 
@@ -14,18 +14,18 @@ file:
 - extensions:
 - all
 
- matchers:
- - type: dsl
- dsl:
- - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
- - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"
- - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'"
- - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'"
- - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'"
- - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'"
- - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
- - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'"
- - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'"
- - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
- - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'"
- condition: or
\ No newline at end of file
+ matchers:
+ - type: dsl
+ dsl:
+ - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
+ - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"
+ - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'"
+ - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'"
+ - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'"
+ - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'"
+ - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
+ - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'"
+ - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'"
+ - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
+ - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'"
+ condition: or
\ No newline at end of file

From 8bdeeef48e09831c36695f53c35c81e2d56bb4a8 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 20 Jun 2024 18:52:40 +0530
Subject: [PATCH 8/8] indent -fix

---
 file/malware/hash/codoso-pgv-malware-hash.yaml | 2 +-
 file/malware/hash/petya-ransomware-hash.yaml | 2 +-
 file/malware/hash/rokrat-malware-hash.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/file/malware/hash/codoso-pgv-malware-hash.yaml b/file/malware/hash/codoso-pgv-malware-hash.yaml
index 59c7269679..f94d77ca43 100644
--- a/file/malware/hash/codoso-pgv-malware-hash.yaml
+++ b/file/malware/hash/codoso-pgv-malware-hash.yaml
@@ -12,7 +12,7 @@ info:
 
 file:
 - extensions:
- - all
+ - all
 
 matchers:
 - type: dsl
diff --git a/file/malware/hash/petya-ransomware-hash.yaml b/file/malware/hash/petya-ransomware-hash.yaml
index 6ffd292b58..54648fae7f 100644
--- a/file/malware/hash/petya-ransomware-hash.yaml
+++ b/file/malware/hash/petya-ransomware-hash.yaml
@@ -11,7 +11,7 @@ tags: ransomware,malware
 
 file:
 - extensions:
- - all
+ - all
 
 matchers:
 - type: dsl
diff --git a/file/malware/hash/rokrat-malware-hash.yaml b/file/malware/hash/rokrat-malware-hash.yaml
index fc25dcc792..24e6390883 100644
--- a/file/malware/hash/rokrat-malware-hash.yaml
+++ b/file/malware/hash/rokrat-malware-hash.yaml
@@ -12,7 +12,7 @@ info:
 
 file:
 - extensions:
- - all
+ - all
 
 matchers:
 - type: dsl
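Review bot: The re-indented dsl list in wildneutron-malware-hash.yaml still contains `758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92` twice (the 7th and 10th entries), which with `condition: or` adds no detection and most likely means one of the eleven intended WildNeutron indicators was lost to a copy-paste error. Either drop the second occurrence or replace it with the hash it was meant to carry after re-checking the source report, and consider a short `# source: <reference>` comment above the list so the set can be audited later. This hunk only changes whitespace, so the duplicate predates the commit; the enclosing `file:` entry's `info` block is outside the hunk.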
