commit
d20609701f
|
@ -0,0 +1,21 @@
|
||||||
|
id: anthem-deeppanda-malware-hash
|
||||||
|
info:
|
||||||
|
name: Anthem DeepPanda Trojan Kakfum Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll
|
||||||
|
reference:
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_DeepPanda_Anthem.yar
|
||||||
|
tags: malware,deeppanda
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2'"
|
||||||
|
- "sha256(raw) == 'c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f'"
|
||||||
|
condition: or
|
|
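Review bot: The description (`Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll`) is the sample label carried over from the source YARA rule rather than a statement of what this template reports; `description: Detects Trojan.Kakfum (sqlsrv32.dll) samples linked to the Anthem breach by SHA-256 hash` tells an operator what a hit means. With `extensions: - all` every file under the target is read and hashed once per `dsl` expression, so an explicit `max-size` on the file request is worth considering to bound the work done on very large files.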
@ -0,0 +1,23 @@
|
||||||
|
id: applejeus-malware-hash
|
||||||
|
info:
|
||||||
|
name: AppleJeus Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: Detects AppleJeus DLL samples
|
||||||
|
reference:
|
||||||
|
- https://github.com/volexity/threat-intel/blob/main/2022/2022-12-01%20Buyer%20Beware%20-%20Fake%20Cryptocurrency%20Applications%20Serving%20as%20Front%20for%20AppleJeus%20Malware/yara.yar
|
||||||
|
tags: malware,lazarus
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '82e67114d632795edf29ce1d50a4c1c444846d9e16cd121ce26e63c8dc4a1629'"
|
||||||
|
- "sha256(raw) == '9352625b3e6a3c998e328e11ad43efb5602fe669aed9c9388af5f55fadfedc78'"
|
||||||
|
- "sha256(raw) == 'a0db8f8f13a27df1eacbc01505f311f6b14cf9b84fbc7e84cb764a13f001dbbb'"
|
||||||
|
- "sha256(raw) == 'a241b6611afba8bb1de69044115483adb74f66ab4a80f7423e13c652422cb379'"
|
||||||
|
- "sha256(raw) == '17e6189c19dedea678969e042c64de2a51dd9fba69ff521571d63fd92e48601b'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,18 @@
|
||||||
|
id: avburner-malware-hash
|
||||||
|
info:
|
||||||
|
name: AVBurner Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: Detects AVBurner based on a combination of API calls used, hard-coded strings, and bytecode patterns
|
||||||
|
reference:
|
||||||
|
- https://github.com/volexity/threat-intel/blob/main/2023/2023-03-07%20AVBurner/yara.yar
|
||||||
|
tags: malware,snakecharmer
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '4b1b1a1293ccd2c0fd51075de9376ebb55ab64972da785153fcb0a4eb523a5eb'"
|
|
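Review bot: The description `Detects AVBurner based on a combination of API calls used, hard-coded strings, and bytecode patterns` describes the YARA rule this was derived from, not this template, which only compares the file's SHA-256 against a single hash; `description: Detects a known AVBurner sample by SHA-256 hash` states what the matcher actually does. The same carried-over wording appears in blackenergy-ssh-malware-hash (`Detects the password of the backdoored DropBear SSH Server`) and disgomoji-malware-hash (`based on strings in the ELF`), neither of which inspects passwords or strings either, and both should be reworded the same way.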
@ -0,0 +1,28 @@
|
||||||
|
id: backwash-malware-hash
|
||||||
|
info:
|
||||||
|
name: Backwash Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
CPP loader for the Backwash malware.
|
||||||
|
reference:
|
||||||
|
- https://github.com/volexity/threat-intel/blob/main/2021/2021-12-06%20-%20XEGroup/indicators/yara.yar
|
||||||
|
- https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/
|
||||||
|
tags: malware,xegroup
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '0cf93de64aa4dba6cec99aa5989fc9c5049bc46ca5f3cb327b49d62f3646a852'"
|
||||||
|
- "sha256(raw) == '21683e02e11c166d0cf616ff9a1a4405598db7f4adfc87b205082ae94f83c742'"
|
||||||
|
- "sha256(raw) == '6f44a9c13459533a1f3e0b0e698820611a18113c851f763797090b8be64fd9d5'"
|
||||||
|
- "sha256(raw) == '92f9593cfa0a28951cae36755d54de63631377f1b954a4cb0474fa0b6193c537'"
|
||||||
|
- "sha256(raw) == '815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f'"
|
||||||
|
- "sha256(raw) == '72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911'"
|
||||||
|
- "sha256(raw) == '4d913ecb91bf32fd828d2153342f5462ae6b84c1a5f256107efc88747f7ba16c'"
|
||||||
|
- "sha256(raw) == '98e39573a3d355d7fdf3439d9418fdbf4e42c2e03051b5313d5c84f3df485627'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,26 @@
|
||||||
|
id: blackenergy-driver-amdide-hash
|
||||||
|
info:
|
||||||
|
name: Blackenergy-Driver Amdide Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Detects the AMDIDE driver from BlackEnergy malware
|
||||||
|
reference:
|
||||||
|
- http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
|
||||||
|
tag: malware,blackenergy
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'"
|
||||||
|
- "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'"
|
||||||
|
- "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'"
|
||||||
|
- "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'"
|
||||||
|
- "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'"
|
||||||
|
- "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'"
|
||||||
|
- "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'"
|
||||||
|
condition: or
|
|
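Review bot: The info block uses `tag:` where every other template in this commit uses `tags:`, so this looks like a typo; a strict template loader would reject the unknown field, and a lenient one would leave the template with no tags so that `-tags blackenergy` never selects it. Change `tag: malware,blackenergy` to `tags: malware,blackenergy`.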
@ -0,0 +1,26 @@
|
||||||
|
id: blackenergy-driver-malware-hash
|
||||||
|
info:
|
||||||
|
name: BlackEnergy Driver USBMDM Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: Auto-generated rule - detects BlackEnergy Driver USBMDM malware
|
||||||
|
reference:
|
||||||
|
- http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry
|
||||||
|
tags: malware,blackenergy
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094'"
|
||||||
|
- "sha256(raw) == 'b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a'"
|
||||||
|
- "sha256(raw) == 'edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281'"
|
||||||
|
- "sha256(raw) == 'ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc'"
|
||||||
|
- "sha256(raw) == '7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291'"
|
||||||
|
- "sha256(raw) == '405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5'"
|
||||||
|
- "sha256(raw) == '244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5'"
|
||||||
|
- "sha256(raw) == 'edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf'"
|
||||||
|
condition: or
|
|
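Review bot: The description `Auto-generated rule - detects BlackEnergy Driver USBMDM malware` keeps the generator preamble from the source YARA rule, which says nothing about this template. `description: Detects the USBMDM driver from BlackEnergy malware by SHA-256 hash` would match the wording of the sibling amdide template and drop the leftover.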
@ -0,0 +1,22 @@
|
||||||
|
id: blackenergy-killdisk-malware-hash
|
||||||
|
info:
|
||||||
|
name: BlackEnergy KillDisk Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: Detects KillDisk malware from BlackEnergy
|
||||||
|
reference:
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
|
||||||
|
tags: malware,blackenergy
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80'"
|
||||||
|
- "sha256(raw) == '5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6'"
|
||||||
|
- "sha256(raw) == 'c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d'"
|
||||||
|
- "sha256(raw) == 'f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,18 @@
|
||||||
|
id: blackenergy-ssh-malware-hash
|
||||||
|
info:
|
||||||
|
name: BlackEnergy BackdoorPass DropBear SSH Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: Detects the password of the backdoored DropBear SSH Server - BlackEnergy
|
||||||
|
reference:
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
|
||||||
|
tags: malware,blackenergy
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd'"
|
|
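Review bot: The single hash in this template (`0969daac4adc84ab…94a161cd`) is also the second entry of blackenergy-vbs-malware-hash, so one matching file raises two findings under two different names, and the same bytes are unlikely to be both a DropBear SSH server binary and the `Dropbearrun.vbs` agent that template describes. Unless the source rules really attach this hash to both, keep it in one template only; dropping it from the VBS template looks safer since that one still keeps a hash of its own.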
@ -0,0 +1,20 @@
|
||||||
|
id: blackenergy-vbs-malware-hash
|
||||||
|
info:
|
||||||
|
name: BlackEnergy VBS Agent Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs
|
||||||
|
reference:
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Blackenergy.yar
|
||||||
|
tags: malware,blackenergy
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == 'b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f'"
|
||||||
|
- "sha256(raw) == '0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,21 @@
|
||||||
|
id: bluelight-malware-hash
|
||||||
|
info:
|
||||||
|
name: bluelight Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: North Korean origin malware which uses a custom Google App for C2 communications.
|
||||||
|
reference:
|
||||||
|
- https://github.com/volexity/threat-intel/blob/main/2021/2021-08-17%20-%20InkySquid%20Part%201/indicators/yara.yar
|
||||||
|
tags: malware,inkysquid
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed'"
|
||||||
|
- "sha256(raw) == '7c40019c1d4cef2ffdd1dd8f388aaba537440b1bffee41789c900122d075a86d'"
|
||||||
|
- "sha256(raw) == '94b71ee0861cc7cfbbae53ad2e411a76f296fd5684edf6b25ebe79bf6a2a600a'"
|
||||||
|
condition: or
|
|
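Review bot: `name: bluelight Malware Hash - Detect` is the only template name in this commit that is not capitalised, so it reads and sorts differently from its siblings in template listings. `name: Bluelight Malware Hash - Detect` (or the vendor's `BLUELIGHT`) keeps the naming consistent.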
@ -0,0 +1,33 @@
|
||||||
|
id: bluetermite-emdivi-malware-hash
|
||||||
|
info:
|
||||||
|
name: Bluetermite Emdivi Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Bluetermite_Emdivi.yar
|
||||||
|
- https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/
|
||||||
|
tags: malware,bluetermite
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'"
|
||||||
|
- "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'"
|
||||||
|
- "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'"
|
||||||
|
- "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'"
|
||||||
|
- "sha256(raw) == '9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1'"
|
||||||
|
- "sha256(raw) == 'a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012'"
|
||||||
|
- "sha256(raw) == '9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4'"
|
||||||
|
- "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'"
|
||||||
|
- "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'"
|
||||||
|
- "sha256(raw) == '008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e'"
|
||||||
|
- "sha256(raw) == '17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24'"
|
||||||
|
- "sha256(raw) == '3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1'"
|
||||||
|
- "sha256(raw) == '6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662'"
|
||||||
|
- "sha256(raw) == '90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86'"
|
||||||
|
- "sha256(raw) == 'a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d'"
|
||||||
|
condition: or
|
|
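Review bot: Six of the fifteen `dsl` expressions repeat an earlier one — `17e646ca…`, `3553c136…`, `6a331c4e…`, `90d07ea2…`, `008f4f14…` and `a94bf485…` each appear twice — so every scanned file pays for redundant SHA-256 comparisons and, depending on how the engine treats identical expressions, a hit may be reported more than once; the list should be deduplicated to its nine distinct hashes. The same duplication is present in cloudduke-malware-hash (eight of fifteen entries are repeats), codoso-pgv-malware-hash, codoso-plugx-malware-hash (`74e1e83a…` three times), dubnium-malware-hash (`5246899b…` four times, twelve repeats in all) and evilbamboo-malware-hash (three repeats). This template also has no `description`, as is the case for bluetermite-emdivi-sfx-hash, charmingcypress-malware-hash, cheshirecat-malware-hash, cloudduke-malware-hash and codoso-gh0st-malware; a one-liner such as `description: Detects Emdivi backdoor samples used by Blue Termite by SHA-256 hash` would do.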
@ -0,0 +1,20 @@
|
||||||
|
id: bluetermite-emdivi-sfx-hash
|
||||||
|
info:
|
||||||
|
name: Bluetermite Emdivi SFX Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Bluetermite_Emdivi.yar
|
||||||
|
tags: malware,bluetermite
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196'"
|
||||||
|
- "sha256(raw) == '8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,17 @@
|
||||||
|
id: charmingcypress-malware-hash
|
||||||
|
info:
|
||||||
|
name: CharmingCypress Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/volexity/threat-intel/blob/main/2024/2024-02-13%20CharmingCypress/rules.yar
|
||||||
|
tags: malware,cypress
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == 'fdc5d6caaaa4fb14e62bd42544e8bb8e9b02220e687d5936a6838a7115334c51'"
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: cheshirecat-malware-hash
|
||||||
|
info:
|
||||||
|
name: CheshireCat Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_CheshireCat.yar
|
||||||
|
tags: malware,apt
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300'"
|
||||||
|
- "sha256(raw) == '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a'"
|
||||||
|
- "sha256(raw) == '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb'"
|
||||||
|
- "sha256(raw) == 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: cloudduke-malware-hash
|
||||||
|
info:
|
||||||
|
name: CloudDuke Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://www.f-secure.com/weblog/archives/00002822.html
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Cloudduke.yar
|
||||||
|
tags: malware,apt
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
|
||||||
|
- "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
|
||||||
|
- "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'"
|
||||||
|
- "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
|
||||||
|
- "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'"
|
||||||
|
- "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
|
||||||
|
- "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
|
||||||
|
- "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
|
||||||
|
- "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
|
||||||
|
- "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
|
||||||
|
- "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
|
||||||
|
- "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
|
||||||
|
- "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
|
||||||
|
- "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
|
||||||
|
- "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: codoso-gh0st-malware
|
||||||
|
info:
|
||||||
|
name: Codoso APT Gh0st Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
|
||||||
|
tags: malware,apt,codoso
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == 'bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd'"
|
||||||
|
- "sha256(raw) == '5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841'"
|
||||||
|
- "sha256(raw) == '7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8'"
|
||||||
|
- "sha256(raw) == 'd7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297'"
|
||||||
|
condition: or
|
|
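Review bot: `id: codoso-gh0st-malware` is the only id in this commit without a `-hash` suffix, while its sibling templates are `codoso-malware-hash`, `codoso-pgv-malware-hash` and `codoso-plugx-malware-hash`; the id is what operators filter on, so the inconsistency makes this one easy to miss. `id: codoso-gh0st-malware-hash` keeps the family together.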
@ -0,0 +1,26 @@
|
||||||
|
id: codoso-malware-hash
|
||||||
|
info:
|
||||||
|
name: Codoso APT Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Detects Codoso APT Malware.
|
||||||
|
reference:
|
||||||
|
- https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
|
||||||
|
tags: malware,apt,codoso
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'"
|
||||||
|
- "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'"
|
||||||
|
- "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'"
|
||||||
|
- "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'"
|
||||||
|
- "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'"
|
||||||
|
- "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: codoso-pgv-malware-hash
|
||||||
|
info:
|
||||||
|
name: Codoso APT PGV_PVID Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Detects Codoso APT PGV_PVID Malware.
|
||||||
|
reference:
|
||||||
|
- https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
|
||||||
|
tags: malware,apt,codoso
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
|
||||||
|
- "sha256(raw) == '13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75'"
|
||||||
|
- "sha256(raw) == 'bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe'"
|
||||||
|
- "sha256(raw) == '4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: codoso-plugx-malware-hash
|
||||||
|
info:
|
||||||
|
name: Codoso APT PlugX Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Detects Codoso APT PlugX Malware.
|
||||||
|
reference:
|
||||||
|
- https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
|
||||||
|
tags: malware,apt,codoso
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
|
||||||
|
- "sha256(raw) == 'b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb'"
|
||||||
|
- "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
|
||||||
|
- "sha256(raw) == '74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,18 @@
|
||||||
|
id: disgomoji-malware-hash
|
||||||
|
info:
|
||||||
|
name: DISGOMOJI Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: Detects DISGOMOJI modules based on strings in the ELF.
|
||||||
|
reference:
|
||||||
|
- https://github.com/volexity/threat-intel/blob/main/2024/2024-06-13%20DISGOMOJI/indicators/rules.yar
|
||||||
|
tags: malware,disgomoji
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '2abaae4f6794131108adf5b42e09ee5ce24769431a0e154feabe6052cfe70bf3'"
|
|
@ -0,0 +1,44 @@
|
||||||
|
id: dubnium-malware-hash
|
||||||
|
info:
|
||||||
|
name: Dubnium Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Detects sample mentioned in the Dubnium Report
|
||||||
|
reference:
|
||||||
|
- https://goo.gl/AW9Cuu
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Dubnium.yar
|
||||||
|
tags: malware,dubnium
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
|
||||||
|
- "sha256(raw) == 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8'"
|
||||||
|
- "sha256(raw) == 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5'"
|
||||||
|
- "sha256(raw) == 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827'"
|
||||||
|
- "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
|
||||||
|
- "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
|
||||||
|
- "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
|
||||||
|
- "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
|
||||||
|
- "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
|
||||||
|
- "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
|
||||||
|
- "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
|
||||||
|
- "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
|
||||||
|
- "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
|
||||||
|
- "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
|
||||||
|
- "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
|
||||||
|
- "sha256(raw) == '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba'"
|
||||||
|
- "sha256(raw) == '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
|
||||||
|
- "sha256(raw) == '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
|
||||||
|
- "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
|
||||||
|
- "sha256(raw) == '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b'"
|
||||||
|
- "sha256(raw) == '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0'"
|
||||||
|
- "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
|
||||||
|
- "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
|
||||||
|
- "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
|
||||||
|
condition: or
|
|
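Review bot: `https://goo.gl/AW9Cuu` is a URL shortener, not a stable reference: it hides the destination from the reader and Google has announced the shutdown of goo.gl short links, so the reference should be replaced with the resolved URL (the Yara-Rules file cited on the next line should carry the original link). emissary-malware-hash has the same issue with `http://goo.gl/V0epcf`.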
@ -0,0 +1,26 @@
|
||||||
|
id: dubnium-sshopenssl-malware-hash
|
||||||
|
info:
|
||||||
|
name: Dubnium Sample SSHOpenSSL Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Detects sample mentioned in the Dubnium Report
|
||||||
|
reference:
|
||||||
|
- https://goo.gl/AW9Cuu
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Dubnium.yar
|
||||||
|
tags: malware,Dubnium,apt
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b'"
|
||||||
|
- "sha256(raw) == 'feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8'"
|
||||||
|
- "sha256(raw) == '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf'"
|
||||||
|
- "sha256(raw) == 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f'"
|
||||||
|
- "sha256(raw) == 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9'"
|
||||||
|
- "sha256(raw) == 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b'"
|
||||||
|
condition: or
|
|
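Review bot: The first two expressions can never match: `6f0b05d5e8546ab1…d5a4c06b` and `feaad03f6c0b57f5…344fb4e8` are 63 hex characters, while `sha256(raw)` always yields 64, so the comparison is false for every file. They are the dubnium-malware-hash entries `16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b` and `1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8` with the leading `1` dropped, so restoring that character is the likely fix, assuming the longer form is what the source rule carries. All six hashes in this template also appear in dubnium-malware-hash, so a hit produces two findings; if the SSHOpenSSL split is intentional, the shared entries should be removed from one of the two. Separately, `tags: malware,Dubnium,apt` is the only mixed-case tag list in the commit and the engine's tag matching may be case-sensitive, so `tags: malware,dubnium,apt` is safer.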
@ -0,0 +1,33 @@
|
||||||
|
id: emissary-malware-hash
|
||||||
|
info:
|
||||||
|
name: Emissary APT Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll
|
||||||
|
reference:
|
||||||
|
- http://goo.gl/V0epcf
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Emissary.yar
|
||||||
|
tags: malware,emissary,apt
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab'"
|
||||||
|
- "sha256(raw) == '70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629'"
|
||||||
|
- "sha256(raw) == '0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290'"
|
||||||
|
- "sha256(raw) == '69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664'"
|
||||||
|
- "sha256(raw) == '675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc'"
|
||||||
|
- "sha256(raw) == 'e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b'"
|
||||||
|
- "sha256(raw) == 'a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8'"
|
||||||
|
- "sha256(raw) == 'acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9'"
|
||||||
|
- "sha256(raw) == 'e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d'"
|
||||||
|
- "sha256(raw) == 'e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538'"
|
||||||
|
- "sha256(raw) == '29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051'"
|
||||||
|
- "sha256(raw) == '98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0'"
|
||||||
|
- "sha256(raw) == 'fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: evilbamboo-malware-hash
|
||||||
|
info:
|
||||||
|
name: EvilBamboo Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Detection of the BADSOLAR and BADBAZAAR data collection files, which are shared by both malware families.
|
||||||
|
reference:
|
||||||
|
- https://github.com/volexity/threat-intel/blob/main/2023/2023-09-22%20EvilBamboo/indicators/rules.yar
|
||||||
|
- https://www.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine
|
||||||
|
tags: malware,evilbamboo
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'"
|
||||||
|
- "sha256(raw) == 'bf5f7fbf42236e89bcf663d2822d54bee89abaf3f247a54f371bf156e0e03629'"
|
||||||
|
- "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'"
|
||||||
|
- "sha256(raw) == 'f7132750db2a8ca8eb9e9e5a32377aa506395d02bacbb918f835041f5f035c4c'"
|
||||||
|
- "sha256(raw) == 'daf3d2cb6f1bbb7c8d1cfb5fc0db23afc304a622ebb24aa940228be691bcda2b'"
|
||||||
|
- "sha256(raw) == '549d726fe2b775cfdd1304c2d689dfd779731336a3143225dc3c095440f69ed0'"
|
||||||
|
- "sha256(raw) == '0fea799ce00c7d6f26ccb52a2ecbe6b9605cfb9910f2a309a841caedf3b102d7'"
|
||||||
|
- "sha256(raw) == 'f0bf154d1e90491199b66ab95c1a4071669f3322c55f3643e36c20a9fb63eb56'"
|
||||||
|
- "sha256(raw) == '549d726fe2b775cfdd1304c2d689dfd779731336a3143225dc3c095440f69ed0'"
|
||||||
|
- "sha256(raw) == '6aefc2b33e23f6e3c96de51d07f7123bd23ff951d67849a9bd32d446e76fb405'"
|
||||||
|
- "sha256(raw) == 'bf5f7fbf42236e89bcf663d2822d54bee89abaf3f247a54f371bf156e0e03629'"
|
||||||
|
- "sha256(raw) == 'fa9154eaa3df4ff4464b21c45362fd1c7fb5e68108ab350c05f2ca9f60263988'"
|
||||||
|
- "sha256(raw) == 'c5e8476fc6938a36438a433b48e80213e2251b1d4b20a9469912d628a86198b3'"
|
||||||
|
- "sha256(raw) == '28560642fe99b3e611510f5559a12eb41112f3e2b3005432f7343cb79ff47a34'"
|
||||||
|
- "sha256(raw) == '7995c382263f8dbbfc37a9d62392aef8b4f89357d436b3dd94dea842f9574ecf'"
|
||||||
|
- "sha256(raw) == 'efea95720853e0cd2d9d4e93a64a726cfe17efea7b17af7c4ae6d3a6acae5b30'"
|
||||||
|
condition: or
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: fakem-malware-hash
|
||||||
|
info:
|
||||||
|
name: FakeM_Generic Malware Hash - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Detects FakeM malware samples
|
||||||
|
reference:
|
||||||
|
- http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/
|
||||||
|
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FakeM.yar
|
||||||
|
tags: malware,apt,fakem
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "sha256(raw) == '631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3'"
|
||||||
|
- "sha256(raw) == '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520'"
|
||||||
|
- "sha256(raw) == '53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60'"
|
||||||
|
- "sha256(raw) == '4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3'"
|
||||||
|
- "sha256(raw) == '7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8'"
|
||||||
|
- "sha256(raw) == '12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d'"
|
||||||
|
- "sha256(raw) == '9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5'"
|
||||||
|
- "sha256(raw) == '3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90'"
|
||||||
|
- "sha256(raw) == '41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33'"
|
||||||
|
- "sha256(raw) == '53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e'"
|
||||||
|
- "sha256(raw) == '523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b'"
|
||||||
|
condition: or
|
|
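--- /dev/null
+++ b/PATH-NOT-SHOWN/flipflop-ldr-malware-hash
@@ -0,0 +1,21 @@
+id: flipflop-ldr-malware-hash
+info:
+  name: Flipflop Loader Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.
+  reference:
+    - https://github.com/volexity/threat-intel/blob/main/2021/2021-05-27%20-%20Suspected%20APT29%20Operation%20Launches%20Election%20Fraud%20Themed%20Phishing%20Campaigns/indicators/yara.yar
+  tags: malware,apt29,cobaltstrike
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330'"
+          - "sha256(raw) == 'b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c'"
+          - "sha256(raw) == 'ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c'"
+        condition: or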
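Review bot: The `description` value is a single line of roughly 170 characters, well past the usual YAML line-length limit; a folded block scalar keeps the runtime value identical while staying readable: `description: >-` followed by the sentence wrapped over two or three indented lines. The Sharpext template's description later in this commit has the same issue.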
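--- /dev/null
+++ b/PATH-NOT-SHOWN/furtim-malware-hash
@@ -0,0 +1,22 @@
+id: furtim-malware-hash
+info:
+  name: Furtim Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Furtim Parent Malware.
+  reference:
+    - https://sentinelone.com/blogs/sfg-furtims-parent/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_furtim.yar
+  tags: malware,apt,furtim
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963'"
+          - "sha256(raw) == '4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948'"
+        condition: or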
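--- /dev/null
+++ b/PATH-NOT-SHOWN/gimmick-malware-hash
@@ -0,0 +1,18 @@
+id: gimmick-malware-hash
+info:
+  name: GIMMICK Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects the macOS port of the GIMMICK malware.
+  reference:
+    - https://github.com/volexity/threat-intel/blob/main/2022/2022-03-22%20GIMMICK/indicators/yara.yar
+  tags: malware,stormcloud
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f'"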
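--- /dev/null
+++ b/PATH-NOT-SHOWN/godzilla-webshell-hash
@@ -0,0 +1,19 @@
+id: godzilla-webshell-hash
+info:
+  name: Godzilla Webshell Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects the JSP implementation of the Godzilla Webshell.
+  reference:
+    - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
+    - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
+  tags: malware,webshells
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe'"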
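--- /dev/null
+++ b/PATH-NOT-SHOWN/greenbug-malware-hash
@@ -0,0 +1,32 @@
+id: greenbug-malware-hash
+info:
+  name: Greenbug Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Malware from Greenbug Incident
+  reference:
+    - https://goo.gl/urp4CD
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Greenbug.yar
+  tags: malware,Greenbug
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76'"
+          - "sha256(raw) == '6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d'"
+          - "sha256(raw) == '21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685'"
+          - "sha256(raw) == '319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'"
+          - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
+          - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
+          - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
+          - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
+          - "sha256(raw) == '308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f'"
+          - "sha256(raw) == '44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49'"
+          - "sha256(raw) == '7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c'"
+          - "sha256(raw) == '82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9'"
+        condition: or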
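Review bot: The fourth DSL entry, `'319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6'`, is 63 hex characters long, so it can never equal a SHA-256 digest and that matcher is dead; the value should be re-checked against the referenced Yara rule and corrected or dropped. Four hashes are also listed twice (`44bdf526…`, `7f16824e…`, `308a646f…` and `82beaef4…` each appear in both halves of the list); the later copies add nothing under `condition: or` and should be removed. `https://goo.gl/urp4CD` is an opaque shortener link that may stop resolving, which also applies to the goo.gl references in the Industroyer, Iron Panda, Locky, Naikon, OilRig, Sauron and SeaDuke templates, where the canonical URL is preferable. Finally, `tags: malware,Greenbug` and `tags: malware,IronPanda` in the third Iron Panda template are the only mixed-case tags in this commit; the rest use lowercase.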
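--- /dev/null
+++ b/PATH-NOT-SHOWN/ico-malware-hash
@@ -0,0 +1,24 @@
+id: ico-malware-hash
+info:
+  name: ICO Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detection of malicious ICO files used in 3CX compromise
+  reference:
+    - https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/indicators/rules.yar
+  tags: malware,uta0040
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c'"
+          - "sha256(raw) == 'a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67'"
+          - "sha256(raw) == '8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423'"
+          - "sha256(raw) == 'f79c3b0adb6ec7bcc8bc9ae955a1571aaed6755a28c8b17b1d7595ee86840952'"
+          - "sha256(raw) == '7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896'"
+          - "sha256(raw) == 'aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868'"
+        condition: or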
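--- /dev/null
+++ b/PATH-NOT-SHOWN/industroyer-malware-hash
@@ -0,0 +1,28 @@
+id: industroyer-malware-hash
+info:
+  name: Industroyer Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects Industroyer related malware
+  reference:
+    - https://goo.gl/x81cSy
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Industroyer.yar
+  tags: malware,industroyer,apt
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910'"
+          - "sha256(raw) == '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81'"
+          - "sha256(raw) == '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571'"
+          - "sha256(raw) == '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4'"
+          - "sha256(raw) == 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77'"
+          - "sha256(raw) == '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47'"
+          - "sha256(raw) == '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f'"
+          - "sha256(raw) == '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561'"
+          - "sha256(raw) == '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad'"
+        condition: or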
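--- /dev/null
+++ b/PATH-NOT-SHOWN/ironpanda-htran-malware-hash
@@ -0,0 +1,20 @@
+id: ironpanda-htran-malware-hash
+info:
+  name: Iron Panda Malware Htran Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Iron Panda Malware Htran
+  reference:
+    - https://goo.gl/E4qia9
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Irontiger.yar
+  tags: malware,ironpanda
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7'"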
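--- /dev/null
+++ b/PATH-NOT-SHOWN/ironpanda-dnstunclient-malware-hash
@@ -0,0 +1,20 @@
+id: ironpanda-dnstunclient-malware-hash
+info:
+  name: Iron Panda malware DnsTunClient Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Iron Panda malware DnsTunClient - file named.exe
+  reference:
+    - https://goo.gl/E4qia9
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Irontiger.yar
+  tags: malware,ironpanda
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431'"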
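--- /dev/null
+++ b/PATH-NOT-SHOWN/ironpanda-malware-hash
@@ -0,0 +1,22 @@
+id: ironpanda-malware-hash
+info:
+  name: Iron Panda Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Iron Panda Malware
+  reference:
+    - https://goo.gl/E4qia9
+  tags: malware,IronPanda
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a'"
+          - "sha256(raw) == 'a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91'"
+          - "sha256(raw) == '5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742'"
+          - "sha256(raw) == '0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c'"
+        condition: or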
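--- /dev/null
+++ b/PATH-NOT-SHOWN/locky-ransomware-hash
@@ -0,0 +1,20 @@
+id: locky-ransomware-hash
+info:
+  name: Locky Ransomware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Locky Ransomware (matches also on Win32/Kuluoz)
+  reference:
+    - https://goo.gl/qScSrE
+    - https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
+  tags: ransomware,malware
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8'"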
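--- /dev/null
+++ b/PATH-NOT-SHOWN/minidionis-readerview-malware-hash
@@ -0,0 +1,26 @@
+id: minidionis-readerview-malware-hash
+info:
+  name: MiniDionis Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    MiniDionis Malware - file readerView.exe / adobe.exe
+  reference:
+    - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar
+  tags: malware,minidionis
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
+          - "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
+          - "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
+          - "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
+          - "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
+          - "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
+        condition: or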
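--- /dev/null
+++ b/PATH-NOT-SHOWN/minidionis-vbs-malware-hash
@@ -0,0 +1,19 @@
+id: minidionis-vbs-malware-hash
+info:
+  name: MiniDionis VBS Dropped File Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detect Dropped File - 1.vbs
+  reference:
+    - https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar
+  tags: malware,minidionis
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646'"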
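--- /dev/null
+++ b/PATH-NOT-SHOWN/naikon-apt-malware-hash
@@ -0,0 +1,19 @@
+id: naikon-apt-malware-hash
+info:
+  name: Backdoor Naikon APT Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference:
+    - https://goo.gl/7vHyvh
+  tags: malware,naikon
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'd5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba'"
+          - "sha256(raw) == 'f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96'"
+        condition: or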
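Review bot: The `info` block has no `description`, so the template says nothing about what the two hashes correspond to, and its only `reference` is a shortened `goo.gl` link that gives a reader no context either; a line such as `description: Detects Backdoor Naikon APT samples by SHA-256 hash` (wording to be confirmed against the source rule) would fill the gap. The Neuron2, PurpleWave, SeaDuke and SFXRAR Acrotray templates below also ship without a `description`.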
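--- /dev/null
+++ b/PATH-NOT-SHOWN/neuron2-malware-hash
@@ -0,0 +1,20 @@
+id: neuron2-malware-hash
+info:
+  name: Neuron2 Loader Strings Turla APT loader Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference: |
+    - https://www.ncsc.gov.uk/alerts/turla-group-malware
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_Neuron.yar
+  tags: malware,turla,neuron2,apt
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927'"
+          - "sha256(raw) == '83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015'"
+        condition: or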
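Review bot: `reference: |` turns the two URLs into one literal string, leading `- ` markers and newline included, instead of the list every other template in this commit uses, and the template loader may not accept that string as a list of links; drop the `|` so it reads `reference:` with the two `- https://…` items beneath it. The SeaDuke template has the same `reference: |` form, there with the URLs written without list markers.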
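--- /dev/null
+++ b/PATH-NOT-SHOWN/oilrig-malware-hash
@@ -0,0 +1,45 @@
+id: oilrig-malware-hash
+info:
+  name: OilRig Malware Campaign Gen1 Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects malware from OilRig Campaign
+  reference:
+    - https://goo.gl/QMRZ8K
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Oilrig.yar
+  tags: malware,oilrig,apt
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'd808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34'"
+          - "sha256(raw) == '80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e'"
+          - "sha256(raw) == '662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f'"
+          - "sha256(raw) == '903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996'"
+          - "sha256(raw) == 'c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da'"
+          - "sha256(raw) == '57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4'"
+          - "sha256(raw) == '1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1'"
+          - "sha256(raw) == '9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777'"
+          - "sha256(raw) == '0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e'"
+          - "sha256(raw) == '4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281'"
+          - "sha256(raw) == '4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353'"
+          - "sha256(raw) == 'c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51'"
+          - "sha256(raw) == 'f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2'"
+          - "sha256(raw) == '0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39'"
+          - "sha256(raw) == 'd874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d'"
+          - "sha256(raw) == '8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9'"
+          - "sha256(raw) == '55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579'"
+          - "sha256(raw) == '528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b'"
+          - "sha256(raw) == '93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0'"
+          - "sha256(raw) == 'e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa'"
+          - "sha256(raw) == '9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471'"
+          - "sha256(raw) == 'a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064'"
+          - "sha256(raw) == '3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff'"
+          - "sha256(raw) == '3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4'"
+          - "sha256(raw) == 'f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e'"
+        condition: or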
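--- /dev/null
+++ b/PATH-NOT-SHOWN/passcv-ntscan-malware-hash
@@ -0,0 +1,19 @@
+id: passcv-ntscan-malware-hash
+info:
+  name: PassCV Sabre Tool NTScan Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: PassCV Malware mentioned in Cylance Report
+  reference:
+    - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar
+  tags: malware,passcv
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665'"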
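--- /dev/null
+++ b/PATH-NOT-SHOWN/passcv-sabre-malware-hash
@@ -0,0 +1,29 @@
+id: passcv-sabre-malware-hash
+info:
+  name: PassCV Sabre Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    PassCV Malware mentioned in Cylance Report
+  reference:
+    - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar
+  tags: malware,passcv
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'"
+          - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'"
+          - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'"
+          - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'"
+          - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'"
+          - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'"
+          - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'"
+          - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'"
+          - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'"
+        condition: or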
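--- /dev/null
+++ b/PATH-NOT-SHOWN/passcv-signingcert-malware-hash
@@ -0,0 +1,20 @@
+id: passcv-signingcert-malware-hash
+info:
+  name: PassCV Sabre Malware Signing Cert Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    PassCV Malware mentioned in Cylance Report
+  reference:
+    - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar
+  tags: malware,passcv
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e'"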
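--- /dev/null
+++ b/PATH-NOT-SHOWN/petya-ransomware-hash
@@ -0,0 +1,19 @@
+id: petya-ransomware-hash
+info:
+  name: Petya Ransomware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Detects Petya Ransomware.
+  reference:
+    - http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html
+  tags: ransomware,malware
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739'"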
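--- /dev/null
+++ b/PATH-NOT-SHOWN/poseidongroup-maldoc-malware-hash
@@ -0,0 +1,27 @@
+id: poseidongroup-maldoc-malware-hash
+info:
+  name: Poseidon Group Malicious Word Document Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects Poseidon Group - Malicious Word Document
+  reference:
+    - https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Poseidon_Group.yar
+  tags: malware,poseidon
+
+file:
+  - extensions:
+      - doc
+      - docx
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c'"
+          - "sha256(raw) == '1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af'"
+          - "sha256(raw) == 'f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a'"
+          - "sha256(raw) == 'ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed'"
+          - "sha256(raw) == '27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778'"
+          - "sha256(raw) == '1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216'"
+          - "sha256(raw) == '0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b'"
+        condition: or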
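--- /dev/null
+++ b/PATH-NOT-SHOWN/poseidongroup-malware-hash
@@ -0,0 +1,26 @@
+id: poseidongroup-malware-hash
+info:
+  name: Poseidon Group Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects Poseidon Group Malware
+  reference:
+    - https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Poseidon_Group.yar
+  tags: malware
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4'"
+          - "sha256(raw) == '344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3'"
+          - "sha256(raw) == '432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61'"
+          - "sha256(raw) == '8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47'"
+          - "sha256(raw) == 'd090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f'"
+          - "sha256(raw) == 'd7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb'"
+          - "sha256(raw) == 'ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3'"
+        condition: or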
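Review bot: `tags: malware` omits the `poseidon` tag that the companion Poseidon Group maldoc template carries (`tags: malware,poseidon`), so a tag-filtered run for that actor would pick up only one of the two templates; `tags: malware,poseidon` keeps them aligned. Both templates cite the same Securelist and Yara-Rules sources, so the actor tag applies equally to this one.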
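--- /dev/null
+++ b/PATH-NOT-SHOWN/powerstar-malware-hash
@@ -0,0 +1,22 @@
+id: powerstar-malware-hash
+info:
+  name: PowerStar Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects the batch script used to persist PowerStar via Startup.
+  reference:
+    - https://github.com/volexity/threat-intel/blob/main/2023/2023-06-28%20POWERSTAR/indicators/rules.yar
+  tags: malware,charmingkitten
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '9777f106ac62829cd3cfdbc156100fe892cfc4038f4c29a076e623dc40a60872'"
+          - "sha256(raw) == '977cf5cc1d0c61b7364edcf397e5c67d910fac628c6c9a41cf9c73b3720ce67f'"
+          - "sha256(raw) == 'b79d28fe5e3c988bb5aadb12ce442d53291dbb9ede0c7d9d64eec078beba5585'"
+          - "sha256(raw) == 'de99c4fa14d99af791826a170b57a70b8265fee61c6b6278d3fe0aad98e85460'"
+        condition: or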
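--- /dev/null
+++ b/PATH-NOT-SHOWN/purplewave-malware-hash
@@ -0,0 +1,27 @@
+id: purplewave-malware-hash
+info:
+  name: PurpleWave v1.0 Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference:
+    - https://twitter.com/3xp0rtblog/status/1289125217751781376
+    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PurpleWave.yar
+  tags: malware,apt,purplewave
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'"
+          - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'"
+          - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'"
+          - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'"
+          - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'"
+          - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'"
+          - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'"
+          - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'"
+          - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'"
+        condition: or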
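--- /dev/null
+++ b/PATH-NOT-SHOWN/red-leaves-malware-hash
@@ -0,0 +1,20 @@
+id: red-leaves-malware-hash
+info:
+  name: Red Leaves Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Red Leaves malware, related to APT10
+  reference:
+    - https://www.virustotal.com/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_RedLeaves.yar
+  tags: malware,apt,red-leaves
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c'"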
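Review bot: The first `reference` entry, `https://www.virustotal.com/`, is the VirusTotal front page and points at neither the sample nor any write-up, so it gives a reader nothing to verify the hash against; either link the specific analysis the hash was taken from or drop the entry and keep only the Yara-Rules link. The `description` also leaves the APT10 attribution unsourced, which a proper reference would normally cover.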
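--- /dev/null
+++ b/PATH-NOT-SHOWN/regeorg-webshell-hash
@@ -0,0 +1,19 @@
+id: regeorg-webshell-hash
+info:
+  name: ReGeorg Webshell Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects the reGeorg webshells' JSP version.
+  reference:
+    - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
+    - https://github.com/SecWiki/WebShell-2/blob/master/reGeorg-master/tunnel.jsp
+  tags: malware,webshells
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'f9b20324f4239a8c82042d8207e35776d6777b6305974964cd9ccc09d431b845'"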
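--- /dev/null
+++ b/PATH-NOT-SHOWN/revil-ransomware-hash
@@ -0,0 +1,23 @@
+id: revil-ransomware-hash
+info:
+  name: Revil Ransomware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description:
+    Detect Revil Ransomware.
+  reference:
+    - https://angle.ankura.com/post/102hcny/revix-linux-ransomware
+    - https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Revix.yar
+  tags: ransomware,malware
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5'"
+          - "sha256(raw) == '559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7'"
+          - "sha256(raw) == 'ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4'"
+        condition: or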
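Review bot: `description:` has its value on the following line without a block indicator, which only parses as a plain multi-line scalar if the continuation is indented more than the key; the inline form `description: Detect Revil Ransomware.` is unambiguous and matches the other templates in this commit. The rendered page has dropped the indentation, so whether the current form parses cannot be confirmed from here.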
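--- /dev/null
+++ b/PATH-NOT-SHOWN/rokrat-malware-hash
@@ -0,0 +1,20 @@
+id: rokrat-malware-hash
+info:
+  name: ROKRAT Loader Malware Hash- Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Designed to catch loader observed used with ROKRAT malware
+  reference:
+    - https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_DPRK_ROKRAT.yar
+  tags: malware,taudprkapt
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd'"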
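Review bot: `name: ROKRAT Loader Malware Hash- Detect` is missing the space before the dash that every other template name in this commit has (`… Hash - Detect`). The tag `taudprkapt` reads like two fused tokens rather than a usable filter value; if it is meant as the actor tag it should be split or spelled the way the referenced rule names it, which is worth confirming against the source.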
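--- /dev/null
+++ b/PATH-NOT-SHOWN/sauron-malware-hash
@@ -0,0 +1,26 @@
+id: sauron-malware-hash
+info:
+  name: Sauron Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: Detects malware from Project Sauron APT
+  reference:
+    - https://goo.gl/eFoP4A
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sauron_extras.yar
+  tags: malware,apt,sauron
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9'"
+          - "sha256(raw) == '30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8'"
+          - "sha256(raw) == 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec'"
+          - "sha256(raw) == 'e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57'"
+          - "sha256(raw) == '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8'"
+          - "sha256(raw) == '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca'"
+          - "sha256(raw) == '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd'"
+        condition: or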
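--- /dev/null
+++ b/PATH-NOT-SHOWN/seaduke-malware-hash
@@ -0,0 +1,18 @@
+id: seaduke-malware-hash
+info:
+  name: SeaDuke Malware Hash - Detect
+  author: pussycat0x
+  severity: info
+  reference: |
+    http://goo.gl/MJ0c2M
+    https://github.com/Yara-Rules/rules/blob/master/malware/APT_Seaduke.yar
+  tags: malware,seaduke
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'd2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e'"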
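--- /dev/null
+++ b/PATH-NOT-SHOWN/sfx1-malware-hash
@@ -0,0 +1,21 @@
+id: sfx1-malware-hash
+info:
+  name: Malicious SFX1 Hash - Detect
+  author: pussycat0x
+  severity: info
+  description: SFX with voicemail content
+  reference:
+    - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950
+    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Minidionis.yar
+  tags: malware,sfx1
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == 'c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f'"
+          - "sha256(raw) == '502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d'"
+        condition: or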
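--- /dev/null
+++ b/<PATH NOT SHOWN: sfxrar-acrotray-malware-hash>
@@ -0,0 +1,21 @@
+id: sfxrar-acrotray-malware-hash
+info:
+name: SFXRAR Acrotray Malware Hash - Detect
+author: pussycat0x
+severity: info
+reference:
+- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Cloudduke.yar
+- https://www.f-secure.com/weblog/archives/00002822.html
+tags: malware,apt,sfx
+
+file:
+- extensions:
+- all
+
+matchers:
+- type: dsl
+dsl:
+- "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'"
+- "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'"
+- "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'"
+condition: or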
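Review bot: This template has no `description:` field, unlike its siblings in the commit, so a hit reports only the name `SFXRAR Acrotray Malware Hash - Detect` with no indication of which family or campaign the three hashes belong to. Add a one-line `description:` drawn from the referenced `APT_Cloudduke.yar` rule and F-Secure post, and consider adding the family name to `tags: malware,apt,sfx` so the template is discoverable by family rather than only by packaging format.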
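--- /dev/null
+++ b/<PATH NOT SHOWN: sharpext-malware-hash>
@@ -0,0 +1,21 @@
+id: sharpext-malware-hash
+info:
+name: Sharpext Malware Hash - Detect
+author: pussycat0x
+severity: info
+description: A malicious Chrome browser extension used by the SharpTongue threat actor to steal mail data from a victim.
+reference:
+- https://github.com/volexity/threat-intel/blob/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/yara.yar
+tags: malware,sharptongue
+
+file:
+- extensions:
+- all
+
+matchers:
+- type: dsl
+dsl:
+- "sha256(raw) == '1c9664513fe226beb53268b58b11dacc35b80a12c50c22b76382304badf4eb00'"
+- "sha256(raw) == '6025c66c2eaae30c0349731beb8a95f8a5ba1180c5481e9a49d474f4e1bb76a4'"
+- "sha256(raw) == '6594b75939bcdab4253172f0fa9066c8aee2fa4911bd5a03421aeb7edcd9c90c'"
+condition: or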
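--- /dev/null
+++ b/<PATH NOT SHOWN: sofacy-winexe-malware-hash>
@@ -0,0 +1,20 @@
+id: sofacy-winexe-malware-hash
+info:
+name: Sofacy Group Winexe Tool Hash - Detect
+author: pussycat0x
+severity: info
+description: |
+Winexe tool used by Sofacy group in Bundestag APT.
+reference: |
+- http://dokumente.linksfraktion.de/inhalt/report-orig.pdf
+- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Bundestag.yar
+tags: malware,sofacy
+
+file:
+- extensions:
+- exe
+
+matchers:
+- type: dsl
+dsl:
+- "sha256(raw) == '5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d'"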
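Review bot: `- exe` restricts this template to files carrying an `.exe` extension, whereas every sibling template in this commit uses `- all`; because the matcher is a pure SHA-256 comparison, a copy of the same sample stored under another name or with no extension is not considered and therefore never matched. Unless the narrower scope is deliberate, change it to `- all` for consistency with the rest of the set. `reference: |` also turns the two URLs and their `- ` dashes into one literal string rather than a two-entry list; drop the `|` so the dashes form a real sequence.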
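--- /dev/null
+++ b/<PATH NOT SHOWN: sofacy-bundestag-malware-hash>
@@ -0,0 +1,22 @@
+id: sofacy-bundestag-malware-hash
+info:
+name: Sofacy Group Malware - Detect
+author: pussycat0x
+severity: info
+description: |
+Sofacy Malware - German Bundestag
+reference: |
+- http://dokumente.linksfraktion.de/inhalt/report-orig.pdf
+- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Bundestag.yar
+tags: malware,sofacy
+
+file:
+- extensions:
+- all
+
+matchers:
+- type: dsl
+dsl:
+- "sha256(raw) == '566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092'"
+- "sha256(raw) == '5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1'"
+condition: or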
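--- /dev/null
+++ b/<PATH NOT SHOWN: sofacy-fybis-malware-hash>
@@ -0,0 +1,21 @@
+id: sofacy-fybis-malware-hash
+info:
+name: Sofacy Fybis Linux Backdoor Hash - Detect
+author: pussycat0x
+severity: info
+reference: |
+- http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/
+- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Sofacy_Fysbis.yar
+tags: malware,sofacy
+
+file:
+- extensions:
+- all
+
+matchers:
+- type: dsl
+dsl:
+- "sha256(raw) == '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592'"
+- "sha256(raw) == '8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb'"
+- "sha256(raw) == 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61'"
+condition: or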
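Review bot: The id `sofacy-fybis-malware-hash` and name `Sofacy Fybis Linux Backdoor Hash - Detect` spell the family "Fybis", while both references use "Fysbis" (`APT_Sofacy_Fysbis.yar`, `a-look-into-fysbis-sofacys-linux-backdoor`); this looks like a transposition and will not match searches for the documented name. Rename to `id: sofacy-fysbis-malware-hash` and `name: Sofacy Fysbis Linux Backdoor Hash - Detect`, and add `fysbis` to `tags:`. This template also lacks a `description:`, unlike the other sofacy templates in the commit, and its `reference: |` makes the two dashed URLs one literal string instead of a list.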
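--- /dev/null
+++ b/<PATH NOT SHOWN: tidepool-malware-hash>
@@ -0,0 +1,24 @@
+id: tidepool-malware-hash
+info:
+name: TidePool Malware Hash - Detect
+author: pussycat0x
+severity: info
+description: |
+Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks
+reference:
+- http://goo.gl/m2CXWR
+- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Ke3Chang_TidePool.yar
+tags: malware,tidepool
+
+file:
+- extensions:
+- all
+
+matchers:
+- type: dsl
+dsl:
+- "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'"
+- "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'"
+- "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'"
+- "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'"
+condition: or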
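--- /dev/null
+++ b/<PATH NOT SHOWN: turla-malware-hash>
@@ -0,0 +1,29 @@
+id: turla-malware-hash
+info:
+name: Turla APT Malware - Detect
+author: pussycat0x
+severity: info
+description: Detects Turla malware based on sample used in the RUAG APT case
+reference: |
+https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
+https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_RUAG.yar
+tags: malware,turla,apt,ruag
+
+file:
+- extensions:
+- all
+
+matchers:
+- type: dsl
+dsl:
+- "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'"
+- "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'"
+- "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'"
+- "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'"
+- "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'"
+- "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'"
+- "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'"
+- "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'"
+- "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'"
+- "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'"
+condition: or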
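--- /dev/null
+++ b/<PATH NOT SHOWN: unit78020-malware-hash>
@@ -0,0 +1,26 @@
+id: unit78020-malware-hash
+info:
+name: Unit 78020 Malware Hash - Detect
+author: pussycat0x
+severity: info
+description: |
+Detects malware by Chinese APT PLA Unit 78020 - Generic Rule
+reference: |
+http://threatconnect.com/camerashy/?utm_campaign=CameraShy
+https://github.com/Yara-Rules/rules/blob/master/malware/APT_Unit78020.yar
+tags: malware,unit78020
+
+file:
+- extensions:
+- all
+
+matchers:
+- type: dsl
+dsl:
+- "sha256(raw) == '2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72'"
+- "sha256(raw) == '76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd'"
+- "sha256(raw) == '2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac'"
+- "sha256(raw) == '5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2'"
+- "sha256(raw) == '7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af'"
+- "sha256(raw) == '88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790'"
+condition: or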
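--- /dev/null
+++ b/<PATH NOT SHOWN: wildneutron-malware-hash>
@@ -0,0 +1,31 @@
+id: wildneutron-malware-hash
+info:
+name: WildNeutron APT Sample Hash - Detect
+author: pussycat0x
+severity: info
+description: |
+Wild Neutron APT Sample Rule based on file hash
+reference: |
+- https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
+- https://github.com/Yara-Rules/rules/blob/master/malware/APT_WildNeutron.yar
+tags: malware,wildneutron,apt
+
+file:
+- extensions:
+- all
+
+matchers:
+- type: dsl
+dsl:
+- "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
+- "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"
+- "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'"
+- "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'"
+- "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'"
+- "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'"
+- "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
+- "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'"
+- "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'"
+- "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
+- "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'"
+condition: or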
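Review bot: The hash `758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92` is listed twice under `dsl:` (the seventh and tenth entries), so one line is redundant and may indicate that a different hash from the source rule was dropped while transcribing; remove the duplicate and compare the list against the referenced `APT_WildNeutron.yar` for the missing entry. `reference: |` also turns the two dashed URLs into one literal string containing the `- ` text rather than a two-entry list; drop the `|` so the dashes form a real sequence.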