id: evilbamboo-malware-hash

info:
  name: EvilBamboo Malware Hash - Detect
  author: pussycat0x
  severity: info
  description: |
    Detects the data collection files shared by the BADSOLAR and BADBAZAAR malware families (EvilBamboo) by matching their SHA-256 hashes.
  reference:
    - https://github.com/volexity/threat-intel/blob/main/2023/2023-09-22%20EvilBamboo/indicators/rules.yar
    - https://www.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine
  tags: malware,evilbamboo

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'"
          - "sha256(raw) == 'bf5f7fbf42236e89bcf663d2822d54bee89abaf3f247a54f371bf156e0e03629'"
          - "sha256(raw) == 'f7132750db2a8ca8eb9e9e5a32377aa506395d02bacbb918f835041f5f035c4c'"
          - "sha256(raw) == 'daf3d2cb6f1bbb7c8d1cfb5fc0db23afc304a622ebb24aa940228be691bcda2b'"
          - "sha256(raw) == '549d726fe2b775cfdd1304c2d689dfd779731336a3143225dc3c095440f69ed0'"
          - "sha256(raw) == '0fea799ce00c7d6f26ccb52a2ecbe6b9605cfb9910f2a309a841caedf3b102d7'"
          - "sha256(raw) == 'f0bf154d1e90491199b66ab95c1a4071669f3322c55f3643e36c20a9fb63eb56'"
          - "sha256(raw) == '6aefc2b33e23f6e3c96de51d07f7123bd23ff951d67849a9bd32d446e76fb405'"
          - "sha256(raw) == 'fa9154eaa3df4ff4464b21c45362fd1c7fb5e68108ab350c05f2ca9f60263988'"
          - "sha256(raw) == 'c5e8476fc6938a36438a433b48e80213e2251b1d4b20a9469912d628a86198b3'"
          - "sha256(raw) == '28560642fe99b3e611510f5559a12eb41112f3e2b3005432f7343cb79ff47a34'"
          - "sha256(raw) == '7995c382263f8dbbfc37a9d62392aef8b4f89357d436b3dd94dea842f9574ecf'"
          - "sha256(raw) == 'efea95720853e0cd2d9d4e93a64a726cfe17efea7b17af7c4ae6d3a6acae5b30'"
        condition: or
# digest: 4a0a0047304502206d8e6848dc4301823b8e130856dbe24d08992b76845f62f3714c1616a1132640022100b6f74f98ddbd5421cb7228f6f2a457ce927e5d388f36b2296286d137d7eb74ed:922c64590222798bb761d5b6d8e72950
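The template above is a pure hash-match rule: each DSL expression compares the SHA-256 of the whole file (`raw`) against one known sample, and `condition: or` fires on any hit. That makes it exact and low-noise, but also brittle: a repacked or recompiled sample will not match, so it should be run alongside the structural YARA rules in the referenced Volexity repository. The script below is an added example, not part of the nuclei-templates project. It re-implements the matcher logic without nuclei so the IOC list can be run from any Python host: it parses the `sha256(raw) == '<hex>'` expressions out of a template, validates and de-duplicates them (repeated or malformed entries creep into hand-maintained IOC lists), streams every regular file under a directory through SHA-256, and reports matches. `SAMPLE_TEMPLATE` is a constructed fragment using two hashes from this template (one deliberately repeated) plus the SHA-256 of an empty file so the demo produces a hit offline.

```python
"""Run the SHA-256 matchers of a nuclei file template without nuclei.

Added example; not code from the nuclei-templates project.
"""
import hashlib
import os
import re
import sys
import tempfile
from collections import Counter

# The DSL form used by nuclei file templates: sha256(raw) == '<hex digest>'
HASH_EXPR = re.compile(r"sha256\(raw\)\s*==\s*'([0-9a-fA-F]+)'")

# SHA-256 of zero bytes; used so the self-contained demo gets a real hit.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed sample (assumption, not the full template): two EvilBamboo
# hashes, the first one repeated, plus the empty-file hash.
SAMPLE_TEMPLATE = """\
file:
  - extensions:
      - all
    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'"
          - "sha256(raw) == 'bf5f7fbf42236e89bcf663d2822d54bee89abaf3f247a54f371bf156e0e03629'"
          - "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'"
          - "sha256(raw) == 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'"
        condition: or
"""


def extract_hashes(template_text):
    """Return (unique_hashes, duplicates, malformed) from the DSL expressions.

    Hashes are lower-cased; anything that is not 64 hex chars is reported
    as malformed rather than silently matched against nothing.
    """
    found = [h.lower() for h in HASH_EXPR.findall(template_text)]
    counts = Counter(found)
    malformed = [h for h in counts if len(h) != 64]
    duplicates = sorted(h for h, n in counts.items() if n > 1)
    unique = {h for h in counts if len(h) == 64}
    return unique, duplicates, malformed


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes):
    """Hash every regular file under root; return [(path, sha256)] that match.

    Symlinks are skipped so a planted link cannot redirect the scan.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_file(path)
            if digest in hashes:
                hits.append((path, digest))
    return hits


def demo():
    """Offline run: parse SAMPLE_TEMPLATE and scan a temp dir with one empty file."""
    hashes, dups, bad = extract_hashes(SAMPLE_TEMPLATE)
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "empty.bin"), "wb").close()
        hits = scan_tree(d, hashes)
    return hashes, dups, bad, hits


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: hashscan.py <template.yaml> <directory>  (running demo)")
        _, dups, bad, hits = demo()
        for path, digest in hits:
            print(f"demo MATCH {digest} {path}")
        sys.exit(0)
    with open(sys.argv[1], encoding="utf-8") as f:
        hashes, dups, bad = extract_hashes(f.read())
    for h in dups:
        print(f"warning: duplicate hash in template: {h}")
    for h in bad:
        print(f"warning: malformed hash in template: {h}")
    for path, digest in scan_tree(sys.argv[2], hashes):
        print(f"MATCH {digest} {path}")
```

Point it at the template file and a directory of collected samples (`python hashscan.py evilbamboo-malware-hash.yaml ./samples`); the duplicate and malformed warnings are worth reading before trusting a clean result, since a mistyped digest never matches anything.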