id: sfxrar-acrotray-malware-hash

info:
  name: SFXRAR Acrotray Malware Hash - Detect
  author: pussycat0x
  severity: info
  reference:
    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Cloudduke.yar
    - https://www.f-secure.com/weblog/archives/00002822.html
  tags: malware,apt,sfx

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57'"
          - "sha256(raw) == '5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48'"
          - "sha256(raw) == '56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198'"
        condition: or
# digest: 4b0a00483046022100c6c00d587c785d24265f7e10ab085570073dd32002bd3e0ffad8a63068abf9a9022100d5c1fde8a605a53dc23a8f5c1c77d481a575ab9e3560d00883d94eca3eb1b3ab:922c64590222798bb761d5b6d8e72950
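The template above is a pure hash-match rule: every file on disk is read regardless of extension (`extensions: - all`), `sha256(raw)` is computed over the unmodified bytes, and the file is flagged if that digest equals any one of the three listed values (`condition: or`). The following is an added example, not code from the template or from the Nuclei project, that reimplements exactly that match logic in Python so its semantics can be checked offline. The function names (`matches`, `scan_blobs`, `scan_dir`) and the sample bytes are constructed for illustration; the three digests are the ones carried by the template.

```python
"""Hash-match logic of the sfxrar-acrotray-malware-hash template, reimplemented
in plain Python. Added example; not part of the template or of Nuclei."""
import hashlib
from pathlib import Path
from typing import Dict, Iterable, Mapping

# The three SHA-256 digests listed in the template's dsl matchers.
TEMPLATE_HASHES = frozenset({
    "51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57",
    "5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48",
    "56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198",
})


def sha256_hex(raw: bytes) -> str:
    """Equivalent of the DSL's sha256(raw): digest of the full, unmodified file bytes."""
    return hashlib.sha256(raw).hexdigest()


def matches(raw: bytes, hashes: Iterable[str] = TEMPLATE_HASHES) -> bool:
    """condition: or -> true when the digest equals ANY listed hash.

    The template lists lowercase hex; hashes are normalised here so that a
    hash pasted in uppercase from another feed still compares correctly.
    """
    digest = sha256_hex(raw)
    return any(digest == h.strip().lower() for h in hashes)


def scan_blobs(blobs: Mapping[str, bytes],
               hashes: Iterable[str] = TEMPLATE_HASHES) -> Dict[str, str]:
    """Apply the matcher to {name: bytes} and return {name: digest} for hits.

    Every entry is checked whatever its name or extension, mirroring
    `extensions: - all` in the template.
    """
    hashes = frozenset(h.strip().lower() for h in hashes)
    return {name: sha256_hex(raw)
            for name, raw in blobs.items() if matches(raw, hashes)}


def scan_dir(root: Path, hashes: Iterable[str] = TEMPLATE_HASHES) -> Dict[str, str]:
    """Walk a directory tree and apply scan_blobs to every regular file."""
    blobs = {str(p): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return scan_blobs(blobs, hashes)


if __name__ == "__main__":
    # Constructed sample (not real malware) to show the matcher's behaviour.
    sample = b"MZ\x90\x00constructed-sample-not-real-malware"
    known = {sha256_hex(sample)}
    print("exact copy matches:   ", matches(sample, known))        # True
    tampered = sample[:-1] + bytes([sample[-1] ^ 0x01])
    print("one-bit change matches:", matches(tampered, known))    # False
    print("hits against template: ", scan_blobs({"a.exe": sample}))  # {}
```

The tampered-sample case is the caveat worth keeping in mind when relying on a template like this: an exact-digest rule catches only the byte-identical samples listed, so any repacked or patched variant of the same SFX RAR dropper produces a different SHA-256 and is missed. To run the template itself rather than this reimplementation, point Nuclei at a directory with file templates enabled, e.g. `nuclei -t sfxrar-acrotray-malware-hash.yaml -file -target ./samples`.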