id: passcv-sabre-malware-hash

info:
  name: PassCV Sabre Malware Hash - Detect
  author: pussycat0x
  severity: info
  description: |
    PassCV Malware mentioned in Cylance Report
  reference:
    - https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Passcv.yar
  tags: malware,passcv

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a'"
          - "sha256(raw) == 'e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55'"
          - "sha256(raw) == '475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4'"
          - "sha256(raw) == '009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78'"
          - "sha256(raw) == '92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b'"
          - "sha256(raw) == '0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2'"
          - "sha256(raw) == '28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1'"
          - "sha256(raw) == '27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f'"
          - "sha256(raw) == '03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5'"
        condition: or