id: turla-malware-hash

info:
  name: Turla APT Malware - Detect
  author: pussycat0x
  severity: info
  description: Detects Turla malware based on the samples used in the RUAG APT case
  reference: |
    https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
    https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_RUAG.yar
  tags: malware,turla,apt,ruag

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'"
          - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'"
          - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'"
          - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'"
          - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'"
          - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'"
          - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'"
          - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'"
          - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'"
          - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'"
        condition: or
# digest: 490a0046304402202a529af4e2c672912e07f47775f1a5faf0eeddaef1d1cd5f358e5870e6a47e1a02207b628b9451d23034e702188e2448407d52e61d6dd0479a15ab4a2439036ba509:922c64590222798bb761d5b6d8e72950