id: tidepool-malware-hash

info:
  name: TidePool Malware Hash - Detect
  author: pussycat0x
  severity: info
  description: |
    Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks
  reference:
    - http://goo.gl/m2CXWR
    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Ke3Chang_TidePool.yar
  tags: malware,tidepool

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba'"
          - "sha256(raw) == '67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed'"
          - "sha256(raw) == '2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18'"
          - "sha256(raw) == '38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f'"
        condition: or
# digest: 4b0a00483046022100c8f11fadc36b3416cc0ef3a9befdd2ac335f070d9efaa19aa84c4d8f966268a7022100b692fc6cdee671850192ca8759d3beb03771d1b6d19dfa95819808359bf0521f:922c64590222798bb761d5b6d8e72950