id: codoso-malware-hash

info:
  name: Codoso APT Malware Hash - Detect
  author: pussycat0x
  severity: info
  description: |
    Detects known Codoso APT malware samples by the SHA-256 hash of the file contents.
  reference:
    - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
  tags: malware,apt,codoso

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'"
          - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'"
          - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'"
          - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'"
          - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'"
          - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'"
        condition: or
# digest: 4a0a004730450220308710bed21d5eb52e56a7561d04353c42bffe6291b6b826b50da6777de368310221009e0df4a7212395c0c75578001769a2240a27bab1c047e00858df537c057988cc:922c64590222798bb761d5b6d8e72950
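The matcher above is a plain whole-file hash comparison: nuclei reads each file regardless of extension, computes `sha256(raw)` and fires if any of the listed digests match. The following is an added example, not part of this template or of the nuclei project, that performs the same check outside nuclei with only the Python standard library. The six hashes are copied from the template; the sample bytes in the usage and test are constructed and are not real malware. Note the caveat that applies to the template as well: an exact-hash IOC only catches byte-identical samples, so any repack or single-byte change evades it.

```python
"""Hash-based file IOC check mirroring the template's `sha256(raw) == ...` DSL matcher."""
import hashlib
import os
import sys
from typing import Dict, Iterable, Optional, Set

# SHA-256 digests taken from the nuclei template above (Codoso APT samples).
IOC_SHA256: Set[str] = {
    "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0",
    "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8",
    "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa",
    "02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13",
    "d66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090",
    "3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3",
}


def _normalise(iocs: Iterable[str]) -> Set[str]:
    """Hash lists from feeds arrive in mixed case and with stray whitespace; compare lower-case hex."""
    return {h.strip().lower() for h in iocs}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_bytes(data: bytes, iocs: Iterable[str] = IOC_SHA256) -> Optional[str]:
    """Equivalent of the template's DSL list with `condition: or`.

    Returns the matching digest (lower-case hex) or None when no IOC matches.
    """
    digest = sha256_of_bytes(data)
    return digest if digest in _normalise(iocs) else None


def scan_directory(root: str, iocs: Iterable[str] = IOC_SHA256) -> Dict[str, str]:
    """Walk `root` over every file (like `extensions: - all`) and return {path: digest} for hits.

    Symlinks are skipped so a planted link cannot pull files from outside `root` into the scan,
    and unreadable files are skipped rather than aborting the whole run.
    """
    wanted = _normalise(iocs)
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits[path] = digest
    return hits


if __name__ == "__main__":
    # Usage: python codoso_hash_check.py <directory>   (file name is an assumption for illustration)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_digest in scan_directory(target).items():
        print(f"{hit_path}\t{hit_digest}")
```

Because the comparison is on the digest of the whole file, the same code works for any hash-only IOC feed: swap `IOC_SHA256` for another set of SHA-256 strings. To widen coverage beyond exact copies you would pair this with the referenced YARA rule, which matches on content patterns rather than a single digest.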