id: purplewave-malware-hash

info:
  name: PurpleWave v1.0 Malware Hash - Detect
  author: pussycat0x
  severity: info
  reference:
    - https://twitter.com/3xp0rtblog/status/1289125217751781376
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PurpleWave.yar
  tags: malware,apt,purplewave

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df'"
          - "sha256(raw) == '76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304'"
          - "sha256(raw) == '832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd'"
          - "sha256(raw) == '917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9'"
          - "sha256(raw) == 'a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16'"
          - "sha256(raw) == 'd5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161'"
          - "sha256(raw) == 'd820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9'"
          - "sha256(raw) == 'd4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554'"
          - "sha256(raw) == '4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d'"
        condition: or
# digest: 490a004630440220697b99b706d2c5ba4e36e75d5cf9bc86654026c6b0ab367ed181f996e5b5a58e02202019b64c704f7e41def665c872f5523cf264b9ec55374ff62128cabad12eb9d3:922c64590222798bb761d5b6d8e72950
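The template fires when the SHA-256 of a file's raw bytes equals any one of the nine listed values (`condition: or`), over every file regardless of extension (`extensions: - all`). The following stand-alone scanner is an added example, not code from the nuclei-templates project or from the template author: it embeds the same nine hashes, hashes files in binary mode so the digest matches `sha256(raw)`, and reports hits under a directory. The function names (`scan`, `matches`, `sha256_file`, `demo`) and the temporary-directory sample in `demo()` are my own constructions; no real PurpleWave sample is needed to run it.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Set

# The nine SHA-256 values carried by the purplewave-malware-hash template.
PURPLEWAVE_SHA256: Set[str] = {
    "7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df",
    "76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304",
    "832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd",
    "917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9",
    "a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16",
    "d5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161",
    "d820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9",
    "d4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554",
    "4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d",
}

CHUNK_SIZE = 1 << 20  # 1 MiB read buffer


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """SHA-256 of a file's raw bytes, streamed so large samples need not fit in memory.

    Binary mode matters: hashing a decoded text view of the file would not
    equal the template's `sha256(raw)`.
    """
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(digest: str, hashes: Iterable[str] = PURPLEWAVE_SHA256) -> bool:
    """`condition: or` over the DSL list: a single equal hash is a hit.

    Comparison is case-insensitive because the template stores lowercase hex
    while some tooling reports uppercase.
    """
    digest = digest.strip().lower()
    return any(digest == h.strip().lower() for h in hashes)


def scan(root: str, hashes: Iterable[str] = PURPLEWAVE_SHA256) -> Dict[str, str]:
    """Walk `root` and return {path: sha256} for every file that matches.

    Every regular file is considered, whatever its extension, mirroring
    `extensions: - all`. Symlinks are skipped so a link pointing outside the
    scanned tree is not followed.
    """
    watch = {h.strip().lower() for h in hashes}
    hits: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: not a match, keep scanning
            if digest in watch:
                hits[path] = digest
    return hits


def demo() -> Dict[str, str]:
    """Constructed end-to-end run (no real PurpleWave sample is used).

    A temporary directory gets one benign file and one stand-in "sample"; the
    stand-in's own hash is appended to the watch list so the positive path is
    exercised alongside the real template hashes.
    """
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"just a note\n")
        payload = b"constructed stand-in, not real malware\x00"  # constructed input
        with open(os.path.join(tmp, "dropper.bin"), "wb") as f:
            f.write(payload)
        hits = scan(tmp, set(PURPLEWAVE_SHA256) | {sha256_hex(payload)})
        return {os.path.basename(p): d for p, d in hits.items()}


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"MATCH {name} {digest}")
```

Exact-hash matching is the narrowest possible signature: repacking, re-signing, or appending a single byte to a sample changes its SHA-256 and defeats the template, so treat a hit as high confidence and a miss as no information. The YARA rule in the second reference is the complementary, content-based check.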