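# Nuclei file-protocol template: reports a file whose SHA-256 equals one of the
# published Wild Neutron APT sample hashes listed under `matchers`.
id: wildneutron-malware-hash

info:
  name: WildNeutron APT Sample Hash - Detect
  author: pussycat0x
  # `info` is the template's result severity, not a statement about the
  # malware family.
  severity: info
  description: |
    Wild Neutron APT Sample Rule based on file hash
  reference: |
    - https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_WildNeutron.yar
  tags: malware,wildneutron,apt

file:
  # Every file extension is in scope, so each scanned file gets hashed.
  - extensions:
      - all

    matchers:
      # Exact-hash matching only finds byte-identical copies of the known
      # samples; a recompiled or repacked variant produces a different digest
      # and will not be reported. Treat a clean result as "no known sample
      # present", not as "host is clean".
      # NOTE(review): assumes `raw` holds the complete file contents. If the
      # engine truncates or chunks large files, the computed hash will not
      # equal the published one. Confirm against the scanner's size limits.
      - type: dsl
        dsl:
          - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
          - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"
          - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'"
          - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'"
          - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'"
          - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'"
          - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
          - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'"
          - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'"
          # The hash 758e6b51...785c92 was listed a second time at this
          # position and has been dropped. With `condition: or` the duplicate
          # could never change the result.
          # NOTE(review): check the referenced YARA rule in case a different
          # sample hash was intended for that slot.
          - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'"
        # A single matching hash is enough to report the file.
        condition: or
# The digest below was generated for the template as originally published.
# Any edit to the template body invalidates it; re-sign (`nuclei -sign`)
# before relying on signature verification.
# digest: 490a004630440220086e06317df4bddc8a0d06db3e3d425ce85e8d8b171fdb6c9fd57b727f426eb8022020c41ddbc32b5418dae8ddd213da4b5e5699812fb90290e95cd62fb3f7224173:922c64590222798bb761d5b6d8e72950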