id: blackenergy-driver-amdide-hash

info:
  name: Blackenergy-Driver Amdide Hash - Detect
  author: pussycat0x
  severity: info
  description: |
    Detects the AMDIDE driver from BlackEnergy malware
  reference:
    - http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
  tags: malware,blackenergy

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614'"
          - "sha256(raw) == '3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2'"
          - "sha256(raw) == '90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c'"
          - "sha256(raw) == '97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1'"
          - "sha256(raw) == '5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc'"
          - "sha256(raw) == 'cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988'"
          - "sha256(raw) == '1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68'"
        condition: or
# digest: 4b0a004830460221009e755cb9b884c78a81ebf3c11bdecc13822a87e81b7f2aadb0386c4b3d0505f3022100c44721811a65d9293b7a5cec15ad9a83ba3180b5c373c7b508cf35c6679994e0:922c64590222798bb761d5b6d8e72950