id: bluelight-malware-hash

info:
  name: bluelight Malware Hash - Detect
  author: pussycat0x
  severity: info
  description: North Korean origin malware which uses a custom Google App for C2 communications.
  reference:
    - https://github.com/volexity/threat-intel/blob/main/2021/2021-08-17%20-%20InkySquid%20Part%201/indicators/yara.yar
  tags: malware,inkysquid

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed'"
          - "sha256(raw) == '7c40019c1d4cef2ffdd1dd8f388aaba537440b1bffee41789c900122d075a86d'"
          - "sha256(raw) == '94b71ee0861cc7cfbbae53ad2e411a76f296fd5684edf6b25ebe79bf6a2a600a'"
        condition: or
# digest: 4b0a00483046022100bee4e8268cf26453045145f505f3aa37568f85c67d982701b3d3c06b750a3dc4022100adbefd57c061ddfe5ab00a929baa9e8eecf250eac26791bf3d0e80bf58544170:922c64590222798bb761d5b6d8e72950