nuclei-templates/file/malware/hash/ico-malware-hash.yaml

id: ico-malware-hash
info:
  name: ICO Malware Hash - Detect
  author: pussycat0x
  severity: info
  description: Detection of malicious ICO files used in 3CX compromise
  reference:
    - https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/indicators/rules.yar
  tags: malware,uta0040

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == 'a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c'"
          - "sha256(raw) == 'a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67'"
          - "sha256(raw) == '8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423'"
          - "sha256(raw) == 'f79c3b0adb6ec7bcc8bc9ae955a1571aaed6755a28c8b17b1d7595ee86840952'"
          - "sha256(raw) == '7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896'"
          - "sha256(raw) == 'aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868'"
        condition: or
# digest: 4a0a0047304502210080d59fa91d32936cfa59f88492591cf309cfe06721ee5455cf7a3d3d2659f7be022045f58959e4c91fa9a13f740e85981ffc1446d47d186a076d56a1d9333bc0a053:922c64590222798bb761d5b6d8e72950