nuclei-templates/file/malware/hash/codoso-malware-hash.yaml


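# Nuclei file-protocol template: flags a scanned file whose SHA-256 equals one
# of six known Codoso APT sample hashes. The nesting below is restored; with
# every key at column 0 the info/file/matchers structure is lost and the
# block scalar under `description` has no indented content.
id: codoso-malware-hash

info:
  name: Codoso APT Malware Hash - Detect
  author: pussycat0x
  # NOTE(review): `info` is kept as the author set it. An exact hash match on
  # a known sample is a high-confidence finding; confirm that your triage
  # pipeline does not drop info-level results from this template.
  severity: info
  description: |
    Detects Codoso APT Malware.
  reference:
    - https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Codoso.yar
  tags: malware,apt,codoso

file:
  # `all` applies the matcher to every file regardless of extension, so a
  # renamed sample is still hashed.
  - extensions:
      - all

    matchers:
      # Exact-hash indicators: each expression compares the SHA-256 of the
      # content exposed as `raw` with one known sample. A sample that differs
      # by a single byte (repacked, recompiled, padded) will not match, so a
      # clean result only means "none of these six files", not "no Codoso
      # activity". The YARA rule listed under `reference` is the
      # content-based complement.
      # NOTE(review): confirm that `raw` holds the complete file for large
      # inputs; a hash computed over a partial read can never equal these.
      - type: dsl
        dsl:
          - "sha256(raw) == 'ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0'"
          - "sha256(raw) == '130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8'"
          - "sha256(raw) == '3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa'"
          - "sha256(raw) == '02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13'"
          - "sha256(raw) == 'd66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090'"
          - "sha256(raw) == '3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3'"
        # Any single hash is sufficient for a match.
        condition: or
# NOTE(review): the digest line is the template's signature and was issued for
# the upstream text. Any edit to this file, comments included, presumably
# invalidates it; re-sign the template before relying on signature checks.
# digest: 4a0a004730450220308710bed21d5eb52e56a7561d04353c42bffe6291b6b826b50da6777de368310221009e0df4a7212395c0c75578001769a2240a27bab1c047e00858df537c057988cc:922c64590222798bb761d5b6d8e72950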