nuclei-templates/file/malware/hash/turla-malware-hash.yaml

id: turla-malware-hash
info:
  name: Turla APT Malware - Detect
  author: pussycat0x
  severity: info
  description: Detects Turla malware based on sample used in the RUAG APT case
  reference: |
    https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
    https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_RUAG.yar    
  tags: malware,turla,apt,ruag

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4'"
          - "sha256(raw) == '7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9'"
          - "sha256(raw) == 'fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd'"
          - "sha256(raw) == 'c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4'"
          - "sha256(raw) == 'b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4'"
          - "sha256(raw) == 'edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348'"
          - "sha256(raw) == '8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a'"
          - "sha256(raw) == '8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98'"
          - "sha256(raw) == '0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f'"
          - "sha256(raw) == '2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2'"
        condition: or
# digest: 490a0046304402202a529af4e2c672912e07f47775f1a5faf0eeddaef1d1cd5f358e5870e6a47e1a02207b628b9451d23034e702188e2448407d52e61d6dd0479a15ab4a2439036ba509:922c64590222798bb761d5b6d8e72950