nuclei-templates/file/malware/hash/backwash-malware-hash.yaml

id: backwash-malware-hash
info:
  name: Backwash Malware Hash - Detect
  author: pussycat0x
  severity: info
  description: |
    CPP loader for the Backwash malware.    
  reference:
    - https://github.com/volexity/threat-intel/blob/main/2021/2021-12-06%20-%20XEGroup/indicators/yara.yar
    - https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/
  tags: malware,xegroup

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '0cf93de64aa4dba6cec99aa5989fc9c5049bc46ca5f3cb327b49d62f3646a852'"
          - "sha256(raw) == '21683e02e11c166d0cf616ff9a1a4405598db7f4adfc87b205082ae94f83c742'"
          - "sha256(raw) == '6f44a9c13459533a1f3e0b0e698820611a18113c851f763797090b8be64fd9d5'"
          - "sha256(raw) == '92f9593cfa0a28951cae36755d54de63631377f1b954a4cb0474fa0b6193c537'"
          - "sha256(raw) == '815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f'"
          - "sha256(raw) == '72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911'"
          - "sha256(raw) == '4d913ecb91bf32fd828d2153342f5462ae6b84c1a5f256107efc88747f7ba16c'"
          - "sha256(raw) == '98e39573a3d355d7fdf3439d9418fdbf4e42c2e03051b5313d5c84f3df485627'"
        condition: or
# digest: 4b0a00483046022100ae727b6d00154914ae43b7d0570a5e4abee33341a6b5786be48fe2bb027d8408022100d0ef741360e46aded1e0d7609864fb6d12c154d343233251799bc896550476e8:922c64590222798bb761d5b6d8e72950