34 lines
2.0 KiB
YAML
34 lines
2.0 KiB
YAML
id: cloudduke-malware-hash
|
|
info:
|
|
name: CloudDuke Malware Hash - Detect
|
|
author: pussycat0x
|
|
severity: info
|
|
reference:
|
|
- https://www.f-secure.com/weblog/archives/00002822.html
|
|
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Cloudduke.yar
|
|
tags: malware,apt
|
|
|
|
file:
|
|
- extensions:
|
|
- all
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
|
|
- "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
|
|
- "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'"
|
|
- "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
|
|
- "sha256(raw) == '1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7'"
|
|
- "sha256(raw) == '88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f'"
|
|
- "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
|
|
- "sha256(raw) == '97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7'"
|
|
- "sha256(raw) == 'ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46'"
|
|
- "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
|
|
- "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
|
|
- "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
|
|
- "sha256(raw) == 'ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145'"
|
|
- "sha256(raw) == 'a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004'"
|
|
- "sha256(raw) == '56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e'"
|
|
condition: or
|
|
# digest: 490a0046304402202a89b12c811db5885bcfc2b2d2e4ddeef1a3d4a6735b7e737e1fd34a2975c12b0220157129a18a197afbb9e1d6e91cdd45657c79f22ed4fd9881ffae2aa061b96175:922c64590222798bb761d5b6d8e72950 |