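# Nuclei file-protocol template: reports any scanned file whose SHA-256
# equals one of the sample hashes listed under `matchers`.
id: wildneutron-malware-hash

info:
  name: WildNeutron APT Sample Hash - Detect
  author: pussycat0x
  severity: info
  description: |
    Wild Neutron APT Sample Rule based on file hash
  # Written as a sequence so each URL is its own entry.
  reference:
    - https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
    - https://github.com/Yara-Rules/rules/blob/master/malware/APT_WildNeutron.yar
  tags: malware,wildneutron,apt

file:
  # `all` places every file under the scan path in scope, whatever its
  # extension, so each one is hashed and compared.
  - extensions:
      - all

    matchers:
      # Exact-hash matching only identifies byte-identical copies of the
      # listed samples. A clean result does not rule out repacked or
      # modified variants; pair this with content-based rules.
      # NOTE(review): the hashes presumably come from the YARA rule linked
      # in `reference` - verify against that source before relying on them.
      - type: dsl
        dsl:
          - "sha256(raw) == '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94'"
          - "sha256(raw) == 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0'"
          - "sha256(raw) == 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45'"
          - "sha256(raw) == '1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206'"
          - "sha256(raw) == '4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865'"
          - "sha256(raw) == 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c'"
          # This hash was listed twice in the original; one entry is enough
          # because the expressions are combined with `or`.
          - "sha256(raw) == '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92'"
          - "sha256(raw) == '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e'"
          - "sha256(raw) == '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9'"
          - "sha256(raw) == '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a'"
        # Any single matching hash is sufficient to report the file.
        condition: or

# NOTE(review): the digest below is the signature published with the
# original template text. This file has been edited (duplicate hash removed,
# comments added), so the signature will presumably no longer verify;
# re-sign the template before treating it as a trusted, signed template.
# digest: 490a004630440220086e06317df4bddc8a0d06db3e3d425ce85e8d8b171fdb6c9fd57b727f426eb8022020c41ddbc32b5418dae8ddd213da4b5e5699812fb90290e95cd62fb3f7224173:922c64590222798bb761d5b6d8e72950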