MalwareBazaar: Malicious attachment hash (trusted reporters)

Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from first-time senders.

Sublime rule (View on GitHub)

 1name: "MalwareBazaar: Malicious attachment hash (trusted reporters)"
 2description: "Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from first-time senders."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(attachments, .sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters)
 8  and (
 9    profile.by_sender().prevalence in ("new", "outlier")
10    or (
11      profile.by_sender().any_messages_malicious_or_spam
12      and not profile.by_sender().any_false_positives
13    )
14  )  
15tags:
16  - "Abusech: MalwareBazaar"
17attack_types:
18  - "Malware/Ransomware"
19detection_methods:
20  - "File analysis"
21  - "Sender analysis"
22  - "Threat intelligence"
23id: "5b5c9c3e-92c2-56cd-ad0d-1a2e195fa2b4"
to-top