MalwareBazaar: Malicious attachment hash in archive (trusted reporters)

Detects an archive attachment, from an unknown sender, that contains a file whose SHA256 hash has been reported as malware on MalwareBazaar by trusted reporters.

Sublime rule (View on GitHub)

name: "MalwareBazaar: Malicious attachment hash in archive (trusted reporters)"
description: "Detects if an archive attachment contains a file that matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from unknown senders."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.),
                  .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "Threat intelligence"
id: "9d734281-3111-5bed-a192-9ae0e1ad6b9d"
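To make the rule's logic concrete outside the Sublime platform, here is an added Python model of it (not Sublime's code or the rule author's): it explodes a zip attachment, hashes each member, checks the hashes against a feed, and applies the same sender-profile clauses. It assumes zip as the only archive type (the real rule uses the `$file_extensions_common_archives` list) and a constructed hash set standing in for `$abuse_ch_malwarebazaar_sha256_trusted_reporters`.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass

@dataclass
class SenderProfile:
    """Subset of profile.by_sender() fields the rule consults (constructed)."""
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_false_positives: bool

@dataclass
class Attachment:
    file_name: str
    content: bytes

def explode_zip(data: bytes):
    """Stand-in for file.explode(.): yield (member name, SHA256 hex) for each file in a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, hashlib.sha256(zf.read(info)).hexdigest()
    except zipfile.BadZipFile:
        return  # corrupt or not a zip: nothing explodes, so no hash can match

def archive_hash_hit(attachments, bad_hashes: set) -> bool:
    """any(attachments, archive ext and any(file.explode(.), .scan.hash.sha256 in feed))."""
    return any(
        att.file_name.lower().endswith(".zip")  # demo stand-in for in~ $file_extensions_common_archives
        and any(sha in bad_hashes for _, sha in explode_zip(att.content))
        for att in attachments
    )

def sender_condition(p: SenderProfile) -> bool:
    """The rule's profile.by_sender() clauses, kept in the same shape as the MQL."""
    unsolicited_or_bad_history = not p.solicited or (p.any_messages_malicious_or_spam and not p.any_false_positives)
    return unsolicited_or_bad_history and not p.any_false_positives

def rule_matches(inbound: bool, attachments, profile: SenderProfile, bad_hashes: set) -> bool:
    return inbound and archive_hash_hit(attachments, bad_hashes) and sender_condition(profile)

def build_zip(member: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

SAMPLE_PAYLOAD = b"constructed sample payload, not real malware"  # constructed, harmless bytes
SAMPLE_FEED = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}  # stands in for the trusted-reporter feed
```

Note that the trailing `and not profile.by_sender().any_false_positives` makes the inner false-positive check redundant; the model keeps both so it mirrors the rule as written.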