[clamav-users] Determine if ClamAV is looking for a specific piece of ransomware (Linux)

Mon, 04 Nov 2019 14:48:30 -0800 

Greetings.

I’m somewhat new to the ClamAV world, so my apologies up front.

I’m attempting to determine if a specific ransomware, Friedex.d, a variant of 
Iencrypt, is being scanned for with the current definitions.
I came across an article that basically said to dump the database and search 
for the name.  So I did,

                # mkdir signatures
                # cd signatures
                # sigtool –unpack=/var/lib/clamav/main.cvd
                # grep -i “ransom.win32.friedex.d” *
                # grep -i “efc3418eb170c6bf503140cff504eec8” *                  
               ## MD5 hash of the Ransomware
                # grep -i “be30850f25e01c84f218022199791911ce64b580” *          
 ## SHA1 hash

No results from any of those greps.  My immediate thought is that it’s not in 
the definition files.  But then I can’t find anywhere on the website to submit 
data for a known piece of ransomware that ClamAV does not appear to have 
defined.  Here’s the data that I have:

Threat Type
Targeted Ransomware
Virus Name
Ransom.Win32.FRIEDEX.D Variant of Iencrypt
Hash
MD5: efc3418eb170c6bf503140cff504eec8  SHA1: 
be30850f25e01c84f218022199791911ce64b580
IP Point of Origin
Empire C2: 185.92.74.215 Brute Force: 185.92.74.133
Other tools
Mimikatz PowerShell Empire PS-EXEC
Virus Details
SIZE: 135,168  FILE TYPE: EXE  MEMORY RESIDENT: Yes  ENCRYPTED: Yes

Perhaps I just am not looking correctly, or I’m not looking in the right place? 
 Or maybe I’m just going about this hunt in the wrong way!

Thank you in advance!

Scott
The information contained in this transmission may be confidential. Any 
disclosure, copying, or further distribution of confidential information is not 
permitted unless such privilege is explicitly granted in writing by Quantum. 
Quantum reserves the right to have electronic communications, including email 
and attachments, sent across its networks filtered through security software 
programs and retain such messages in order to comply with applicable data 
security and retention requirements. Quantum is not responsible for the proper 
and complete transmission of the substance of this communication or for any 
delay in its receipt.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Reply via email to