
Vbs.Trojan.AsyncRAT-9889434-1
Hello

I am trying to understand why Splunk Cloud (which uses ClamAV) is giving a false positive result on an app I am developing, specifically “Vbs.Trojan.AsyncRAT-9889434-1”.

I’ve used sigtool --find="Vbs.Trojan.AsyncRAT-9889434-1" to see its signature, which I understand comprises some subsignatures, but I’ve not been able to find out details of what triggers this detection.

By any chance is ClamAV using this YARA rule https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Asyncrat.yar ?

Thanks in advance for any answers or pointers.

Disclaimer

The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.

This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast, a leader in email security and cyber resilience. Mimecast integrates email defenses with brand protection, security awareness training, web security, compliance and other essential capabilities. Mimecast helps protect large and small organizations from malicious activity, human error and technology failure; and to lead the movement toward building a more resilient world. To find out more, visit our website.
Re: Vbs.Trojan.AsyncRAT-9889434-1
* Andrew Salway via clamav-users <clamav-users@lists.clamav.net>:

> I’ve used sigtool --find="Vbs.Trojan.AsyncRAT-9889434-1" to see its
> signature which I understand comprises some subsignatures, but I’ve
> not been able to find out details of what triggers this detection.

# sigtool --find="Vbs.Trojan.AsyncRAT-9889434-1" | sigtool --decode

VIRUS NAME: Vbs.Trojan.AsyncRAT-9889434-1
TDB: Engine:90-255,FileSize:0-2097152,Target:7

LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
urldecode

* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
msbuild.exe

* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.xml

So it must be 0 AND 1 AND 2.

0 is urldecode ANYWHERE
1 is msbuild.exe ANYWHERE
2 is .xml ANYWHERE

> By any chance is ClamAV using this yara rule https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Asyncrat.yar ?

Nope.

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
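Ralf's decode shows the whole rule as three plain substrings joined by AND, which is enough to reason about why an ordinary build or deployment script can trip it. What follows is an added example written for this thread, not ClamAV's code and not anything Ralf or Andrew posted: a toy evaluator that parses the decoded sigtool output quoted above, applies the TDB FileSize gate, and reports which subsignatures a sample file hits, so a false-positive report can name the exact subsignature. The normalize_text step (lowercase, collapse whitespace) is an assumed simplification of ClamAV's Target:7 normalized-text handling, the & over | precedence is an assumption, and both sample scripts are constructed.

```python
"""Toy evaluator for a decoded ClamAV logical signature.

Added example for this thread, not ClamAV's code: it parses the
`sigtool --decode` output quoted above and evaluates the logical expression
against sample content, reporting which subsignatures a given file trips.
The text normalization and operator precedence are stated assumptions, not
a reimplementation of ClamAV's matcher.
"""
import re

# Verbatim copy of the decoded signature shown in the thread.
DECODED_SIG = """\
VIRUS NAME: Vbs.Trojan.AsyncRAT-9889434-1
TDB: Engine:90-255,FileSize:0-2097152,Target:7

LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
urldecode

* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
msbuild.exe

* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.xml
"""

SUBSIG_RE = re.compile(
    r"\* SUBSIG ID (\d+)\n(?:\+->.*\n)*?\+-> DECODED SUBSIGNATURE:\n(.+)"
)


def parse_decoded(text):
    """Split sigtool --decode output into (name, tdb dict, expression, subsigs)."""
    name = re.search(r"^VIRUS NAME: (.+)$", text, re.M).group(1).strip()
    tdb_raw = re.search(r"^TDB: (.+)$", text, re.M).group(1)
    # TDB holds the target description: engine range, file size range, target type.
    tdb = dict(item.split(":", 1) for item in tdb_raw.split(","))
    expr = re.search(r"^LOGICAL EXPRESSION: (.+)$", text, re.M).group(1).strip()
    subsigs = {int(sid): pat.strip() for sid, pat in SUBSIG_RE.findall(text)}
    return name, tdb, expr, subsigs


def normalize_text(data):
    """Simplified stand-in for ClamAV's Target:7 (normalized ASCII text) step.

    Assumption: lowercase and collapse whitespace. The real normalizer differs
    in detail; this is only enough to show case-insensitive substring hits.
    """
    return re.sub(r"\s+", " ", data.decode("latin-1").lower())


def eval_expr(expr, hits):
    """Evaluate a logical expression made of subsig ids, &, | and parentheses.

    Assumption: & binds tighter than |, as in most languages. Count operators
    that real ClamAV expressions may use are rejected rather than guessed at.
    """
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported operator in %r (only &, | and parentheses handled)" % expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return value
        return bool(hits[int(tok)])

    def and_expr():
        value = atom()
        while peek() == "&":
            take()
            rhs = atom()  # always consume the operand, even when value is already False
            value = value and rhs
        return value

    def or_expr():
        value = and_expr()
        while peek() == "|":
            take()
            rhs = and_expr()
            value = value or rhs
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def match(sig_text, data):
    """Return a triage record: which subsigs hit and whether the whole rule fires."""
    name, tdb, expr, subsigs = parse_decoded(sig_text)
    lo, hi = (int(x) for x in tdb["FileSize"].split("-"))
    if not lo <= len(data) <= hi:
        # The TDB FileSize range gates the whole signature before any matching.
        return {"name": name, "detected": False, "hits": {}, "reason": "outside FileSize range"}
    haystack = normalize_text(data)
    hits = {sid: pat.lower() in haystack for sid, pat in subsigs.items()}
    return {"name": name, "detected": eval_expr(expr, hits), "hits": hits, "reason": ""}


# Constructed sample: a harmless build helper that happens to mention all three
# strings. This is the shape of the false positive the thread is about.
BENIGN_BUILD_SCRIPT = b"""\
' Constructed sample build helper (not a real project file)
Set shell = CreateObject("WScript.Shell")
project = "Deploy.xml"
log = UrlDecode(WScript.Arguments(0))
shell.Run "msbuild.exe " & project & " /p:LogFile=" & log
"""

# Constructed sample without the msbuild.exe string, so subsig 1 stays False.
BENIGN_WITHOUT_MSBUILD = b"""\
' Constructed sample
config = LoadXml("settings.xml")
value = UrlDecode(config.Value)
"""

if __name__ == "__main__":
    for label, sample in [("build helper", BENIGN_BUILD_SCRIPT),
                          ("script without msbuild.exe", BENIGN_WITHOUT_MSBUILD)]:
        rec = match(DECODED_SIG, sample)
        print("%s: detected=%s hits=%s" % (label, rec["detected"], rec["hits"]))
```

The hits map is the useful output for triage: it tells you which of the three substrings a file contains before you decide whether the match is a true or false positive, and because Target:7 is ClamAV's normalized ASCII text target type, case differences such as UrlDecode versus urldecode do not avoid a hit.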
Re: Vbs.Trojan.AsyncRAT-9889434-1
Many thanks Ralf for the speedy reply.

Is it then triggered if the three strings (urldecode, msbuild.exe, .xml) are all present anywhere in a normalised ASCII file?


Re: Vbs.Trojan.AsyncRAT-9889434-1
Hello Andrew,

Please ensure you're using the latest CVDs. Vbs.Trojan.AsyncRAT-9889434-2
was recently published to address some FPs encountered from revision 1 of
the signature.

On Wed, May 17, 2023 at 4:42 AM Andrew Salway via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hello
>
> I am trying to understand why Splunk Cloud (which uses ClamAV) is giving a
> false positive result on an app I am developing, specifically
> “Vbs.Trojan.AsyncRAT-9889434-1”.
>
> I’ve used sigtool --find="Vbs.Trojan.AsyncRAT-9889434-1" to see its
> signature which I understand comprises some subsignatures, but I’ve not
> been able to find out details of what triggers this detection.
>
> By any chance is ClamAV using this yara rule
> https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Asyncrat.yar ?
>
> Thanks in advance for any answers or pointers.


--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975