Greetings.
I’m somewhat new to the ClamAV world, so my apologies up front.
I’m attempting to determine if a specific ransomware, Friedex.d, a variant of Iencrypt, is being scanned for with the current definitions.
I came across an article that basically said to dump the database and search for the name. So I did,
# mkdir signatures
# cd signatures
# sigtool –unpack=/var/lib/clamav/main.cvd
# grep -i “ransom.win32.friedex.d” *
# grep -i “efc3418eb170c6bf503140cff504eec8” * ## MD5 hash of the Ransomware
# grep -i “be30850f25e01c84f218022199791911ce64b580” * ## SHA1 hash
No results from any of those greps. My immediate thought is that it’s not in the definition files. But then I can’t find anywhere on the website to submit data for a known piece of ransomware that ClamAV does not appear to have defined. Here’s the data that I have:
Threat Type
Targeted Ransomware
Virus Name
Ransom.Win32.FRIEDEX.D Variant of Iencrypt
Hash
MD5: efc3418eb170c6bf503140cff504eec8 SHA1: be30850f25e01c84f218022199791911ce64b580
IP Point of Origin
Empire C2: 185.92.74.215 Brute Force: 185.92.74.133
Other tools
Mimikatz PowerShell Empire PS-EXEC
Virus Details
SIZE: 135,168 FILE TYPE: EXE MEMORY RESIDENT: Yes ENCRYPTED: Yes
Perhaps I just am not looking correctly, or I’m not looking in the right place? Or maybe I’m just going about this hunt in the wrong way!
Thank you in advance!
Scott
The information contained in this transmission may be confidential. Any disclosure, copying, or further distribution of confidential information is not permitted unless such privilege is explicitly granted in writing by Quantum. Quantum reserves the right to have electronic communications, including email and attachments, sent across its networks filtered through security software programs and retain such messages in order to comply with applicable data security and retention requirements. Quantum is not responsible for the proper and complete transmission of the substance of this communication or for any delay in its receipt.
I’m somewhat new to the ClamAV world, so my apologies up front.
I’m attempting to determine if a specific ransomware, Friedex.d, a variant of Iencrypt, is being scanned for with the current definitions.
I came across an article that basically said to dump the database and search for the name. So I did,
# mkdir signatures
# cd signatures
# sigtool –unpack=/var/lib/clamav/main.cvd
# grep -i “ransom.win32.friedex.d” *
# grep -i “efc3418eb170c6bf503140cff504eec8” * ## MD5 hash of the Ransomware
# grep -i “be30850f25e01c84f218022199791911ce64b580” * ## SHA1 hash
No results from any of those greps. My immediate thought is that it’s not in the definition files. But then I can’t find anywhere on the website to submit data for a known piece of ransomware that ClamAV does not appear to have defined. Here’s the data that I have:
Threat Type
Targeted Ransomware
Virus Name
Ransom.Win32.FRIEDEX.D Variant of Iencrypt
Hash
MD5: efc3418eb170c6bf503140cff504eec8 SHA1: be30850f25e01c84f218022199791911ce64b580
IP Point of Origin
Empire C2: 185.92.74.215 Brute Force: 185.92.74.133
Other tools
Mimikatz PowerShell Empire PS-EXEC
Virus Details
SIZE: 135,168 FILE TYPE: EXE MEMORY RESIDENT: Yes ENCRYPTED: Yes
Perhaps I just am not looking correctly, or I’m not looking in the right place? Or maybe I’m just going about this hunt in the wrong way!
Thank you in advance!
Scott
The information contained in this transmission may be confidential. Any disclosure, copying, or further distribution of confidential information is not permitted unless such privilege is explicitly granted in writing by Quantum. Quantum reserves the right to have electronic communications, including email and attachments, sent across its networks filtered through security software programs and retain such messages in order to comply with applicable data security and retention requirements. Quantum is not responsible for the proper and complete transmission of the substance of this communication or for any delay in its receipt.