ClamWin Free Antivirus
Support and Discussion Forums
New Signatures For Cobalt Strike Malware For Ukraine
GuitarBob
Below are HDB and MDB signatures for a Russian infostealer virus targeting Ukraine. The malware file is distributed via a .docx or .rtf office document file. The malware steals information that is in browsers--passwords, history, favorites, etc.

Copy mdb signatures to a new Notepad or similar text writer file and save it in the ClamWin database folder as a file named Sigfile.mdb, with a file type of “All Files”. Do not save the file as a text file. The file name should be Sigfile.mdb and nothing else. You can add signatures to an existing mdb file.

Copy hdb signatures to a new Notepad or similar text writer file and save it in the ClamWin database folder as a file named Sigfile.hdb, with a file type of “All Files”. Do not save the file as a text file. The file name should be Sigfile.hdb and nothing else. You can add signatures to an existing hdb file.

After you save a signature file (.hdb, .mdb or .yar) in the ClamWin database folder, scan a file with ClamWin to make sure it works. If you get a scan error, accept my apology, and delete the signature file from the database folder or delete only those signatures that you just posted to an existing mdb or hdb file and re-save it after first removing any blank lines in the signature file. Run a scan after you re-save a file to verify there are no errors.

After 4 weeks, the malware will probably be updated, so you can delete mdb and hdb signatures then. The date (USA) and time (24 hr) are the last two items in each mdb and hdb signature. Yara signatures can be kept permanently if they are not for a specific malware—keep specific malware files for two or three months.

Thanks to Ukraine CERT!

HDB Signatures
37c7b934661f31e526ffb31f7c935d5a:11095:Win.Trojan.CobaltStrike-062222.1228

MDB Signatures
2010112:8fda8c0748f59b1a2c79afa4aba19c2d:Win.Trojan.CobaltStrike-062222.1228

Regards,
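
Added example, not part of the post above or of ClamWin itself: a small Python check that can be run over the text of Sigfile.hdb or Sigfile.mdb before it is saved to the database folder. It reports blank lines and malformed entries, and lists signatures whose -MMDDYY.HHMM name suffix is more than four weeks old. The function name, the sample strings and the requirement that the size field be numeric (as in the signatures posted here) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

HEX_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
STAMP = re.compile(r"-(\d{6})\.(\d{4})$")  # -MMDDYY.HHMM suffix used in the post's names
MAX_AGE = timedelta(weeks=4)                # retention period given in the post

def lint_sigfile(text, kind, now):
    """kind: "hdb" (hash:size:name) or "mdb" (size:hash:name). Returns (problems, expired)."""
    problems, expired = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            problems.append((lineno, "blank line"))
            continue
        fields = line.split(":")
        if len(fields) != 3:
            problems.append((lineno, "expected 3 colon-separated fields"))
            continue
        if kind == "hdb":
            digest, size, name = fields
        else:
            size, digest, name = fields
        if not HEX_MD5.match(digest):
            problems.append((lineno, "hash is not 32 hex characters"))
        if not size.isdigit():  # assumption: numeric size, as in the posted signatures
            problems.append((lineno, "size is not a decimal number"))
        m = STAMP.search(name)
        if m:
            try:
                stamp = datetime.strptime(m.group(1) + " " + m.group(2), "%m%d%y %H%M")
            except ValueError:
                problems.append((lineno, "invalid date/time in name"))
                continue
            if now - stamp > MAX_AGE:
                expired.append(name)
    return problems, expired

# Sample input: the post's two signatures, plus a constructed blank line and a
# constructed entry with the hash and size fields in mdb order inside an hdb file.
HDB_SAMPLE = (
    "37c7b934661f31e526ffb31f7c935d5a:11095:Win.Trojan.CobaltStrike-062222.1228\n"
    "\n"
    "11095:37c7b934661f31e526ffb31f7c935d5a:Win.Trojan.CobaltStrike-062222.1228\n"
)
MDB_SAMPLE = "2010112:8fda8c0748f59b1a2c79afa4aba19c2d:Win.Trojan.CobaltStrike-062222.1228\n"
```

Pass the current time as `now`, for example `lint_sigfile(open("Sigfile.hdb").read(), "hdb", datetime.now())`.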