ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Russian Cobalt Strike Malware Sigs For Ukraine
GuitarBob


Joined: 09 Jul 2006
Posts: 4889
Location: USA
Reply with quote
Copy mdb signatures to a new Notepad or similar text writer file and save it in the ClamWin database folder as a file named Sigfile.mdb, with a file type of “All Files”. Do not save the file as a text file. The file name should be Sigfile.mdb and nothing else.

Copy hdb signatures to a new Notepad or similar text writer file and save it in the ClamWin database folder as a file named Sigfile.hdb, with a file type of “All Files”. Do not save the file as a text file. The file name should be Sigfile.hdb and nothing else.

For multiple signatures, put each signature on a separate line in a Notepad or similar file. Put mdb and hdb signatures in separate files. You can add multiple signatures to the top of an existing mdb or hdb signature file. Copy the signatures, add one blank line to the top of the file and paste the signatures there—any additional lines needed will be added. Do not add signatures to the bottom of existing hdb and mdb signature files or you will get a ClamWin scanning error. Delete any blank lines between signatures in a file before saving the file.

After you save a signature file (.hdb, .mdb or .yar) in the ClamWin database folder, scan a file with ClamWin to make sure it works. If you get a scan error, accept my apology, and delete the signature file from the database folder or delete only those signatures that you just posted to an existing mdb or hdb file and re-save it after first removing any blank lines in the signature file. For multiple signature files, run a scan after you save each file to help you locate a file that could cause a scan error.

After 4 weeks, the malware will probably be updated, so you can delete mdb and hdb signatures then. The date (USA) and time (24 hr) are the last two items in each mdb and hdb signature. Yara signatures can be kept permanently if they are not for a specific malware—keep those for two or three months.

Thanks to Bleeping Computer!

HDB Signatures
2f712cdae87cdb7ccc0f4046ffa3281d:2792851:Win.Trojan.Agent-092022.1234
4ae0b6be7f38e2eb84b881abf5110edc:2804339:Win.Trojan.Agent-092022.1237
da1787c54896a926b4893de19fd2554c:1584:Win.Trojan.LNK-092022.1255
c23f1af6d1724324f866fe68634396f9:1580:Win.Trojan.LNK-092022.1258


MDB Signatures
34304:54a0f7363fe528e5bbfc83524ff7f6a2:Win.Trojan.Agent-092022.1238
91136:1e9d5b2022f230e26722b1445595538e:Win.Trojan.Agent-092022.1240
572928:4e269cfb34ee7f9e92f14154f32aa49a:Win.Trojan.CobaltStrike-092022.1251
174592:909f6d9692ae1c68484bc3a48bf095c9:Win.Trojan.Agent-092022.1257

Regards,
View user's profileSend private message
Russian Cobalt Strike Malware Sigs For Ukraine
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic