GuitarBob
Joined: 09 Jul 2006
Posts: 4935
Location: USA
Posted: Wed Mar 30, 2022 7:34 pm
Below are some HDB signatures for the Cobalt Strike Russian wiper now targeting Ukrainian systems.
Copy the signature(s) to a new Notepad or similar text writer file, and save it in the ClamWin database folder as a file named Sigfile.hdb with a file type of “All Files”. Do not save it as a text file. The file name saved should be Sigfile.hdb and nothing else. The date and time are the last two items in the signature.
For multiple signatures, put each signature on a separate line in a Notepad file. You can add multiple signatures to the top of an existing HDB signature file (just add one blank line and paste there—any additional lines needed will be added). Adding signatures to the bottom of an existing signature file always gives me a ClamWin scanning error. Delete any blank lines between signatures in the signature file after pasting and before saving.
After you save the signature file in the ClamWin database folder, scan something with ClamWin to make sure the signature(s) work. If you get a scan error, delete the signature file from the database folder or delete only the signatures that you just posted to an existing HDB file and re-save it. Leave no blank lines in the saved sigfile.hdb file.
Delete signatures after they are 4 weeks old, as the viruses will probably be updated by then.
fbe79895053b29ec2cfe99cad3eb83d5:179507:RTF.CobaltStrike-033022.1407
29fe7a619970157adfcecfade1b204be:377863:RTF.CobaltStrike-033022.1412
341610a5a0cc430f99f9f9bd694b04a9:1563136:Doc.CobaltStrike-033022.1415
4d499b6d7b4106c52e650607cd9e25e7:43077:Script.CobaltStrike-033022.1417
Regards,
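
A check for a signature file maintained as described in the post above, as an added example that is not part of the original post and is not ClamWin or ClamAV code. It flags blank lines, lines that are not in `hash:size:name` form, and signatures older than 4 weeks. Reading the two trailing items of the name as MMDDYY and HHMM is an assumption, `check_hdb` is a hypothetical helper name, and the sample entries are constructed.

```python
import re
from datetime import datetime, timedelta

# hash:size:name, with the name ending in -MMDDYY.HHMM like the post's signatures
# (the MMDDYY / HHMM reading of the last two items is an assumption).
SIG_RE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(\S+-(\d{6})\.(\d{4}))$")
MAX_AGE = timedelta(weeks=4)  # retention period advised in the post


def check_hdb(text, now):
    """Return (kept_lines, problems) for the contents of an HDB file."""
    kept, problems = [], []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            problems.append((num, "blank line"))
            continue
        m = SIG_RE.match(line)
        if not m:
            problems.append((num, "not hash:size:name-MMDDYY.HHMM"))
            continue
        d, t = m.group(4), m.group(5)
        try:
            stamp = datetime(2000 + int(d[4:6]), int(d[0:2]), int(d[2:4]),
                             int(t[0:2]), int(t[2:4]))
        except ValueError:
            problems.append((num, "invalid date/time in name"))
            continue
        if now - stamp > MAX_AGE:
            problems.append((num, "older than 4 weeks"))
            continue
        kept.append(line)
    return kept, problems


# Constructed sample file: hashes, sizes and names are made up for illustration.
SAMPLE = (
    "00112233445566778899aabbccddeeff:1024:Doc.Example-033022.1407\n"
    "\n"
    "ffeeddccbbaa99887766554433221100:2048:Script.Example-020122.0900\n"
    "00112233445566778899aabbccddeeff:abc:Doc.Example-033022.1410\n"
    "0123456789abcdef0123456789abcdef:77:RTF.Example-133022.1407\n"
)

if __name__ == "__main__":
    kept, problems = check_hdb(SAMPLE, now=datetime(2022, 4, 5, 12, 0))
    print("\n".join(kept))
    for num, why in problems:
        print(f"line {num}: {why}")
```

Writing the kept lines back out, joined with newlines, gives a file with no blank lines and no expired entries.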