Below are HDB and MDB signatures for a Russian infostealer virus targeting Ukraine. The malware file is distributed via a .docx or .rtf office document file. The malware steals information that is in browsers--passwords, history, favorites, etc.

Copy mdb signatures to a new Notepad or similar text writer file and save it in the ClamWin database folder as a file named Sigfile.mdb, with a file type of “All Files”. Do not save the file as a text file. The file name should be Sigfile.mdb and nothing else. You can add signatures to an existing mdb file.

Copy hdb signatures to a new Notepad or similar text writer file and save it in the ClamWin database folder as a file named Sigfile.hdb, with a file type of “All Files”. Do not save the file as a text file. The file name should be Sigfile.hdb and nothing else. You can add signatures to an existing hdb file.

After you save a signature file (.hdb, .mdb or .yar) in the ClamWin database folder, scan a file with ClamWin to make sure it works. If you get a scan error, accept my apology, and delete the signature file from the database folder or delete only those signatures that you just posted to an existing mdb or hdb file and re-save it after first removing any blank lines in the signature file. Run a scan after you re-save a file to verify there are no errors.

After 4 weeks, the malware will probably be updated, so you can delete mdb and hdb signatures then. The date (USA) and time (24 hr) are the last two items in each mdb and hdb signature. Yara signatures can be kept permanently if they are not for a specific malware—keep specific malware files for two or three months.

Thanks to Ukraine CERT!

HDB Signatures
37c7b934661f31e526ffb31f7c935d5a:11095:Win.Trojan.CobaltStrike-062222.1228

MDB Signatures
2010112:8fda8c0748f59b1a2c79afa4aba19c2d:Win.Trojan.CobaltStrike-062222.1228

Regards,