ClamWin Free Antivirus Support and Discussion Forums
IOCs Signature Hash is missing in Clamwin Antivirus Engine
ITSKOL


Joined: 03 Mar 2022
Posts: 0
Location: Kolkata
Hello,

This is to bring to your kind attention that the IoC signature hash below is not detected by the ClamWin AV engine, which is needed to protect against the latest cyber threat. We would like to request that you check the hash and guide us on how to incorporate it into the antivirus engine installed on our systems so that they are better protected.

The hash is:
1. DB5A204A34969F60FE4A653F51D64EEE024DBF018EDEA334E8B3DF780EDA846F
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
This hash has not been seen by VirusTotal. If it has been, you can enter the hash, click Search, then Details, and use the information at the top of the Details page for the hash and file size.

I will give you more/detailed instructions later when I have time, but here is some quick help to prepare your own HDB signature, which may last for a month.

This is going to be a HDB signature, which is a signature for the entire file. You have the hash, so get the file size in KB. That is all you need to make an HDB sig. Below is an HDB hash signature. I like to use MD5 hashes, but I believe Clam AV can work with some other types. To be sure though, use MD5.


Hash:Size:FileType.VirusType.VirusName-Date.Time

Example: 0dc402a72f0a963d5ab34f2981ad75ef:148959:Office.Trojan.Squiblydoo-021022.1513

You know the hash and size. Use lowercase letters in the hash, not capitals.
File Type is usually Windows, Office or ELF (Linux). Use Windows for everything if you want; ClamWin is a Windows AV.
Virus Type is usually Trojan, but it could be RAT (remote access trojan), Backdoor, Infostealer or Banker if you know what it does. Trojan covers everything.
Name can be whatever you want. If VirusTotal knows the hash, I use names from a big AV (ESET, Bitdefender, Kaspersky, etc.). Pick one.
Next is the date; I use the American order, month day year.
Last is the time you prepare the signature, on a 24-hour clock. This will help to identify viruses: no two will have the same time.

Copy the signature(s) to a new Notepad or similar text writer file, and save the file in the ClamWin database folder as a file named Sigfile.hdb with a file type of “All Files”. Make sure the system does not name it with a .txt or .text extension on the end of the file name. ClamWin will give you an error upon scanning files so named.

After you save the signature file, scan a file somewhere with ClamWin to make sure the signature(s) work. Delete this signature file from the database folder if you get a scan error. You can add signatures to the top of an existing HDB signature file (just add one blank line and copy/paste the signatures there; any lines needed will be added if there is more than one signature line). Delete any blank lines between signatures. If you add to the bottom of an existing signature file, you will get a scanning error.

Delete signatures after they are a month old because they will usually be updated by then.

Good luck! Feel free to ask questions.

Regards,


Last edited by GuitarBob on Sat Mar 05, 2022 1:15 am; edited 1 time in total
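The following is an added example, written for this edit; it is not code from the post or from the ClamWin/ClamAV project. It builds an .hdb line in the naming convention GuitarBob describes (Platform.Type.Name-MMDDYY.HHMM), validates it against the field layout ClamAV documents for .hdb (HashString:FileSize:MalwareName, lowercase hex MD5, SHA1 or SHA256 told apart by length, and FileSize as a byte count, which is what the 148959 in the example above is), writes it to a file that ends in .hdb with LF line endings and no blank lines, and re-implements the match so you can see why a single changed byte in the sample defeats a whole-file hash. The sample payload, the name ExampleAgent and the time 03/05/22 01:15 are constructed for the example.

```python
"""Build, validate, write and test-match ClamAV .hdb (whole-file hash) signatures."""
import datetime
import hashlib
import re
import tempfile
from pathlib import Path

# One .hdb line: HashString:FileSize:MalwareName[:MinFL[:MaxFL]]
# The hash is lowercase hex; ClamAV tells MD5 / SHA1 / SHA256 apart by length.
# FileSize is the file length in bytes (newer engines also accept "*" for any size).
HDB_LINE = re.compile(
    r"^(?P<hash>[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})"
    r":(?P<size>\d+|\*)"
    r":(?P<name>[^:\s]+)"
    r"(?::\d+(?::\d+)?)?$"
)
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed values for the demo (not real malware, not a real signing time).
SAMPLE = b"constructed sample payload for the hdb example, not real malware\n" * 32
EXAMPLE_TIME = datetime.datetime(2022, 3, 5, 1, 15)


def malware_name(platform: str, category: str, name: str, when: datetime.datetime) -> str:
    """The post's convention: Platform.Type.Name-MMDDYY.HHMM (month-day-year, 24h clock)."""
    return f"{platform}.{category}.{name}-{when:%m%d%y.%H%M}"


def hdb_signature(data: bytes, name: str, algo: str = "md5") -> str:
    """Hash the whole file; hexdigest() is already lowercase, len(data) is bytes, not KB."""
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}"


def validate_hdb(line: str) -> bool:
    return HDB_LINE.match(line) is not None


def write_hdb(path, lines) -> Path:
    """Write one signature per line, LF-terminated, no blank lines, into a *.hdb file."""
    path = Path(path)
    if path.suffix.lower() != ".hdb":          # a .txt/.text name is not loaded as a database
        raise ValueError(f"database file must end in .hdb, got {path.name}")
    bad = [ln for ln in lines if not validate_hdb(ln)]
    if bad:
        raise ValueError(f"malformed signature line(s): {bad}")
    path.write_text("\n".join(lines) + "\n", encoding="ascii")
    return path


def match_hdb(lines, data: bytes):
    """Names of the signatures that hit `data`: size gate first, then the hash."""
    digests = {}
    hits = []
    for line in lines:
        m = HDB_LINE.match(line)
        if not m:
            continue                          # the real engine rejects the whole file instead
        if m["size"] != "*" and int(m["size"]) != len(data):
            continue
        algo = ALGO_BY_LEN[len(m["hash"])]
        digests.setdefault(algo, hashlib.new(algo, data).hexdigest())
        if digests[algo] == m["hash"]:
            hits.append(m["name"])
    return hits


if __name__ == "__main__":
    name = malware_name("Win", "Trojan", "ExampleAgent", EXAMPLE_TIME)
    sig = hdb_signature(SAMPLE, name)
    print(sig)
    with tempfile.TemporaryDirectory() as d:
        db = write_hdb(Path(d) / "Sigfile.hdb", [sig])
        lines = db.read_text().splitlines()
        print("original matches:", match_hdb(lines, SAMPLE))
        print("one byte flipped:", match_hdb(lines, SAMPLE[:-1] + b"!"))
```

The size field acts as a cheap pre-filter before any hashing, which is why it has to be exact: a signature whose size is off by even one byte never matches, whatever the hash says. The one-byte-flip check at the end is the reason whole-file hashes age quickly, as the post notes, and why a section hash (next post) can outlive them.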
GuitarBob


Most Windows files are PE files. MDB signatures are for a section of a Windows PE file. You need VirusTotal information or a file analysis tool in order to prepare an MDB signature. The advantage of an MDB signature is that it is for a section of a Windows PE file, and the section may be reused in other malware. I have always used the free FileAlyzer tool, an old but good free analyzer from Safer Networking Ltd. You can learn it from the documentation that comes with it. Another good PE analysis tool is the free PEview, maintained by Wayne, but it may not work on 64-bit files, only 32-bit ones.

The easiest way to analyze PE files, however, is to use VirusTotal. Upload the malware file or file hash to VirusTotal, using File or Search. If VirusTotal has seen the file or hash, it will tell you what many AVs name the virus in the file. Select Details to see what VirusTotal knows about the file. Go down to the PE part to see the sections in the file, the size of each section and the section hash. If you pick the .text section of a PE file, you can't go wrong, but I usually pick the section that has the most entropy (malware has lots of entropy; maximum entropy is 8.0). Entropy is a measurement of file randomness. Good files are not random, but malware has lots of randomness. Use the section hash and raw file size of the section you are going to sig. The PE section hash and the raw file size in KB are all you need to make an MDB sig.

Below is an MDB hash signature. I like to use MD5 hashes, but I believe Clam AV can work with some other types. To be sure though, use MD5.

FileSize:Hash:FileType.VirusType.VirusName-Date.Time

Example: 7680:46e556bc4991ca2f8feba41dc4a95df2:Win.Backdoor.Antlion-030322.1509

Use lowercase letters in the hash, not capitals.
File Type is usually Windows, Office or ELF (Linux). Use Windows for everything if you want; ClamWin is a Windows AV.
Virus Type is usually Trojan, but it could be RAT (remote access trojan), Backdoor, Infostealer or Banker if you know what it does. Trojan covers everything.
Name can be whatever you want. If VirusTotal knows the hash, I use names from a big AV (ESET, Bitdefender, Kaspersky, etc.). Pick one.
Next is the date; I use the American order, month day year.
Last is the time you prepare the signature, on a 24-hour clock. This will help to identify viruses: no two will be signatured at the same time.

Copy the signature(s) to a new Notepad or similar text writer file, and save the file in the ClamWin database folder as a file named Sigfile.mdb with a file type of “All Files”. Make sure the system does not name it with a .txt or .text extension on the end of the file name. ClamWin will give you an error upon scanning files so named.

After you save the signature file, scan a file somewhere with ClamWin to make sure the signature(s) work. Delete this signature file from the database folder if you get a scan error. You can add signatures to the top of an existing MDB signature file (just add one blank line and copy/paste the signatures there; any lines needed will be added if there is more than one signature line). Delete any blank lines between signatures. If you add to the bottom of an existing signature file, you will get a scanning error.

Delete signatures after they are a month old, but MDB sigs may last longer, maybe 2 months.

Good luck! Feel free to ask questions.

Regards,


Last edited by GuitarBob on Sat Mar 05, 2022 1:14 am; edited 1 time in total
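Added example, not code from the post or from the ClamWin/ClamAV project: a minimal PE section-table walker that does by hand what the VirusTotal PE view shows, hashing the SizeOfRawData bytes at PointerToRawData of each section (the bytes the engine's section matcher hashes; that a section running past the end of the file is clamped rather than rejected is an assumption about the engine), computing Shannon entropy per section, picking the highest-entropy one as the post suggests, and emitting the .mdb line in ClamAV's PESectionSize:PESectionHash:MalwareName layout with the size as a byte count. The two-section PE32 stub (a repetitive .text and a UPX1 filled from a SHA-256 chain) is constructed for the example and is not a real program.

```python
"""Walk a PE section table and emit ClamAV .mdb (PE section hash) signatures."""
import hashlib
import math
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    raw_size: int    # bytes actually hashed (SizeOfRawData, clamped to the file end)
    md5: str         # lowercase hex, the same value VirusTotal lists per section
    entropy: float   # Shannon entropy in bits per byte; 8.0 is the maximum


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Yield one Section per table entry that has bytes on disk. Assumption: like the
    engine, a raw range that runs past the end of the file is clamped, not rejected."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (nsec,) = struct.unpack_from("<H", pe, e_lfanew + 6)       # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                            # section table follows
    for i in range(nsec):
        off = table + 40 * i                                    # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        if not raw:                     # nothing on disk (e.g. .bss): nothing to hash
            continue
        yield Section(name, len(raw), hashlib.md5(raw).hexdigest(), shannon_entropy(raw))


def pick_section(sections):
    """The post's rule of thumb: the highest-entropy section is the most distinctive."""
    return max(sections, key=lambda s: s.entropy)


def mdb_signature(section: Section, malware_name: str) -> str:
    """ClamAV .mdb line: PESectionSize:PESectionHash:MalwareName (size in bytes)."""
    return f"{section.raw_size}:{section.md5}:{malware_name}"


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 stub for the demo; it is not a real program."""
    text = b"\x55\x8b\xec\x90" * 128                 # 512 bytes, four symbols -> 2.0 bits/byte
    packed, seed = b"", b"constructed-sample"
    while len(packed) < 1024:                        # SHA-256 chain: deterministic, near 8 bits/byte
        seed = hashlib.sha256(seed).digest()
        packed += seed
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                 # PE32 optional header, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)

    def hdr(name, vaddr, raw, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, flags)

    headers = (dos + b"PE\0\0" + coff + opt
               + hdr(b".text", 0x1000, text, 512, 0x60000020)
               + hdr(b"UPX1", 0x2000, packed, 1024, 0xE0000040))
    return headers.ljust(512, b"\0") + text + packed


if __name__ == "__main__":
    sections = list(pe_sections(build_sample_pe()))
    for s in sections:
        print(f"{s.name:8} size={s.raw_size:5} entropy={s.entropy:.2f} md5={s.md5}")
    print(mdb_signature(pick_section(sections), "Win.Trojan.ExampleAgent-030522.0115"))
```

Run it against a real sample and compare the per-section MD5 and raw size with what VirusTotal lists; they should agree byte for byte, which is the check to make before trusting a hand-written .mdb line. A packed section such as the UPX1 here scores near 8.0 while plain code sits well below, so "most entropy" usually selects the packer payload; that is the part most likely to be shared across builds of the same family, which is what makes the section hash outlast the whole-file one.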
Further Sigmaking
GuitarBob


There is another type of signature I use--not very often, but it is probably the best/longest lasting sig. It takes some work with an analysis tool, however, and HDB/MDB sigs are faster. Let me know if you are interested in it.

Regards, and Good Luck!