[clamav-users] Vbs.Trojan.AsyncRAT-9889434-1

Ralf Hildebrandt Ralf.Hildebrandt at charite.de
Wed May 17 08:50:25 UTC 2023


* Andrew Salway via clamav-users <clamav-users at lists.clamav.net>:

> I’ve used “sigtool --find="Vbs.Trojan.AsyncRAT-9889434-1"” to see its
> signature which I understand comprises some subsignatures, but I’ve
> not been able to find out details of what triggers this detection.

# sigtool --find="Vbs.Trojan.AsyncRAT-9889434-1" | sigtool --decode

VIRUS NAME: Vbs.Trojan.AsyncRAT-9889434-1
TDB: Engine:90-255,FileSize:0-2097152,Target:7

LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
urldecode

 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
msbuild.exe

 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
.xml

So it must be 0 AND 1 AND 2.

0 is urldecode ANYWHERE
1 is msbuild.exe ANYWHERE
2 is .xml ANYWHERE

> By any chance is ClamAV using this yara rule https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Asyncrat.yar ?

Nope.

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt at charite.de
https://www.charite.de
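An added illustration, not from this thread or from ClamAV's own code, of how the logical expression in the decoded signature above combines its subsignatures: a small Python evaluator that applies the three decoded substrings at any offset and the 0&1&2 expression to a byte string. It assumes a plain substring search stands in for ClamAV's pattern matcher and does not model the TDB Target restriction or the count operators that ClamAV logical expressions also allow.

```python
import re

# Taken from the sigtool --decode output quoted above: the decoded
# subsignatures, the logical expression joining them, and the TDB size bound.
SIG_NAME = "Vbs.Trojan.AsyncRAT-9889434-1"
LOGICAL_EXPR = "0&1&2"
SUBSIGS = {0: b"urldecode", 1: b"msbuild.exe", 2: b".xml"}
MAX_FILESIZE = 2097152  # TDB FileSize:0-2097152


def _tokens(expr):
    return re.findall(r"\d+|[&|()]", expr)


def eval_logical(expr, hits):
    """Evaluate a logical expression built from subsig ids, '&', '|' and
    parentheses against the set of subsig ids that matched. Count forms
    such as '0>3' are not handled (assumption: not needed for this sig)."""
    toks = _tokens(expr)
    pos = 0

    def factor():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            val = or_expr()
            pos += 1  # consume ')'
            return val
        return int(tok) in hits

    def and_expr():
        nonlocal pos
        val = factor()
        while pos < len(toks) and toks[pos] == "&":
            pos += 1
            val = factor() and val  # always consume the operand
        return val

    def or_expr():
        nonlocal pos
        val = and_expr()
        while pos < len(toks) and toks[pos] == "|":
            pos += 1
            val = and_expr() or val
        return val

    return or_expr()


def scan(data):
    """Return (matched, hit ids). Every subsig is OFFSET: ANY, so a substring
    search over the whole buffer is the equivalent check here."""
    if len(data) > MAX_FILESIZE:
        return False, set()
    hits = {sid for sid, pat in SUBSIGS.items() if pat in data}
    return eval_logical(LOGICAL_EXPR, hits), hits
```

A file that contains only two of the three strings (for example a script that merely runs msbuild.exe on a .xml project) yields hits for subsigs 1 and 2 but no match, which is exactly what the 0&1&2 expression requires.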