Greetings.

I'm somewhat new to the ClamAV world, so my apologies up front.

I'm attempting to determine if a specific ransomware, Friedex.d, a variant of Iencrypt, is being scanned for with the current definitions.

I came across an article that basically said to dump the database and search for the name. So I did:

    # mkdir signatures
    # cd signatures
    # sigtool --unpack=/var/lib/clamav/main.cvd
    # grep -i "ransom.win32.friedex.d" *
    # grep -i "efc3418eb170c6bf503140cff504eec8" *            ## MD5 hash of the ransomware
    # grep -i "be30850f25e01c84f218022199791911ce64b580" *    ## SHA1 hash

No results from any of those greps. My immediate thought is that it's not in the definition files. But then I can't find anywhere on the website to submit data for a known piece of ransomware that ClamAV does not appear to have defined. Here's the data that I have:

    Threat Type:        Targeted Ransomware
    Virus Name:         Ransom.Win32.FRIEDEX.D (variant of Iencrypt)
    Hash:               MD5: efc3418eb170c6bf503140cff504eec8
                        SHA1: be30850f25e01c84f218022199791911ce64b580
    IP Point of Origin: Empire C2: 185.92.74.215
                        Brute Force: 185.92.74.133
    Other tools:        Mimikatz, PowerShell Empire, PsExec
    Virus Details:      SIZE: 135,168  FILE TYPE: EXE  MEMORY RESIDENT: Yes  ENCRYPTED: Yes

Perhaps I am just not looking correctly, or I'm not looking in the right place? Or maybe I'm just going about this hunt in the wrong way!

Thank you in advance!

Scott

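The search described in the post, as an added example that is not part of the original message and not ClamAV's own tooling. It is a POSIX shell script that (a) unpacks every .cvd/.cld in a database directory rather than only main.cvd (daily.cvd/daily.cld carries the most recent signatures), and (b) searches the unpacked text for a name substring or for a whole-file hash in the layout ClamAV uses for its hash databases (.hdb is MD5:FileSize:SigName, .hsb is SHA1-or-SHA256:FileSize:SigName). ClamAV names signatures in its own scheme (Platform.Category.Name-ID-Revision, e.g. Win.Ransomware.Something-123-4), not in a third-party vendor's naming, so a vendor name such as Ransom.Win32.FRIEDEX.D will not appear verbatim even when the sample is covered; the hash lookup is the more reliable check. The demo database written by write_demo_db is constructed for the example (placeholder names and the hashes of the string "hello"), not real ClamAV records; the sample.bin and other.bin file names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post or from the ClamAV project.
# Needs only sh, grep, wc, md5sum and sha1sum; sigtool is required only
# by unpack_all, which is the one step that touches real databases.
#
# ClamAV record layouts relied on here:
#   .hdb  MD5:FileSize:SigName                 (whole-file MD5)
#   .hsb  SHA1orSHA256:FileSize:SigName        (whole-file SHA1/SHA256)
#   .ndb  SigName:TargetType:Offset:HexPattern (body pattern)

# unpack_all DBDIR OUTDIR: unpack every .cvd and .cld (daily.cld is the
# freshclam-updated daily database) into OUTDIR. Real step; needs sigtool.
unpack_all() {
    dbdir=$1 outdir=$2
    mkdir -p "$outdir"
    for f in "$dbdir"/*.cvd "$dbdir"/*.cld; do
        [ -f "$f" ] || continue
        ( cd "$outdir" && sigtool --unpack="$f" )
    done
}

# write_demo_db DIR: constructed placeholder records (NOT real ClamAV
# signatures) so the search functions can be exercised offline.
# The hashes are md5("hello") and sha1("hello"); size 5.
write_demo_db() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' '5d41402abc4b2a76b9719d911017c592:5:Win.Ransomware.DemoA-1-0' \
        > "$dir/demo.hdb"
    printf '%s\n' 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d:5:Win.Ransomware.DemoB-2-0' \
        > "$dir/demo.hsb"
    printf '%s\n' 'Win.Trojan.DemoC-3-0:1:*:4d5a90000300' \
        > "$dir/demo.ndb"
}

# search_sigs NEEDLE DIR: case-insensitive, fixed-string search over every
# unpacked file (name fragments or raw hashes). Prints matching records;
# exit 0 on a hit, non-zero when nothing matches.
search_sigs() {
    needle=$1 dir=$2
    grep -i -F -r -- "$needle" "$dir"
}

# hash_lookup FILE DIR: hash FILE the way the hash databases key it
# (hash:size:) and look for that exact prefix in the .hdb/.hsb records.
# Exit 0 if a whole-file hash signature covers FILE, non-zero otherwise.
hash_lookup() {
    file=$1 dir=$2
    size=$(wc -c < "$file" | tr -d ' ')
    md5=$(md5sum "$file" | cut -d' ' -f1)
    sha1=$(sha1sum "$file" | cut -d' ' -f1)
    grep -i -h -E -- "^($md5|$sha1):$size:" "$dir"/*.hdb "$dir"/*.hsb 2>/dev/null
}
```

Against a real install the sequence is unpack_all /var/lib/clamav /tmp/sigs, then hash_lookup /path/to/sample.exe /tmp/sigs; a hit in a .hdb or .hsb record means the exact file is detected, while a miss only rules out a whole-file hash signature, since pattern (.ndb/.ldb) and bytecode signatures can still match the sample and the only definitive check is to run clamscan on it.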