[Community-sigs] Satan Ransomware RaaS downloader
Christopher Marczewski
cmarczewski at sourcefire.com
Mon Apr 3 16:12:55 EDT 2017
Hello Askar,
Thank you for your submission. We're currently reviewing these signatures &
will be sure to keep you posted.
On Sat, Apr 1, 2017 at 4:41 PM, Askar Dyussekeyev <dyussekeyev at yandex.kz>
wrote:
> Hello!
>
> There is a simple logical signature for the Satan Ransomware RaaS downloader
> (classified on the RaaS website as a "dropper"), that looks for specific
> strings (in HTML and TEXT formats):
>
> Win.Downloader.Satan.HTML;Engine:51-255,Target:3;0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;77696E646F777374796C65;68696464656E;636F6D6D616E64;6E65772D6F626A656374;73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;7772697465616C6C6279746573;7368656C6C65786563757465
>
> Win.Downloader.Satan.TXT;Engine:51-255,Target:7;0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;77696E646F777374796C65;68696464656E;636F6D6D616E64;6E65772D6F626A656374;73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;7772697465616C6C6279746573;7368656C6C65786563757465
>
> Best regards,
> Askar
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
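
To show what the submitted signature keys on, the following added example (not part of either message and not ClamAV code) parses the Target:7 line, decodes its hex subsignatures to text, and evaluates the logical expression, including the `(6>1)` count condition, against constructed keyword-only inputs. Assumptions: plain hex subsignatures with no wildcards, lowercasing as a stand-in for ClamAV's text normalization, left-to-right evaluation of `&` and `|`; all function names are illustrative.

```python
import re
# The Target:7 signature from the quoted message, rejoined into one line.
SIG = ("Win.Downloader.Satan.TXT;Engine:51-255,Target:7;"
       "0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;"
       "706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;"
       "77696E646F777374796C65;68696464656E;636F6D6D616E64;"
       "6E65772D6F626A656374;73797374656D2E6E65742E776562636C69656E74;"
       "646F776E6C6F616464617461;636F756E74;6C656E677468;62786F72;"
       "73797374656D2E636F6E76657274;7772697465616C6C6279746573;"
       "7368656C6C65786563757465")
TOKEN = re.compile(r"\d+|[&|()<>=]")

def parse_ldb(line):
    """Split an .ldb line into name, target block, expression, decoded subsigs."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    target = dict(kv.split(":", 1) for kv in tdb.split(","))
    return name, target, expr, [bytes.fromhex(s) for s in subsigs]

def evaluate(expr, counts):
    """Evaluate &, |, parentheses and N>x / N<x / N=x over per-subsig counts."""
    toks, pos = TOKEN.findall(expr), 0
    def term():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok == "(":
            val = expression(); pos += 1          # step past ")"
            return val
        n = counts[int(tok)]
        if pos < len(toks) and toks[pos] in ("<", ">", "="):
            op, x = toks[pos], int(toks[pos + 1]); pos += 2
            return {"<": n < x, ">": n > x, "=": n == x}[op]
        return n > 0                              # bare index: at least one hit
    def expression():
        nonlocal pos
        val = term()
        while pos < len(toks) and toks[pos] in ("&", "|"):
            op = toks[pos]; pos += 1
            rhs = term()                          # always parse the right side
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    return expression()

def matches(line, data):
    """Count each subsig in lowercased data, then apply the expression."""
    _, _, expr, subs = parse_ldb(line)
    return evaluate(expr, [data.lower().count(s) for s in subs])

NAME, TARGET, EXPR, SUBSIGS = parse_ldb(SIG)
# Constructed inputs: just the decoded keywords, not a real sample.
ONE_NEW_OBJECT = b" ".join(SUBSIGS).upper()
TWO_NEW_OBJECT = ONE_NEW_OBJECT + b" New-Object"
```

Printing `SUBSIGS` lists the fifteen lowercase keywords the signature requires; `matches(SIG, ONE_NEW_OBJECT)` is false because subsignature 6 must occur more than once.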