[Community-sigs] SADStory ransomware

Christopher Marczewski cmarczewski at sourcefire.com
Mon Apr 10 11:28:09 EDT 2017


Askar,

We modified the signature to avoid the use of absolute offsets. With the
same pattern matches in the form of an LDB signature, hopefully we'll alert
on additional samples:

Win.Ransomware.SADStory;Engine:51-255,Target:1;0&1;6c7563696665722e666f6f6c4079616e6465782e636f6d;68747470733a2f2f7777772e6c696c7977686f2e69652f6a732f78617865702f

Pending a successful FP test, the signature will be published soon. Thanks
again for your contribution.

On Thu, Mar 30, 2017 at 10:19 AM, Christopher Marczewski <cmarczewski at sourcefire.com> wrote:

> Askar,
>
> Thank you again for another submission this week. This signature is
> currently under review.
>
> We'll be sure to keep you posted.
>
> On Thu, Mar 30, 2017 at 10:07 AM, Askar Dyussekeyev <dyussekeyev at yandex.kz> wrote:
>
>> Hello!
>>
>> Here is a signature for SADStory ransomware.
>>
>> Info:
>> - https://twitter.com/malwrhunterteam/status/845356853039190016
>>
>> Samples:
>> - https://virustotal.com/ru/file/5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c/analysis/
>> - https://www.hybrid-analysis.com/sample/5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c?environmentId=100
>>
>> The signature for the Python-based filecryptor (sha256:
>> 5ffcc8e0a35446289fd8c8f5dff03590bb7eac02b665b364bb87b2961797401c) looks
>> for a specific string:
>> Win.Filecryptor.SADStory:1:2453236:6C7563696665722E666F6F6C4079616E6465782E636F6D??????????????????????68747470733A2F2F7777772E6C696C7977686F2E69652F6A732F78617865702F
>>
>> Best regards,
>> Askar
>> _______________________________________________
>> Community-sigs mailing list
>> Community-sigs at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>
>> http://www.clamav.net/contact.html#ml
>>
>
>
>
> --
> Christopher Marczewski
> Research Engineer
> Talos Group
> cmarczewski at sourcefire.com
> Phone: 443.832.2975
>



-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
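The two signatures in this thread locate the same two byte patterns differently: the NDB line pins them to absolute offset 2453236 with `??` wildcards between them, while the LDB line (`0&1`) only requires both patterns to occur somewhere in the file. The Python below is an added example written for this archive page, not ClamAV's matcher and not code from either poster; it evaluates both forms over a constructed buffer and supports only the subset of the hex-signature and logic syntax these two lines use.

```python
import re

# Both signature lines are copied from the thread above.
NDB_LINE = ("Win.Filecryptor.SADStory:1:2453236:6C7563696665722E666F6F6C4"
            "079616E6465782E636F6D??????????????????????68747470733A2F2F7"
            "777772E6C696C7977686F2E69652F6A732F78617865702F")
LDB_LINE = ("Win.Ransomware.SADStory;Engine:51-255,Target:1;0&1;"
            "6c7563696665722e666f6f6c4079616e6465782e636f6d;"
            "68747470733a2f2f7777772e6c696c7977686f2e69652f6a732f78617865702f")

def hexsig_to_regex(hexsig):
    """Turn a ClamAV hex pattern into a compiled bytes regex: each '??'
    wildcard matches one arbitrary byte, every other pair is a literal
    byte. Other wildcard forms of the real format are not handled."""
    tokens = re.findall(r"\?\?|[0-9A-Fa-f]{2}", hexsig)
    parts = [b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)

def match_ndb(line, data):
    """NDB form: name:target:offset:hexsig. '*' means any offset; a number
    pins the pattern to that exact byte offset, which is why the original
    signature misses samples whose layout has shifted."""
    _name, _target, offset, hexsig = line.split(":")
    rx = hexsig_to_regex(hexsig)
    if offset == "*":
        return rx.search(data) is not None
    return rx.match(data, int(offset)) is not None

def match_ldb(line, data):
    """LDB form: name;tdb;logic;sub0;sub1;... A subsignature index is true
    when its pattern occurs anywhere in data; the logic is evaluated as a
    flat '|' of '&' terms (parentheses and counts are not supported)."""
    _name, _tdb, logic, *subs = line.split(";")
    hits = [hexsig_to_regex(s).search(data) is not None for s in subs]
    return any(all(hits[int(i)] for i in term.split("&"))
               for term in logic.split("|"))

def build_sample(gap, prefix_len):
    """Constructed stand-in for a sample (not a real file): filler, the
    first LDB pattern, `gap` filler bytes, then the second pattern."""
    mail, url = (bytes.fromhex(s) for s in LDB_LINE.split(";")[3:5])
    return b"\x00" * prefix_len + mail + b"\x00" * gap + url

if __name__ == "__main__":
    gap = NDB_LINE.split(":")[3].count("??")   # wildcard bytes in the NDB
    shifted = build_sample(gap, 64)            # same strings, other offset
    print("NDB at original offset:", match_ndb(NDB_LINE, build_sample(gap, 2453236)))
    print("NDB on shifted sample: ", match_ndb(NDB_LINE, shifted))
    print("LDB on shifted sample: ", match_ldb(LDB_LINE, shifted))
```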


