[Community-sigs] GX40 ransomware
Christopher Marczewski
cmarczewski at sourcefire.com
Mon Apr 17 10:45:40 EDT 2017
Hello Askar,
Thank you for your submission. We're reviewing the signature & will keep
you posted.
On Sun, Apr 16, 2017 at 9:41 AM, Askar Dyussekeyev <dyussekeyev at yandex.kz>
wrote:
> Info:
> - https://twitter.com/BleepinComputer/status/848702767246061568
>
> Samples:
> - https://www.virustotal.com/ru/file/2d7a92a8ad1271d0544148b7a37de0d2b2180750a6e7753a26f97b801c369fb4/analysis/1492349636/
> - https://www.virustotal.com/ru/file/b6cbd7f5f6d9946b27be877ab5bd8205f64a4155ef202694dc2ce9fb2981c18d/analysis/1492349652/
>
> Hello! There is a simple logical signature for GX40 ransomware that looks
> for specific strings:
>
> Win.Ransomware.GX40;Target:1;0&1&2&3&(4|(5>5)|6|7|8|9|10);63006D0064002E00650078006500;3F00670065006E0065007200610074006500;2E0078006C0073007800;2E0064006F0063007800;466174687572467265616B7A;57696E646F777355706461746572;687474703A2F2F67616E65646174612E636F2E756B;72616E736F6D77617265696E6340796F706D61696C2E636F6D;33427379527A3273647658635752617963506F697A454835684162446D5763704E45;696D706F7274616E742066696C65732068617665206265656E20656E63727970746564;42006900740063006F0069006E00
>
> Best regards,
> Askar
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
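
When reviewing a submitted logical signature, it helps to split it into its fields and decode each subsignature to see which strings it keys on. The following is an added example, not part of the original thread and not ClamAV code; `unwrap`, `decode` and `parse_ldb` are hypothetical helper names, and the decoder assumes plain-hex subsignatures (no wildcards, offsets or modifiers), as in this submission.

```python
import re

# The signature from the submission, in the wrapped, ">"-quoted form a mail
# archive delivers it (values copied from the page, not constructed).
QUOTED = """\
> Win.Ransomware.GX40;Target:1;0&1&2&3&(4|(5>5)|6|7|8|9|10);
> 63006D0064002E00650078006500;3F00670065006E0065007200610074
> 006500;2E0078006C0073007800;2E0064006F0063007800;466174687572467265616B7A;
> 57696E646F777355706461746572;687474703A2F2F67616E65646174612E636F2E756B;
> 72616E736F6D77617265696E6340796F706D61696C2E636F6D;
> 33427379527A3273647658635752617963506F697A454835684162446D5763704E45;
> 696D706F7274616E742066696C65732068617665206265656E20656E63727970746564;
> 42006900740063006F0069006E00
"""

def unwrap(quoted):
    """Strip '>' quote markers and rejoin wrapped lines into one signature."""
    return "".join(re.sub(r"^>\s?", "", ln).strip() for ln in quoted.splitlines())

def decode(hexsig):
    """Return (text, is_wide) for a plain-hex subsignature (no wildcards)."""
    raw = bytes.fromhex(hexsig)
    wide = len(raw) > 0 and len(raw) % 2 == 0 and not any(raw[1::2])
    return raw.decode("utf-16-le" if wide else "latin-1"), wide

def parse_ldb(line):
    """Split a logical signature and check the expression against its subsigs."""
    name, tdb, expr, *subsigs = line.split(";")
    # A digit run that follows = < > or , is a match count, not a subsig index.
    used = {int(m) for m in re.findall(r"(?<![=<>,\d])\d+", expr)}
    missing = sorted(i for i in used if i >= len(subsigs))
    if missing:
        raise ValueError(f"expression references missing subsigs {missing}")
    unused = sorted(set(range(len(subsigs))) - used)
    return {"name": name, "tdb": tdb, "expr": expr,
            "subsigs": subsigs, "unused": unused}

if __name__ == "__main__":
    sig = parse_ldb(unwrap(QUOTED))
    print(sig["name"], sig["tdb"], sig["expr"])
    for i, sub in enumerate(sig["subsigs"]):
        text, wide = decode(sub)
        print(f"{i:>2}  {'wide ' if wide else 'ascii'}  {text!r}")
```

In the expression, `5>5` requires subsignature 5 to match more than five times, and `Target:1` restricts the signature to PE files.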