[Community-sigs] PyCL Ransomware
Askar Dyussekeyev
dyussekeyev at yandex.kz
Wed Mar 29 16:33:08 EDT 2017
Good day!
There are a few signatures for actual ransomware.
Info:
- https://www.bleepingcomputer.com/news/security/pycl-ransomware-delivered-via-rig-ek-in-distribution-test/
Samples:
- https://www.virustotal.com/en/file/80d402f38ff9849ea5e9f8a126e00f423ca1b4f1121c8059aebed8336bfc6f30/analysis/
- https://www.virustotal.com/en/file/fc2f4904fa71ec4c1e3c73cbac03a57d701409634e3a8a23b05d15edca28d7de/analysis/
- https://www.virustotal.com/en/file/b01d1230f31200a5f195b7f44fcc552a71b9bfe131f7b8eccd2466eb66a952dc/analysis/
- https://www.virustotal.com/ru/file/379df8b4dccd7568204b91838fe6ec35ec5516388d39500b5afcaf6809207879/analysis/
1. Signature for filecryptor (sha256: fc2f4904fa71ec4c1e3c73cbac03a57d701409634e3a8a23b05d15edca28d7de) looks for a specific string:
Win.Filecryptor.PyCL:1:29942:5C486F775F446563727970745F4D795F46696C65735C696E6465782E68746D6C
2. Signature for ransomware's component (sha256: b01d1230f31200a5f195b7f44fcc552a71b9bfe131f7b8eccd2466eb66a952dc) looks for a specific string:
Win.Agent.PyCL:1:538913:596F757220506572736F6E616C2046696C65732041726520456E63727970746564
3. Signature for bat-script (sha256: 379df8b4dccd7568204b91838fe6ec35ec5516388d39500b5afcaf6809207879) looks for a specific piece of code:
Win.BAT.PyCL:7:84:6563686F20736C696E6B66696C65203D202225686F6D6564726976652525686F6D6570617468255C6465736B746F705C686F772064656372797074206D792066696C65732E6C6E6B22
Best regards,
Askar Dyussekeyev
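As an added example (not part of the original post and not ClamAV's own code), the Python below parses the three .ndb-style lines above (Name:TargetType:Offset:Hex), decodes each hex body to the string it looks for, and applies the signatures to a constructed buffer at the stated byte offset. The names SIGNATURES, parse_ndb, decode_patterns, scan and demo are my own; hex wildcards and ClamAV's target-type normalisation are not implemented.

```python
import binascii

# The three signatures from the post, verbatim (Name:TargetType:Offset:Hex).
# Target 1 = PE file, target 7 = ASCII text; a literal offset is an absolute
# byte position, '*' would mean "anywhere in the file".
SIGNATURES = """
Win.Filecryptor.PyCL:1:29942:5C486F775F446563727970745F4D795F46696C65735C696E6465782E68746D6C
Win.Agent.PyCL:1:538913:596F757220506572736F6E616C2046696C65732041726520456E63727970746564
Win.BAT.PyCL:7:84:6563686F20736C696E6B66696C65203D202225686F6D6564726976652525686F6D6570617468255C6465736B746F705C686F772064656372797074206D792066696C65732E6C6E6B22
"""


def parse_ndb(text):
    """Return a list of (name, target_type, offset, pattern_bytes).

    Only plain hex bodies are handled (no ??, * or {n} wildcards); the
    signatures above use none.
    """
    sigs = []
    for line in text.strip().splitlines():
        name, target, offset, hexstr = line.strip().split(":", 3)
        off = None if offset == "*" else int(offset)
        sigs.append((name, int(target), off, binascii.unhexlify(hexstr)))
    return sigs


def decode_patterns(text):
    """Map each signature name to the readable string its hex encodes."""
    return {name: pat.decode("latin-1") for name, _, _, pat in parse_ndb(text)}


def scan(data, sigs):
    """Return the names of signatures that hit on `data`.

    A fixed offset must match at exactly that position; '*' matches anywhere.
    Simplification: raw bytes are compared, so ClamAV's text normalisation
    for target type 7 is not reproduced here.
    """
    hits = []
    for name, _target, off, pattern in sigs:
        if off is None:
            found = pattern in data
        else:
            found = data[off:off + len(pattern)] == pattern
        if found:
            hits.append(name)
    return hits


def demo():
    """Constructed sample: a batch file padded so the BAT pattern sits at byte 84."""
    sigs = parse_ndb(SIGNATURES)
    bat_pattern = sigs[2][3]
    sample = b"@echo off\r\n".ljust(84, b" ") + bat_pattern + b"\r\n"
    return scan(sample, sigs)
```

Because the offsets are absolute, the same pattern placed at any other position in the file does not trigger the signature; that is the behaviour to check before reusing these as broader detections.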