[Community-sigs] PyCL Ransomware

Christopher Marczewski cmarczewski at sourcefire.com
Thu Mar 30 10:18:21 EDT 2017


Askar,

Thank you for your submissions. These signatures are currently under review.

We'll be sure to keep you posted.

On Wed, Mar 29, 2017 at 4:33 PM, Askar Dyussekeyev <dyussekeyev at yandex.kz> wrote:

> Good day!
>
> There are a few signatures for actual ransomware:
>
> Info:
> - https://www.bleepingcomputer.com/news/security/pycl-ransomware-delivered-via-rig-ek-in-distribution-test/
>
> Samples:
> - https://www.virustotal.com/en/file/80d402f38ff9849ea5e9f8a126e00f423ca1b4f1121c8059aebed8336bfc6f30/analysis/
> - https://www.virustotal.com/en/file/fc2f4904fa71ec4c1e3c73cbac03a57d701409634e3a8a23b05d15edca28d7de/analysis/
> - https://www.virustotal.com/en/file/b01d1230f31200a5f195b7f44fcc552a71b9bfe131f7b8eccd2466eb66a952dc/analysis/
> - https://www.virustotal.com/ru/file/379df8b4dccd7568204b91838fe6ec35ec5516388d39500b5afcaf6809207879/analysis/
>
> 1. Signature for filecryptor (sha256: fc2f4904fa71ec4c1e3c73cbac03a57d701409634e3a8a23b05d15edca28d7de) looks for a specific string:
> Win.Filecryptor.PyCL:1:29942:5C486F775F446563727970745F4D795F46696C65735C696E6465782E68746D6C
>
> 2. Signature for ransomware's component (sha256: b01d1230f31200a5f195b7f44fcc552a71b9bfe131f7b8eccd2466eb66a952dc) looks for a specific string:
> Win.Agent.PyCL:1:538913:596F757220506572736F6E616C2046696C65732041726520456E63727970746564
>
> 3. Signature for bat-script (sha256: 379df8b4dccd7568204b91838fe6ec35ec5516388d39500b5afcaf6809207879) looks for a specific piece of code:
> Win.BAT.PyCL:7:84:6563686F20736C696E6B66696C65203D202225686F6D6564726976652525686F6D6570617468255C6465736B746F705C686F772064656372797074206D792066696C65732E6C6E6B22
>
> Best regards,
> Askar Dyussekeyev
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>



-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
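To make the submitted .ndb lines concrete, here is an added Python example (not part of the thread and not ClamAV's own code) that parses the three signatures into their name, target type, offset and decoded hex body, then checks a constructed sample file at the stated offset. The sample .bat bytes are constructed for the demo; the matcher only handles plain hex bodies with a fixed or `*` offset and ignores ClamAV's wildcard syntax and target-type filtering.

```python
import binascii
from dataclasses import dataclass

# The three signatures from the post, in ClamAV .ndb line format
# (MalwareName:TargetType:Offset:HexSignature), joined as submitted.
NDB_LINES = [
    "Win.Filecryptor.PyCL:1:29942:5C486F775F446563727970745F4D795F46696C65735C696E6465782E68746D6C",
    "Win.Agent.PyCL:1:538913:596F757220506572736F6E616C2046696C65732041726520456E63727970746564",
    "Win.BAT.PyCL:7:84:6563686F20736C696E6B66696C65203D202225686F6D6564726976652525686F6D6570617468255C6465736B746F705C686F772064656372797074206D792066696C65732E6C6E6B22",
]

@dataclass
class NdbSignature:
    name: str
    target: int     # ClamAV target type (0 = any, 1 = PE, 7 = normalised ASCII text)
    offset: str     # "*" for anywhere in the file, or an absolute byte offset
    pattern: bytes  # decoded hex body

def parse_ndb(line: str) -> NdbSignature:
    """Split an .ndb line into its four colon-separated fields and decode the hex body."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    if any(c in hexsig for c in "?*{}()|["):
        raise ValueError("wildcard syntax is not supported by this minimal matcher")
    return NdbSignature(name, int(target), offset, binascii.unhexlify(hexsig))

def matches(sig: NdbSignature, data: bytes) -> bool:
    """Plain byte-string match that honours the offset field (anywhere vs. fixed)."""
    if sig.offset == "*":
        return sig.pattern in data
    off = int(sig.offset)
    return data[off:off + len(sig.pattern)] == sig.pattern

def scan(data: bytes, lines=NDB_LINES) -> list:
    """Return the names of every signature whose body matches `data`."""
    return [s.name for s in map(parse_ndb, lines) if matches(s, data)]

# Constructed sample: a fake .bat file with the echo line placed at offset 84,
# exactly where the submitted Win.BAT.PyCL signature expects it. The second
# sample contains the same bytes at a different offset and must not match,
# which is the trade-off of a fixed-offset signature: precise, but brittle.
BAT_LINE = parse_ndb(NDB_LINES[2]).pattern
SAMPLE_HIT = b"@echo off\r\n" + b" " * (84 - 11) + BAT_LINE + b"\r\n"
SAMPLE_MISS = b"@echo off\r\n" + BAT_LINE + b"\r\n"

if __name__ == "__main__":
    for s in map(parse_ndb, NDB_LINES):
        print(f"{s.name}: target={s.target} offset={s.offset} body={s.pattern!r}")
    print("hit:", scan(SAMPLE_HIT))    # ['Win.BAT.PyCL']
    print("miss:", scan(SAMPLE_MISS))  # []
```

Running it prints the decoded bodies (the ransom-note path, the "Your Personal Files Are Encrypted" banner and the `echo slinkfile = ...` line), which is a quick way to sanity-check a hex signature before submitting it.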
