Win.Malware.Agent-9914239-0 will be published shortly and covers both DLL samples.
On Thu, Nov 18, 2021 at 2:16 PM Christopher Marczewski <[email protected]> wrote:

> Hello Alessandro,
>
> Given the SHA256 hashes in those replies, we've confirmed it was the
> original e-mail and your subsequent reply that were submitted to us, not
> the DLL files themselves. I'll take a look at both binaries and reply back
> with the signature names.
>
> Hope this helps!
>
> On Thu, Nov 18, 2021 at 1:49 PM Alessandro Vesely via clamav-users
> <[email protected]> wrote:
>
>> Hi all,
>>
>> even though I filter incoming messages with ClamAV, last Monday I
>> received a mail with two suspicious attachments. They were PE32+
>> executable (DLL) (GUI) x86-64, for MS Windows. I uploaded the samples to
>> virustotal.com, who reported they were recognized as trojans. I saved
>> the viral message and uploaded it to
>> https://www.clamav.net/reports/malware. On Tuesday I received the
>> following message:
>>
>> -------- Forwarded Message --------
>> Subject: ClamAV.net - Your malware submission
>> Date: Tue, 16 Nov 2021 07:23:26 +0000 (UTC)
>> From: [email protected]
>> To: [email protected]
>>
>> Alessandro Vesely,
>>
>> Thank you again for your submission.
>>
>> Your File:
>> purchase-ORD (SHA256:
>> 2ac2bb49a9135954a298cbb3e52b3ecfcb1e5e2dc6d83fac7052d4c3833ac11a)
>>
>> Our initial assessment shows that this file is possibly clean. If you
>> provided a description that suggests otherwise, we will further examine the
>> sample & proceed from there.
>>
>> -The ClamAV team
>> -------- End Of Forwarded Message --------
>>
>> "If you provided" looked like a future unreal conditional to me. It is
>> certainly unreal, given the From:. Anyway, I replied something like the
>> following text:
>>
>> https://www.virustotal.com/gui/file/40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
>> 10 security vendors flagged this file as malicious
>> 40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
>> Notificaion-30714_20211115.xll
>>
>> https://www.virustotal.com/gui/file/8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
>> 11 security vendors flagged this file as malicious
>> 8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
>> Document-055293_20211115.xll
>>
>> However, on Wednesday it bounced, because ClamAV's mail server,
>> tad.clamav.net, is persistently down. I thought that was a temporary
>> hiccup and perhaps the ClamAV team wasn't even aware of it. So I saved the
>> bounce, which contained the whole original message, and uploaded it to the
>> same location, explaining that the attachment was a reply to their message,
>> not a sample. Guess what I received on Thursday?
>>
>> -------- Forwarded Message --------
>> Subject: ClamAV.net - Your malware submission
>> Date: Thu, 18 Nov 2021 08:52:21 +0000 (UTC)
>> From: [email protected]
>> To: [email protected]
>>
>> Alessandro Vesely,
>>
>> Thank you again for your submission.
>>
>> Your File:
>> reply-to-Clamav-Team (SHA256:
>> e9876ec9577e7c1b4a38236a6d18306e57e618a46d4bcfd1837cfd7e9238c281)
>>
>> Our initial assessment shows that this file is possibly clean. If you
>> provided a description that suggests otherwise, we will further examine the
>> sample & proceed from there.
>>
>> -The ClamAV team
>> -------- End Of Forwarded Message --------
>>
>> What's the purpose of such messages?
>>
>> Meanwhile, tad.clamav.net is still down.
>>
>> Best
>> Ale
>>
>> _______________________________________________
>> clamav-users mailing list
>> [email protected]
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>
> --
> Christopher Marczewski
> Research Engineer, Talos
> Cisco Systems
> 443-832-2975

--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
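The mix-up in this thread (the saved e-mail and then the bounce were submitted, so the portal hashed and assessed the message rather than the two .xll DLLs) is easy to make by hand. As an added example, not part of the thread and not ClamAV's or Talos's own tooling, the Python script below takes a saved .eml, pulls out each attachment, hashes the decoded bytes so the SHA256 can be compared against the VirusTotal entry and against the hash in ClamAV's auto-reply, and reads the PE header to confirm the attachment really is a PE32+ DLL for x86-64 as file(1) reported. The message and the fake PE32+ header it carries are constructed inline for the example; they are not the real samples, so the hashes will not match the ones quoted above.

```python
import email
import email.policy
import hashlib
import struct
from email.message import EmailMessage
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def describe_pe(data: bytes) -> Optional[str]:
    """Return a short file(1)-style description if `data` starts with a
    valid MZ/PE header, else None. Only the COFF header is parsed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte PE signature, the 20-byte COFF header and the
    # 2-byte optional-header magic that follows them.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE(unknown)")
    kind = "DLL" if characteristics & 0x2000 else "EXE"   # IMAGE_FILE_DLL
    arch = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}.get(machine, hex(machine))
    return f"{fmt} executable ({kind}) {arch}"


def extract_attachments(raw_eml: bytes) -> List[dict]:
    """Decode every attachment of an RFC 5322 message and hash the
    decoded bytes (what VirusTotal and the ClamAV portal hash), not the
    base64 text and not the whole message."""
    msg = email.message_from_bytes(raw_eml, policy=email.policy.default)
    out = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)   # base64/QP already undone
        out.append({
            "filename": part.get_filename(),
            "size": len(payload),
            "sha256": sha256_hex(payload),
            "pe": describe_pe(payload),
        })
    return out


def fake_pe32plus_dll() -> bytes:
    """Constructed stand-in for an .xll attachment: an MZ stub plus a
    PE32+ COFF header flagged as a DLL. Not runnable, not a real sample."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH",
                       0x8664,   # Machine: AMD64
                       1,        # NumberOfSections
                       0, 0, 0,  # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                       0xF0,     # SizeOfOptionalHeader
                       0x2022)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    opt_magic = struct.pack("<H", 0x20B)               # PE32+
    return bytes(dos) + b"PE\0\0" + coff + opt_magic + b"\x00" * 64


def build_sample_eml(attachment: bytes, filename: str) -> bytes:
    """Constructed message carrying `attachment` base64-encoded."""
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Purchase order"
    msg.set_content("Please review the attached document.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


SAMPLE_DLL = fake_pe32plus_dll()
SAMPLE_EML = build_sample_eml(SAMPLE_DLL, "Document-055293_20211115.xll")

if __name__ == "__main__":
    print("whole message:", sha256_hex(SAMPLE_EML))
    for a in extract_attachments(SAMPLE_EML):
        print(f"{a['filename']}: {a['size']} bytes sha256={a['sha256']} type={a['pe']}")
```

Before uploading, compare the hash of each extracted attachment with the one in the portal's auto-reply: if the reply's SHA256 equals the hash of the whole .eml rather than of an attachment, the wrong artifact was submitted and "possibly clean" says nothing about the DLLs. Hashing the decoded payload matters because the base64 text in the message body hashes to something else entirely.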
