Re: [clamav-users] Keymarble Yara rule?

2018-08-17 Thread Al Varnell
Yes, I'm fully aware of that. There have been exceptions made for certain individuals engaged in malware research, but I was turned down and told to use the ClamAV account, but they weren't willing to share unless I went through a tedious vetting process. -Al- On Fri, Aug 17, 2018 at 04:38

Re: [clamav-users] Keymarble Yara rule?

2018-08-17 Thread Alessandro Vesely
On Wed 15/Aug/2018 01:48:07 +0200 Al Varnell wrote:
> Sorry, I wasn't clear. I meant the malware sample, not your dummy.

To retrieve a sample from VirusTotal, one must work for a _company_ subscribed to their premium services...

Best
Ale

Re: [clamav-users] Keymarble Yara rule?

2018-08-14 Thread Al Varnell
Sorry, I wasn't clear. I meant the malware sample, not your dummy.

-Al-

On Tue, Aug 14, 2018 at 11:24 AM, Alessandro Vesely wrote:
> On Mon 13/Aug/2018 00:27:55 +0200 Al Varnell wrote:
>
>> I don't quite understand why you think it might not detect it.
>>
>> Text strings are not required to

Re: [clamav-users] Keymarble Yara rule?

2018-08-14 Thread Alessandro Vesely
On Mon 13/Aug/2018 00:27:55 +0200 Al Varnell wrote:
> I don't quite understand why you think it might not detect it.
>
> Text strings are not required to have an even number of digits. The hex
> equivalent to that string would be: {62 63 39 [...] 34 30}. As
> long as the string appears in a

Re: [clamav-users] Keymarble Yara rule?

2018-08-14 Thread Alessandro Vesely
On Sun 12/Aug/2018 14:04:06 +0200 Arnaud Jacques wrote:
>
>
> On 12/08/2018 at 13:59, Alessandro Vesely wrote:
>> On Sat 11/Aug/2018 19:43:34 +0200 G.W. Haywood wrote:
>>
>>> Hi there,
>>>
>>> On Sat, 11 Aug 2018, Alessandro Vesely wrote:
>>>
>>> Re: Keymarble Yara rule?
>>>   4d 5a

Re: [clamav-users] Keymarble Yara rule?

2018-08-12 Thread Al Varnell
I don't quite understand why you think it might not detect it. Text strings are not required to have an even number of digits. The hex equivalent to that string would be: {62 63 39 62 37 35 61 33 31 31 37 37 35 38 37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66 37 38 36 35 32 64 31 63 30 33

Re: [clamav-users] Keymarble Yara rule?

2018-08-12 Thread Arnaud Jacques
On 12/08/2018 at 13:59, Alessandro Vesely wrote:
On Sat 11/Aug/2018 19:43:34 +0200 G.W. Haywood wrote:
Hi there,
On Sat, 11 Aug 2018, Alessandro Vesely wrote:
Re: Keymarble Yara rule?
  4d 5a 74 68 69 73 20 69  73 20 61 20 64 75 6d 6d  |MZthis is a dumm|
0010  79 20 6b 65 79

Re: [clamav-users] Keymarble Yara rule?

2018-08-12 Thread Alessandro Vesely
On Sat 11/Aug/2018 19:43:34 +0200 G.W. Haywood wrote:
> Hi there,
>
> On Sat, 11 Aug 2018, Alessandro Vesely wrote:
>
> Re: Keymarble Yara rule?
>>   4d 5a 74 68 69 73 20 69  73 20 61 20 64 75 6d 6d  |MZthis is a dumm|
>> 0010  79 20 6b 65 79 6d 61 72  62 6c 65 20 66 69 6c 65

Re: [clamav-users] Keymarble Yara rule?

2018-08-12 Thread Alessandro Vesely
On Sat 11/Aug/2018 23:11:07 +0200 Al Varnell wrote:
> Here's the VirusTotal page on this file
>
> and it does show that ClamAV detects it as Win.Trojan.Agent-6641267-0
> which was just

Re: [clamav-users] Keymarble Yara rule?

2018-08-11 Thread Al Varnell
Here's the VirusTotal page on this file > and it does show that ClamAV

Re: [clamav-users] Keymarble Yara rule?

2018-08-11 Thread G.W. Haywood
Hi there,

On Sat, 11 Aug 2018, Alessandro Vesely wrote:

Re: Keymarble Yara rule?
  4d 5a 74 68 69 73 20 69  73 20 61 20 64 75 6d 6d  |MZthis is a dumm|
0010  79 20 6b 65 79 6d 61 72  62 6c 65 20 66 69 6c 65  |y keymarble file|
0020  20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61

Re: [clamav-users] Keymarble Yara rule?

2018-08-11 Thread Alessandro Vesely
Well, in this case ClamAV supports YARA enough to get:

~/tmp$ clamscan -d keymarble.yara keymarble-dummy
keymarble-dummy: YARA.rsa_modulus.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 1
Engine version: 0.100.0
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data

Re: [clamav-users] Keymarble Yara rule?

2018-08-10 Thread Al Varnell
I'm not sure how widely Yara is being used in current A-V scanning, but I would have to guess it's not fully implemented by many. I am aware that the current ClamAV scanner does not handle all the latest features and there are only UNOFFICIAL rules available, so the scanner on VirusTotal would

[clamav-users] Keymarble Yara rule?

2018-08-10 Thread Alessandro Vesely
Hi all,

has anybody seen this Malware Analysis Report (AR18-221A) MAR-10135536-17 – North Korean Trojan: KEYMARBLE https://www.us-cert.gov/ncas/analysis-reports/AR18-221A ?

I created a file "keymarble-dummy", whose hex dump looks like so:

  4d 5a 74 68 69 73 20 69  73 20 61 20 64 75 6d