Linux/FileCoder (Linux.Encoder)

Forum for analysis and discussion about malware.

Re: Linux/FileCoder (Linux.Encoder)

Post by Blaze » Tue Nov 24, 2015 3:54 pm

K_Mikhail wrote: Linux.Encoder.2: https://news.drweb.com/show/?i=9709&lng=en&c=14


Attached.
Follow me on Twitter: @bartblaze

Re: Linux/FileCoder (Linux.Encoder)

Post by Blaze » Thu Jan 07, 2016 2:19 pm

Two recent ones attached. Thanks @michalmalik.

Re: Linux/FileCoder (Linux.Encoder)

Post by K_Mikhail » Tue Apr 25, 2017 9:48 am

Linux/FileCoder (Linux.Encoder) hash-snapshot on 25th April 2017:

SHA1 (Dr.Web || Kaspersky || NOD32):

810806c3967e03f2fa2b9223d24ee0e3d42209d3 (Linux.Encoder.1 || Trojan-Ransom.FreeBSD.Cryptor.a || Linux/Filecoder.A);
5bd6b41aa29bd5ea1424a31dadd7c1cfb3e09616 (Linux.Encoder.1 || Trojan-Ransom.Linux.Cryptor.a || Linux/Filecoder.A);
12df5d886d43236582b57d036f84f078c15a14b0 (Linux.Encoder.1 || Trojan-Ransom.Linux.Cryptor.a || Linux/Filecoder.A);
98e057a4755e89fbfda043eaca1ab072674a3154 (Linux.Encoder.1 || Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.A);
a5054babc853ec280f70a06cb090e05259ca1aa7 (Linux.Encoder.1 || Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.A);

541966dd25ce48a8f54b270b9aed2fba3f021d29 (Linux.Encoder.2 || Trojan-Ransom.Linux.Cryptor.c || Linux/Filecoder.B);
b45f8f33ff54ece377fad73a8f89857c2bc114ac (Linux.Encoder.2 || Trojan-Ransom.Linux.Cryptor.c || Linux/Filecoder.B);
aebb9bf852d848e22e8a7bba4d64874c7953460d (Linux.Encoder.2 || HEUR:Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.B);
14ffe3ef5ccfbbc9a03ebd67d70b7cbf521db3f2 (Linux.Encoder.2 || HEUR:Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.B);
57cf90a1cea89e13c3fd625854dd6b81228796b9 (Linux.Encoder.2 || HEUR:Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.C);

f1b8da40feb1abeaa1b7f1322f48f9d96a018a00 (Linux.Encoder.3 || HEUR:Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.D);
989750746f58904c377ba7edc22c5dfad3e40855 (Linux.Encoder.3 || HEUR:Trojan-Ransom.Linux.Cryptor.b || a variant of Linux/Filecoder.D);
21e4dc8307109bdd3a31292c655bb4cb152520cd (Linux.Encoder.3 || HEUR:Trojan-Ransom.Linux.Cryptor.b || a variant of Linux/Filecoder.D);

2eaa2873974123044558b28a170cb5089772cda8 (Linux.Encoder.4 || Trojan-Ransom.Shell.Agent.b || Linux/Filecoder.E);
5c91ec8d58205338de89211f30d59d334773c5fd (Linux.Encoder.4 || HEUR:Trojan-Ransom.Shell.Agent.b || Linux/Filecoder.E);

1dbc546dc267c399f3f8c69172aff06ddb35f828 (Linux.Encoder.5 || HEUR:Trojan-Ransom.Linux.Cryptor.d || a variant of Linux/Filecoder.RaaS.A);

e460b9fffd9218db1191e07eca2197d83aec64cc (Linux.Encoder.6 || HEUR:Trojan-Ransom.Linux.Arttec.a || a variant of Linux/Filecoder.F);

a852b4c1f0b95f09bafeb3ab4f5d8f1f9cbc97d5 (Linux.Encoder.7 || HEUR:Trojan-Ransom.Linux.Cryptor.f || Linux/Filecoder.H).

If someone knows other hashes of *nix filecoders, you're welcome!

Re: Linux/FileCoder (Linux.Encoder)

Post by K_Mikhail » Sun May 14, 2017 1:47 pm

K_Mikhail wrote: Linux/FileCoder (Linux.Encoder) hash-snapshot on 25th April 2017:


be9d1a4dc0755a8cb16fd441c49e3231207600a6 ( - (probably, will be Linux.Encoder.8 in some future) || HEUR:Trojan-Ransom.Linux.Cryptor.g || Linux/Filecoder.J (due to response from ESET Malware Response Team))

Re: Linux/FileCoder (Linux.Encoder)

Post by tWiCe » Thu May 18, 2017 7:13 pm

K_Mikhail wrote: be9d1a4dc0755a8cb16fd441c49e3231207600a6 ( - (probably, will be Linux.Encoder.8 in some future) || HEUR:Trojan-Ransom.Linux.Cryptor.g || Linux/Filecoder.J (due to response from ESET Malware Response Team))


It's not a trojan. It's a task from CTF.

Re: Linux/FileCoder (Linux.Encoder)

Post by K_Mikhail » Fri May 19, 2017 12:25 pm

Yes, thanks! The same feedback I've got from Dr.Web's viruslab. Waiting for details from KL's viruslab at this moment.

Re: Linux/FileCoder (Linux.Encoder)

Post by K_Mikhail » Fri May 26, 2017 10:57 am

I've got feedback from KL viruslab: "This sample encrypts file(-s) in current folder with no alerts for user. So, we have no reasons to put the detection off."

Re: Linux/FileCoder (Linux.Encoder)

Post by K_Mikhail » Mon May 29, 2017 8:24 am

+0970517c94e7ce891b2808ec614cd075a2fe4ec8: [0/56]: https://virustotal.com/ru/file/cdf46ec2 ... 496045816/

Re: Linux/FileCoder (Linux.Encoder)

Post by K_Mikhail » Tue Jun 13, 2017 7:58 am

SHA1: d7b0255d7d98c33a30fe71543ec98d802c2a2dd7 FileCoder.O (NOD32) || Ransom:Linux/Erebus.A: https://www.virustotal.com/en/file/d889 ... /analysis/

UPD: SHA1: ffebffc89a0b417e56dea3fdce962ee54f7ce00f : https://www.virustotal.com/en/file/0b79 ... /analysis/
