 #27296  by Blaze
 Tue Nov 24, 2015 3:54 pm
K_Mikhail wrote:Linux.Encoder.2: https://news.drweb.com/show/?i=9709&lng=en&c=14

Attached.
 #30275  by K_Mikhail
 Tue Apr 25, 2017 9:48 am
Linux/FileCoder (Linux.Encoder) hash-snapshot on 25th April 2017:

SHA1 (Dr.Web || Kaspersky || NOD32):

810806c3967e03f2fa2b9223d24ee0e3d42209d3 (Linux.Encoder.1 || Trojan-Ransom.FreeBSD.Cryptor.a || Linux/Filecoder.A);
5bd6b41aa29bd5ea1424a31dadd7c1cfb3e09616 (Linux.Encoder.1 || Trojan-Ransom.Linux.Cryptor.a || Linux/Filecoder.A);
12df5d886d43236582b57d036f84f078c15a14b0 (Linux.Encoder.1 || Trojan-Ransom.Linux.Cryptor.a || Linux/Filecoder.A);
98e057a4755e89fbfda043eaca1ab072674a3154 (Linux.Encoder.1 || Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.A);
a5054babc853ec280f70a06cb090e05259ca1aa7 (Linux.Encoder.1 || Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.A);

541966dd25ce48a8f54b270b9aed2fba3f021d29 (Linux.Encoder.2 || Trojan-Ransom.Linux.Cryptor.c || Linux/Filecoder.B);
b45f8f33ff54ece377fad73a8f89857c2bc114ac (Linux.Encoder.2 || Trojan-Ransom.Linux.Cryptor.c || Linux/Filecoder.B);
aebb9bf852d848e22e8a7bba4d64874c7953460d (Linux.Encoder.2 || HEUR:Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.B);
14ffe3ef5ccfbbc9a03ebd67d70b7cbf521db3f2 (Linux.Encoder.2 || HEUR:Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.B);
57cf90a1cea89e13c3fd625854dd6b81228796b9 (Linux.Encoder.2 || HEUR:Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.C);

f1b8da40feb1abeaa1b7f1322f48f9d96a018a00 (Linux.Encoder.3 || HEUR:Trojan-Ransom.Linux.Cryptor.b || Linux/Filecoder.D);
989750746f58904c377ba7edc22c5dfad3e40855 (Linux.Encoder.3 || HEUR:Trojan-Ransom.Linux.Cryptor.b || a variant of Linux/Filecoder.D);
21e4dc8307109bdd3a31292c655bb4cb152520cd (Linux.Encoder.3 || HEUR:Trojan-Ransom.Linux.Cryptor.b || a variant of Linux/Filecoder.D);

2eaa2873974123044558b28a170cb5089772cda8 (Linux.Encoder.4 || Trojan-Ransom.Shell.Agent.b || Linux/Filecoder.E);
5c91ec8d58205338de89211f30d59d334773c5fd (Linux.Encoder.4 || HEUR:Trojan-Ransom.Shell.Agent.b || Linux/Filecoder.E);

1dbc546dc267c399f3f8c69172aff06ddb35f828 (Linux.Encoder.5 || HEUR:Trojan-Ransom.Linux.Cryptor.d || a variant of Linux/Filecoder.RaaS.A);

e460b9fffd9218db1191e07eca2197d83aec64cc (Linux.Encoder.6 || HEUR:Trojan-Ransom.Linux.Arttec.a || a variant of Linux/Filecoder.F);

a852b4c1f0b95f09bafeb3ab4f5d8f1f9cbc97d5 (Linux.Encoder.7 || HEUR:Trojan-Ransom.Linux.Cryptor.f || Linux/Filecoder.H).

If someone knows other hashes of *nix filecoders, you're welcome!
 #30341  by K_Mikhail
 Sun May 14, 2017 1:47 pm
K_Mikhail wrote:Linux/FileCoder (Linux.Encoder) hash-snapshot on 25th April 2017:

If someone knows other hashes of *nix filecoders, you're welcome!
be9d1a4dc0755a8cb16fd441c49e3231207600a6 ( - (probably, will be Linux.Encoder.8 in some future) || HEUR:Trojan-Ransom.Linux.Cryptor.g || Linux/Filecoder.J (due to response from ESET Malware Response Team))
 #30368  by tWiCe
 Thu May 18, 2017 7:13 pm
K_Mikhail wrote:be9d1a4dc0755a8cb16fd441c49e3231207600a6 ( - (probably, will be Linux.Encoder.8 in some future) || HEUR:Trojan-Ransom.Linux.Cryptor.g || Linux/Filecoder.J (due to response from ESET Malware Response Team))
It's not a trojan. It's a task from CTF.
 #30369  by K_Mikhail
 Fri May 19, 2017 12:25 pm
tWiCe wrote:
K_Mikhail wrote:be9d1a4dc0755a8cb16fd441c49e3231207600a6 ( - (probably, will be Linux.Encoder.8 in some future) || HEUR:Trojan-Ransom.Linux.Cryptor.g || Linux/Filecoder.J (due to response from ESET Malware Response Team))
It's not a trojan. It's a task from CTF.
Yes, thanks! The same feedback I've got from Dr.Web's viruslab. Waiting for details from KL's viruslab at this moment.
 #30378  by K_Mikhail
 Fri May 26, 2017 10:57 am
K_Mikhail wrote:
tWiCe wrote:
It's not a trojan. It's a task from CTF.
Yes, thanks! The same feedback I've got from Dr.Web's viruslab. Waiting for details from KL's viruslab at this moment.
I've got feedback from KL viruslab: "This sample encrypts file(-s) in current folder with no alerts for user. So, we have no reasons to put the detection off."