@idiom
Created July 30, 2024 12:54
Viewing ClamAV Signatures

Use sigtool --find-sigs (it takes a regular expression and searches the installed signature databases) to dump the rule data; each hit is prefixed with the database it was found in, here daily.ldb.

sigtool --find-sigs Win.Malware.Generic-10008460-0

[daily.ldb] Win.Malware.Generic-10008460-0;Engine:81-255,Target:1;0&1&2&3&4;5c47686f737442726f777365725c5573657220446174615c44656661756c745c4c6f67696e2044617461::w;5c46656e72697220496e635c536c6569706e6972355c73657474696e675c6d6f64756c65735c4368726f6d69756d5669657765725c44656661756c745c4c6f67696e2044617461::w;5c436f6d6f646f5c447261676f6e5c5573657220446174615c44656661756c745c4c6f67696e2044617461::w;4243727970742e424372797074536574416c676f726974686d50726f7065727479284243727970742e4243525950545f434841494e494e475f4d4f44452c204243727970742e4243525950545f434841494e5f4d4f44455f47434d29206661696c656420776974682073746174757320636f64653a7b307d::w;5c4272617665536f6674776172655c42726176652d42726f777365725c5573657220446174615c44656661756c745c4c6f67696e2044617461::w

To get a readable format, pipe the rule contents (without the [daily.ldb] prefix) to sigtool --decode, which reads the signature from stdin. In the decoded output, Target:1 means the rule applies to PE executables, Engine:81-255 is the functionality-level range the rule is valid for, the logical expression 0&1&2&3&4 requires all five subsignatures to match, and SIGMOD: WIDE (the ::w suffix on each hex string) means the string is matched in its UTF-16 form. Decoded, the strings are the saved-password database paths (Login Data) of several Chromium-based browsers plus a BCrypt GCM error message, i.e. the strings of code that reads those browsers' password stores.

echo 'Win.Malware.Generic-10008460-0;Engine:81-255,Target:1;0&1&2&3&4;5c47686f737442726f777365725c5573657220446174615c44656661756c745c4c6f67696e2044617461::w;5c46656e72697220496e635c536c6569706e6972355c73657474696e675c6d6f64756c65735c4368726f6d69756d5669657765725c44656661756c745c4c6f67696e2044617461::w;5c436f6d6f646f5c447261676f6e5c5573657220446174615c44656661756c745c4c6f67696e2044617461::w;4243727970742e424372797074536574416c676f726974686d50726f7065727479284243727970742e4243525950545f434841494e494e475f4d4f44452c204243727970742e4243525950545f434841494e5f4d4f44455f47434d29206661696c656420776974682073746174757320636f64653a7b307d::w;5c4272617665536f6674776172655c42726176652d42726f777365725c5573657220446174615c44656661756c745c4c6f67696e2044617461::w' | sigtool --decode

VIRUS NAME: Win.Malware.Generic-10008460-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
\GhostBrowser\User Data\Default\Login Data
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
\Comodo\Dragon\User Data\Default\Login Data
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
BCrypt.BCryptSetAlgorithmProperty(BCrypt.BCRYPT_CHAINING_MODE, BCrypt.BCRYPT_CHAIN_MODE_GCM) failed with status code:{0}
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
\BraveSoftware\Brave-Browser\User Data\Default\Login Data
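The decoded view above is worth being able to reproduce without sigtool, for example when triaging a rule pulled out of a database on a box that has no ClamAV installed. The following Python is an added example, not code from this gist or from ClamAV: it parses an .ldb line (Name;TargetDescriptionBlock;LogicalExpression;subsig;subsig;...), decodes each hex subsignature the way sigtool --decode does, shows the UTF-16LE bytes the engine actually scans for when the ::w (wide) modifier is set, and evaluates the logical expression against a chosen set of matched subsignature ids. Its assumptions: only hex subsignatures are handled (PCRE and byte-compare forms are rejected), the evaluator's precedence (& before |) and its support for id=N / id<N / id>N counts are this example's own reading of the format, PAGE_SIG is a shortened two-subsignature form of the rule above, and DEMO_SIG is a constructed rule that is not a real ClamAV signature.

```python
"""Decode ClamAV logical (.ldb) signature lines as sigtool --decode does, and
evaluate their logical expression. Added example, not ClamAV's own code."""
import re

MODIFIERS = {"i": "NOCASE", "w": "WIDE", "f": "FULLWORD", "a": "ASCII"}
# Hex-pattern tokens: ?? (any byte), * (gap), {n-m} ranges, (aa|bb) alternatives, hex pairs
HEX_TOKEN = re.compile(r"\?\?|\*|\{[^}]*\}|\([^)]*\)|[0-9a-fA-F]{2}")

def decode_hex_pattern(pattern):
    """Hex pairs become text (non-printables as \\xNN); wildcard tokens stay verbatim."""
    out, pos = [], 0
    for m in HEX_TOKEN.finditer(pattern):
        if m.start() != pos:
            raise ValueError(f"bad hex pattern near offset {pos}: {pattern!r}")
        tok = m.group()
        if len(tok) == 2 and tok != "??":
            b = int(tok, 16)
            tok = chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}"
        out.append(tok)
        pos = m.end()
    if pos != len(pattern):
        raise ValueError(f"trailing garbage in hex pattern: {pattern[pos:]!r}")
    return "".join(out)

def parse_subsig(sid, text):
    """One subsig: [offset:]hexpattern[::modifiers]. PCRE (/) and byte-compare (#) forms are rejected."""
    if "/" in text or "#" in text:
        raise ValueError(f"subsig {sid}: only hex subsignatures are handled here")
    body, _, mods = text.partition("::")
    offset, colon, hexpat = body.partition(":")
    if not colon:                       # no explicit offset: match anywhere in the file
        offset, hexpat = "*", body
    if set(mods) - set(MODIFIERS):
        raise ValueError(f"subsig {sid}: unknown modifier in {mods!r}")
    return {"id": sid, "offset": "ANY" if offset == "*" else offset,
            "mods": [MODIFIERS[c] for c in mods], "hex": hexpat,
            "decoded": decode_hex_pattern(hexpat)}

def parse_ldb_line(line):
    """Name;TargetDescriptionBlock;LogicalExpression;Sub0;Sub1;..."""
    name, tdb, expr, *subs = line.strip().split(";")
    if not subs:
        raise ValueError("a logical signature needs at least one subsignature")
    return {"name": name, "tdb": tdb, "expression": expr,
            "subsigs": [parse_subsig(i, s) for i, s in enumerate(subs)]}

def literal_match_bytes(sub):
    """Bytes the engine scans for (wildcard-free subsigs): WIDE means UTF-16LE, each byte then 0x00."""
    raw = bytes.fromhex(sub["hex"])     # raises on wildcard tokens, deliberately
    return raw.decode("latin-1").encode("utf-16-le") if "WIDE" in sub["mods"] else raw

def evaluate(expression, counts):
    """Evaluate against {subsig_id: match_count}: ids, &, |, parentheses and id=N / id<N / id>N.
    Precedence (& before |) is this example's assumption; parenthesize mixed forms."""
    toks = re.findall(r"\d+|[&|()=<>]", expression)
    if "".join(toks) != expression:
        raise ValueError(f"unsupported logical expression: {expression!r}")
    pos = 0
    def take(expected=None):
        nonlocal pos
        if pos >= len(toks) or (expected and toks[pos] != expected):
            raise ValueError(f"malformed expression at token {pos}: {expression!r}")
        pos += 1
        return toks[pos - 1]
    def atom():
        if toks[pos:pos + 1] == ["("]:
            take("("); v = or_expr(); take(")")
            return v
        n = counts.get(int(take()), 0)
        if toks[pos:pos + 1] in (["="], ["<"], [">"]):
            op, limit = take(), int(take())
            return {"=": n == limit, "<": n < limit, ">": n > limit}[op]
        return n > 0
    def and_expr():
        v = atom()
        while toks[pos:pos + 1] == ["&"]:
            take(); v = atom() and v    # evaluate both sides so syntax errors surface
        return v
    def or_expr():
        v = and_expr()
        while toks[pos:pos + 1] == ["|"]:
            take(); v = and_expr() or v
        return v
    result = or_expr()
    if pos != len(toks):
        raise ValueError(f"trailing tokens in expression: {expression!r}")
    return result

# Shortened form of the page's rule: two of its five ::w "Login Data" path subsignatures.
PAGE_SIG = ("Win.Malware.Generic-10008460-0;Engine:81-255,Target:1;0&1;"
            "5c436f6d6f646f5c447261676f6e5c5573657220446174615c44656661756c745c4c6f67696e2044617461::w;"
            "5c4272617665536f6674776172655c42726176652d42726f777365725c5573657220446174615c"
            "44656661756c745c4c6f67696e2044617461::w")
# Constructed rule (not a real ClamAV signature): EP offset, wildcards, NOCASE, wide+ascii
DEMO_SIG = "Test.Demo-1;Target:1;(0&1)|2>1;EP+0:4d5a??{2-4}e8*90::i;48454c4c4f::wa;50617373776f7264"
```

parse_ldb_line(PAGE_SIG) yields the same decoded strings as the sigtool output above, and literal_match_bytes on either of its subsignatures returns 86 bytes with a 0x00 after every character: with ::w alone the engine matches the UTF-16 form, so grepping a sample for the ASCII path does not tell you whether this rule fires. evaluate(sig["expression"], {0: 1}) returns False because 0&1 needs both subsignatures, which is the point of a logical signature over a plain hex one.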