Hello could you upload yara rules of Dino malware?
thanks indeed

Linux/Adware.Adstantinko.B

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

MD5: 762ae30efb7c40101ab33a297598f928
SHA1: e0969297f21ce3b3905ace756c427c9695cb9054

[1] https://www.virustotal.com/file/0a94e0487f01376524743196c112a50faacd4b6f8fea676d30741d09aa56595d/analysis/

Hi there,

Why is our software being flagged as malware?

Matches rule skip20_sqllang_hook
by Mathieu Tartare <[email protected]>
from ruleset skip20_sqllang_hook
at https://github.com/eset/malware-ioc

YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.

https://github.com/ConcealNetwork/conceal-desktop

Could you please assist?

Thank you

I know it might not be as popuar as before, but what happened to the MISP files added with the IOCs?
I was very happy to see you were using that format to share the IOC of the campaigns, but on the last few there are no files like that. Did you stop using MSIP?
Thanks

Hi Team,

Could you share a MISP ready file for your repo so users could just import the IOCs to their MISP?

Thanks!

looks like one of the lines under 'c2 domains' is:PolyglotDuke

I presume this is a mistaken inclusion?
(since it's not a domain)

https://github.com/eset/malware-ioc/tree/master/dukes#cc-domains

perl windigo_signatures.pl

Can't call method "f" on an undefined value at windigo_signatures.pl line 224.

This is perl 5, version 24, subversion 1 (v5.24.1) built for x86_64-linux-gnu-thread-multi
Linux wordpress-vm 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux

(this standart VM from template Word-Press-by-Bitnami from Google Cloud)

This work has rightly gone viral, and at least one person not understanding the "$/#" prompt convention has received a false "System infected" result: http://www.raspberrypi.org/phpBB3/viewtopic.php?p=522156#p522156

I hesitate to suggest a solution to this problem, because obviously none is perfect. But perhaps omitting the "$" on non-root commands would be safer than including it.

Any reason the https://github.com/eset/malware-ioc/tree/master/blacklotus do not have the three signed, legit yet vulnerable UEFI drivers?

hvloader.efi
bootmgr.efi
bootmgfw.efi

for AMD and Intel?

This link gives a 404 page. Is either a dead or misconfigured link.

Could you please fix it?

https://www.virustotal.com/gui/file/65aa9266c675e9e9ed55d4eb315a7a27804c24329c6ed7c908c504403317b12d/detection

I found one of the malware samples having an entry of https://gitlab.com/jhondeer123/test/raw/master/test.py .Please let me know if we can add this on the repo so that i could make a pull request.

If this are under bsd license I think it makes sense to include them in the alienvault otx, or ?