Among other things.

I apologize if this is the wrong venue to ask for help, but figured it's better 
than creating an issue on GitHub.

But, using Nextron's THOR Lite scan on Linux instances (Arch and Clear) I'm 
getting detections for... This may be easier:

Alert 1
Apr 29 14:24:51 archlinux/10.1.0.22
MODULE: ProcessCheck
MESSAGE: Malicious process found
PID: 4894
COMMAND: /usr/bin/clamd
PPID: 2974
PARENT: /usr/lib/systemd/systemd
PROCESS_NAME: clamd
OWNER: clamav
CREATED: Mon Apr 29 08:46:59 2024
SESSION:
IMAGE_FILE: /usr/bin/clamd
IMAGE_TYPE: ELF
IMAGE_SIZE: 202784
IMAGE_MD5: 22015cf434970e1a01049f7042f96ab4
IMAGE_SHA1: 848a49c96a4e9665bca2ef6cbb950df163d7afd1
IMAGE_SHA256: 8b880a7fdbbb88caad19bc8b4f48b392a9fd62205eea021b8fa136713a868364
IMAGE_FIRSTBYTES: 7f454c4602010100000000000000000003003e00 / ELF>
IMAGE_CHANGED: Mon Apr 8 17:40:15.688 2024
IMAGE_MODIFIED: Fri Oct 27 15:12:58.000 2023
IMAGE_ACCESSED: Sun Apr 28 20:36:44.232 2024
IMAGE_PERMISSIONS: -rwxr-xr-x
IMAGE_OWNER: root
IMAGE_GROUP: root
CONNECTION_COUNT: 0
LISTEN_PORTS:
FILE_1: /usr/bin/clamd
EXISTS_1: yes
TYPE_1: ELF
SIZE_1: 202784
MD5_1: 22015cf434970e1a01049f7042f96ab4
SHA1_1: 848a49c96a4e9665bca2ef6cbb950df163d7afd1
SHA256_1: 8b880a7fdbbb88caad19bc8b4f48b392a9fd62205eea021b8fa136713a868364
FIRSTBYTES_1: 7f454c4602010100000000000000000003003e00 / ELF>
OWNER_1: root
GROUP_1: root
FILE_2: /usr/lib/systemd/systemd
EXISTS_2: yes
TYPE_2: ELF
SIZE_2: 100560
MD5_2: 80865b96a49686b2b25c901bf2e71feb
SHA1_2: c1354e27304011b60b8ec02b2305088119e01027
SHA256_2: 95a6795b21f6211638eea1a0e815dd87708bb75b553ed759f941689c6790ed69
FIRSTBYTES_2: 7f454c4602010100000000000000000003003e00 / ELF>
OWNER_2: root
GROUP_2: root
REASON_1: YARA rule HKTL_Meterpreter_inMemory / Detects Meterpreter in-memory
SUBSCORE_1: 85
REF_1: https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
SIGTYPE_1: internal
SIGCLASS_1: YARA Rule
MATCHED_1:
  WS2_32.dll at 0x7eeb8c64bd25
  ReflectiveLoader at 0x7eeb6786d69f
RULEDATE_1: 2020-06-29
TAGS_1: HKTL, METASPLOIT
RULENAME_1: HKTL_Meterpreter_inMemory
AUTHOR_1: netbiosX, Florian Roth
REASON_2: YARA rule sql_php_php / Semi-Auto-generated - file sql.php.php.txt
SUBSCORE_2: 75
REF_2: -
SIGTYPE_2: internal
SIGCLASS_2: YARA Rule
MATCHED_2:
  http://rst.void.ru at 0x7eeb2ebb440d
RULEDATE_2: 1970-01-01
TAGS_2: T1505_003, WEBSHELL
RULENAME_2: sql_php_php
AUTHOR_2: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
REASON_3: YARA rule lamashell_php / Semi-Auto-generated - file lamashell.php.txt
SUBSCORE_3: 75
REF_3: -
SIGTYPE_3: internal
SIGCLASS_3: YARA Rule
MATCHED_3:
  lama's'hell at 0x7eeb2ebb4769
RULEDATE_3: 1970-01-01
TAGS_3: T1505_003, WEBSHELL
RULENAME_3: lamashell_php
AUTHOR_3: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
REASON_4: YARA rule ironshell_php / Semi-Auto-generated - file ironshell.php.txt
SUBSCORE_4: 75
REF_4: -
SIGTYPE_4: internal
SIGCLASS_4: YARA Rule
MATCHED_4:
  $cookiename = "wieeeee"; at 0x7eeb2ebb201a
RULEDATE_4: 1970-01-01
TAGS_4: T1505_003, WEBSHELL
RULENAME_4: ironshell_php
AUTHOR_4: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
REASON_5: YARA rule h4ntu_shell__powered_by_tsoi_ / Semi-Auto-generated - file h4ntu shell [powered by tsoi].txt
SUBSCORE_5: 75
REF_5: -
SIGTYPE_5: internal
SIGCLASS_5: YARA Rule
MATCHED_5:
  h4ntu shell at 0x7eeb4bf91649
  system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp"); at 0x7eeb2ebb3678
RULEDATE_5: 1970-01-01
TAGS_5: SCRIPT, T1505_003, WEBSHELL
RULENAME_5: h4ntu_shell__powered_by_tsoi_
AUTHOR_5: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
REASON_6: YARA rule connectback2_pl / Semi-Auto-generated - file connectback2.pl.txt
SUBSCORE_6: 75
REF_6: -
SIGTYPE_6: internal
SIGCLASS_6: YARA Rule
MATCHED_6:
  ConnectBack Backdoor at 0x7eeb2eba95c2
RULEDATE_6: 1970-01-01
TAGS_6: T1505_003, WEBSHELL
RULENAME_6: connectback2_pl
AUTHOR_6: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
REASON_7: YARA rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php / Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt
SUBSCORE_7: 75
REF_7: -
SIGTYPE_7: internal
SIGCLASS_7: YARA Rule
MATCHED_7:
  SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend at 0x7eeb2ebb68aa
RULEDATE_7: 1970-01-01
TAGS_7: T1505_003, WEBSHELL
RULENAME_7: SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php
AUTHOR_7: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
REASON_8: YARA rule Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php / Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt
SUBSCORE_8: 75
REF_8: -
SIGTYPE_8: internal
SIGCLASS_8: YARA Rule
MATCHED_8:
  Safe0ver at 0x7eeb2ea4a4fd
RULEDATE_8: 1970-01-01
TAGS_8: SCRIPT, T1505_003, WEBSHELL
RULENAME_8: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php
AUTHOR_8: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
REASON_9: YARA rule SUSP_PowerShell_Caret_Obfuscation_2 / Detects powershell keyword obfuscated with carets
SUBSCORE_9: 75
REF_9: Internal Research
SIGTYPE_9: internal
SIGCLASS_9: YARA Rule
MATCHED_9:
  p^o^wer^sh^ell at 0x7eeb6b71fd06
RULEDATE_9: 2019-07-20
TAGS_9: OBFUS, SCRIPT, SUSP, T1059_001
RULENAME_9: SUSP_PowerShell_Caret_Obfuscation_2
AUTHOR_9: Florian Roth (Nextron Systems)
REASON_10: YARA rule SUSP_Double_Base64_Encoded_Executable / Detects an executable that has been encoded with base64 twice
SUBSCORE_10: 75
REF_10: https://twitter.com/TweeterCyber/status/1189073238803877889
SIGTYPE_10: internal
SIGCLASS_10: YARA Rule
MATCHED_10:
  VFZxUUFBT at 0x7eeb5d2eb740
RULEDATE_10: 2019-10-29
TAGS_10: SUSP, T1132_001
RULENAME_10: SUSP_Double_Base64_Encoded_Executable
AUTHOR_10: Florian Roth (Nextron Systems)
REASON_11: YARA rule PHANTASMA_php / Semi-Auto-generated - file PHANTASMA.php.txt
SUBSCORE_11: 75
REF_11: -
SIGTYPE_11: internal
SIGCLASS_11: YARA Rule
MATCHED_11:
  [*] Spawning Shell at 0x7eeb2eba9d61
  Cha0s at 0x7eeb2ea669f9
RULEDATE_11: 1970-01-01
TAGS_11: T1505_003, WEBSHELL
RULENAME_11: PHANTASMA_php
AUTHOR_11: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
REASON_12: YARA rule Hunting_Rule_ShikataGaNai / -
SUBSCORE_12: 75
REF_12: https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html
SIGTYPE_12: internal
SIGCLASS_12: YARA Rule
MATCHED_12:
  "\xd9t$\xf4\xb8\"\xd2'z)\xc9\xb1K[1C\x1a" at 0x7eeb3971bc3c
RULEDATE_12: 1970-01-01
RULENAME_12: Hunting_Rule_ShikataGaNai
AUTHOR_12: Steven Miller
REASON_13: YARA rule DTool_Pro_php / Semi-Auto-generated - file DTool Pro.php.txt
SUBSCORE_13: 75
REF_13: -
SIGTYPE_13: internal
SIGCLASS_13: YARA Rule
MATCHED_13:
  r3v3ng4ns\nDigite at 0x7eeb2ebb5505
RULEDATE_13: 1970-01-01
TAGS_13: T1505_003, WEBSHELL
RULENAME_13: DTool_Pro_php
AUTHOR_13: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
REASON_14: YARA rule Cobaltbaltstrike_Payload_Encoded / Detects CobaltStrike payloads
SUBSCORE_14: 75
REF_14: https://github.com/avast/ioc
SIGTYPE_14: internal
SIGCLASS_14: YARA Rule
MATCHED_14:
  fc4883e4f0e8c8000000415141505251 at 0x7eeb65c2f20e
RULEDATE_14: 1970-01-01
TAGS_14: COBALTSTRIKE, S0154, T1550_002
RULENAME_14: Cobaltbaltstrike_Payload_Encoded
AUTHOR_14: Avast Threat Intel Team
REASON_15: YARA rule APT_APT28_drovorub_unique_network_comms_strings / Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based
SUBSCORE_15: 75
REF_15: https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/
SIGTYPE_15: internal
SIGCLASS_15: YARA Rule
MATCHED_15:
  action at 0x5b404d4b7994
  auth.commit at 0x7eeb71457ff0
  auth.hello at 0x7eeb7144ff62
  auth.login at 0x7eeb71455d32
  auth.pending at 0x7eeb71455eba
  client_id at 0x7eeb5c4ebae0
  client_login at 0x7eeb396b8d48
  client_pass at 0x7eeb396b8d6a
  clientid at 0x7eeb714565da
  clientkey_base64 at 0x7eeb714567a2
  file_list_request at 0x7eeb714571c4
  module_list_request at 0x7eeb71457c18
  monitor at 0x7eeb2e1772d4
  net_list_request at 0x7eeb71457e22
  server finished at 0x7eeb5b68bc46
  serverid at 0x7eeb6aca3b8a
  tunnel at 0x7eeb2df919a3
RULEDATE_15: 2020-08-13
TAGS_15: APT, G0007, RUSSIA
RULENAME_15: APT_APT28_drovorub_unique_network_comms_strings
AUTHOR_15: NSA / FBI
REASON_16: YARA rule webshell_c99_locus7s_c99_w4cking_xxx / Web Shell
SUBSCORE_16: 70
REF_16: -
SIGTYPE_16: internal
SIGCLASS_16: YARA Rule
MATCHED_16:
  $res = @shell_exec($cfe); at 0x7eeb2eb69bba
  $res = @ob_get_contents(); at 0x7eeb2eb69c19
  @exec($cfe,$res); at 0x7eeb2eb69a71
RULEDATE_16: 2014-01-28
TAGS_16: SCRIPT, T1505_003, WEBSHELL
RULENAME_16: webshell_c99_locus7s_c99_w4cking_xxx
AUTHOR_16: Florian Roth (Nextron Systems)
REASON_17: YARA rule EditServer / Disclosed hacktool set (old stuff) - file EditServer.exe
SUBSCORE_17: 60
REF_17: -
SIGTYPE_17: internal
SIGCLASS_17: YARA Rule
MATCHED_17:
  WinEggDrop Shell Congirator at 0x7eeb40c28189
RULEDATE_17: 2014-11-23
TAGS_17: HKTL
RULENAME_17: EditServer
AUTHOR_17: Florian Roth (Nextron Systems)
REASON_18: YARA rule HackTool_Samples / Hacktool
SUBSCORE_18: 50
REF_18: -
SIGTYPE_18: internal
SIGCLASS_18: YARA Rule
MATCHED_18:
  WPE-C1467211-7C89-49c5-801A-1D048E4014C4 at 0x7eeb3b9c2ea4
  clearlogs [\\computername at 0x7eeb3b68fd90
RULEDATE_18: 1970-01-01
TAGS_18: HKTL
RULENAME_18: HackTool_Samples
AUTHOR_18: Undefined
REASONS_COUNT: 18
FILE_1: /usr/bin/clamd
EXISTS_1: yes
TYPE_1: ELF
SIZE_1: 202784
MD5_1: 22015cf434970e1a01049f7042f96ab4
SHA1_1: 848a49c96a4e9665bca2ef6cbb950df163d7afd1
SHA256_1: 8b880a7fdbbb88caad19bc8b4f48b392a9fd62205eea021b8fa136713a868364
FIRSTBYTES_1: 7f454c4602010100000000000000000003003e00 / ELF>
OWNER_1: root
GROUP_1: root
FILE_2: /usr/lib/systemd/systemd
EXISTS_2: yes
TYPE_2: ELF
SIZE_2: 100560
MD5_2: 80865b96a49686b2b25c901bf2e71feb
SHA1_2: c1354e27304011b60b8ec02b2305088119e01027
SHA256_2: 95a6795b21f6211638eea1a0e815dd87708bb75b553ed759f941689c6790ed69
FIRSTBYTES_2: 7f454c4602010100000000000000000003003e00 / ELF>
OWNER_2: root
GROUP_2: root
SCORE: 94

Now, one would assume that THOR Lite is reading these from process memory, from 
clamd's own rules it has loaded into memory. But I'm unable to find anything 
on disk that would support that. Note that this is happening across machines, 
and is consistently hitting for at least the Cobalt and DROVORUB YARA 
detections each time.

I've also been unable to replicate these detections remotely with different 
acquaintances on Ubuntu, Arch, or any other Linux distro. The SHA256 of the 
clamd executable exists somewhere, as it was uploaded to VT last month 
(honestly I think by me), but I can no longer find a file that matches said 
SHA256 on disk, even though it keeps popping up in the scans.

Is there any way to prove or disprove these detections as legitimate?

Again, I cannot find these signatures, including the SHA256s, MD5s or SHA1s, 
anywhere else besides process memory.

Thank you,
Andrew



Sent from Proton Mail Android

Attachment: publickey - andrew.carlisle1904@mrkd1904.com - 0x861ADB2E.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
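One way to test the hypothesis in this mail, that the hits come from clamd's own loaded signature database rather than from anything on disk, is to resolve each "MATCHED ... at 0x..." address against the region of clamd's /proc/<pid>/maps it falls in. This is an added example, not part of the original thread or of THOR/ClamAV; the maps excerpt and its address layout are constructed, while the match addresses are taken from the alert.

```python
# Added example (not from the post or from THOR/ClamAV): map each THOR
# "MATCHED ... at 0x..." address onto the region of /proc/<pid>/maps it
# falls in. On the host you would read /proc/4894/maps (the alert's PID).
import bisect
import re

# /proc/<pid>/maps: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text):
    """Return sorted (start, end, perms, path) tuples; path is '' for anonymous memory."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return sorted(regions)

def classify(regions, addr, image_path):
    """Say which kind of mapping a YARA hit address lands in."""
    i = bisect.bisect_right([r[0] for r in regions], addr) - 1
    if i < 0 or not (regions[i][0] <= addr < regions[i][1]):
        return "unmapped"
    path = regions[i][3]
    if path == image_path:
        return "image"       # inside the binary's own file-backed mapping
    if path == "" or path.startswith("["):
        return "anonymous"   # heap/mmap data, e.g. a loaded signature database
    return "other-file"      # shared library or other mapped file

def summarize(maps_text, matches, image_path="/usr/bin/clamd"):
    regions = parse_maps(maps_text)
    return {name: classify(regions, a, image_path) for name, a in matches.items()}

# Constructed maps excerpt for clamd (not real output from any host).
SAMPLE_MAPS = """\
5b404d400000-5b404d4c0000 r--p 00000000 fd:00 1234 /usr/bin/clamd
5b404d4c0000-5b404d500000 r-xp 000c0000 fd:00 1234 /usr/bin/clamd
7eeb2d000000-7eeb72000000 rw-p 00000000 00:00 0
7eeb72000000-7eeb72100000 r-xp 00000000 fd:00 5678 /usr/lib/libc.so.6
"""

# Match addresses copied from the THOR alert above.
MATCHES = {
    "ReflectiveLoader": 0x7EEB6786D69F,
    "http://rst.void.ru": 0x7EEB2EBB440D,
    "auth.commit": 0x7EEB71457FF0,
    "action": 0x5B404D4B7994,
}
```

Hits that land inside the binary's own mapping are worth reconciling against a fresh hash of /usr/bin/clamd, while hits inside an anonymous rw region are consistent with data the process loaded at runtime, such as a signature database.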

_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
