[Community-sigs] new sig Win.Downloader.Dalexis

Shaun Hurley shahurle at sourcefire.com
Wed Jan 28 16:07:21 EST 2015


Andrei,

Sig: Win.Downloader.Dalexis has been published.

Thank you for your submission,
Shaun Hurley

On Tue, Jan 27, 2015 at 10:32 AM, <andreisaygo at live.ie> wrote:

> Sig:
>
> Win.Downloader.Dalexis;Target:1;(0|1|2)>2,2;FF15????400083F8000F85????0000823D????4000010F82????000090909090;89E68B????2040005?68????4000FF2690909090;6C6F6B697461722E706462
>
> Hashes:
> MD5: 37a30abf6c798807ab896e7771ae130f
> SHA1: 5b25135c60c03be5449b3c7b1c8bfc6bcd74756e
> SHA256: f6c16ac3e0c062c3520f35016d4ece7db80ff724291f49a9b16cec3feb0e7c89
>
> Sig0:
> .text:00401198 FF 15 ?? ?? 40 00       call    ds:lstrcmpiA
> .text:0040119E 83 F8 00                cmp     eax, 0
> .text:004011A1 0F 85 ?? ?? 00 00       jnz     loc_4012F0
> .text:004011A7 82 3D ?? ?? 40 00 01    cmp     byte ptr dword_403215, 1
> .text:004011AE 0F 82 ?? ?? 00 00       jb      loc_401E9D
> .text:004011B4 90                      nop
> .text:004011B5 90                      nop
> .text:004011B6 90                      nop
> .text:004011B7 90                      nop
>
> Sig1:
> .text:004017F8 89 E6                   mov     esi, esp
> .text:004017FA 8B ?? ?? 20 40 00       mov     edx, ds:GetModuleHandleA
> .text:00401800 5?                      push    edx
> .text:00401801 68 ?? ?? 40 00          push    offset loc_401773
> .text:00401806 FF 26                   jmp     dword ptr [esi]
> .text:00401808 90 90 90 90
>
> Sig2:
> lokitar.pdb
>
> Regards,
> Andrei Saygo
>
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>

