[Community-sigs] new sig: Win.VirTool.Injector for Kuluoz
Douglas Goddard
dgoddard at sourcefire.com
Mon Dec 1 10:22:07 EST 2014
Submitted:
Win.Injector.Kulouz;Engine:51-255,Target:1;0&1&2;8A88????????008C07????0000403D????000072EB;BE????????8DBD??FFFFFFA5A5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF65C685??FFFFFF61C685??FFFFFF47C685??FFFFFF54C685??FFFFFF43FF15;BE????????8DBD??FFFFFFA5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF52C685??FFFFFF75C685??FFFFFF54C685??FFFFFF72FF15
To sample:
868171C72E7B60EA7ECE5C3C5D808298C6FD300CB94EF6E155CFF0867085CDDD
For FP testing. Will follow up when published.
On Thu, Nov 27, 2014 at 6:18 AM, <andreisaygo at live.ie> wrote:
> Signature:
>
> Win.VirTool.Injector;Target:1;0&(1&2);8A88????????008C07????0000403D????000072EB;BE????????8DBD??FFFFFFA5A5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF65C685??FFFFFF61C685??FFFFFF47C685??FFFFFF54C685??FFFFFF43FF15;BE????????8DBD??FFFFFFA5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF52C685??FFFFFF75C685??FFFFFF54C685??FFFFFF72FF15
>
> Hashes:
> MD5: d20da2e017d38cc72b606d003478bf30
> SHA1: eb4ba96030b66fc75e7286fd13a36477310c9953
> SHA256: 2998f372f9846f53fbb41b494c2e6b0e5ec77576ef26fd188e37e081f37d81e2
>
> Sig0 (decryption routine):
> mov cl, ds:byte_F114280[eax]
> add [edi+eax+7530h], cl
> inc eax
> cmp eax, 347Ch
> jb short loc_F1122F7
>
> Sig1:
> mov esi, offset aUetphrnndmonte ; "UetPhrNNdMontext"
> lea edi, [ebp-98h]
> movsd
> movsd
> movsd
> movsd
> lea eax, [ebp-98h]
> movsb
> push eax
> push dword_F11A6B4
> mov [ebp+var_92], 'e'
> mov [ebp+var_91], 'a'
> mov byte ptr [ebp+var_98], 'G'
> mov byte ptr [ebp+var_98+3], 'T'
> mov [ebp+var_8F], 'C'
> call dword_F11A6C4 ; getprocaddress for GetThreadContext
>
> Sig2:
> mov esi, offset aJesemenhxead ; "jesEmeNhXead"
> lea edi, [ebp-0B8h]
> movsd
> movsd
> movsd
> lea eax, [ebp-0B8h]
> movsb
> push eax
> push dword_F11A6B4
> mov [ebp+var_B8], 52h
> mov byte ptr [ebp+var_B7+2], 75h
> mov [ebp+var_B2], 54h
> mov [ebp+var_B0], 72h
> call dword_F11A6C4 ; getprocaddress for ResumeThread
>
> Regards,
> Andrei Saygo
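The Sig1 and Sig2 listings quoted above are stack-string construction: a decoy constant is copied with movsd/movsb and a handful of bytes are then patched in place before the pointer is passed to GetProcAddress. The following decoder, an added example and not code from either poster, rebuilds both API names from the displacements in the quoted disassembly (buffer at [ebp-98h] / [ebp-0B8h], patches at var_92 etc., where var_98+3 is displacement 0x95). It shows why the signatures key on the patch sequence rather than on a cleartext string.

```python
# Decode the Kuluoz stack-string sequences quoted in the thread.
# Offsets are taken from the quoted disassembly; nothing here is the malware's code.

def decode_stack_string(seed: str, frame_base: int, patches: dict[int, int]) -> str:
    """Rebuild the string the code assembles on the stack.

    seed       -- constant copied with movsd/movsb, e.g. "UetPhrNNdMontext"
    frame_base -- displacement of the buffer start, 0x98 for [ebp-98h]
    patches    -- {frame_displacement: byte} for each `mov [ebp+var_XX], imm8`;
                  var_XX+N means displacement XX-N, and the buffer index is
                  frame_base - displacement
    """
    buf = bytearray(seed.encode("ascii"))
    for disp, value in patches.items():
        idx = frame_base - disp
        if not 0 <= idx < len(buf):
            raise ValueError(f"patch at ebp-{disp:#x} is outside the {len(buf)}-byte buffer")
        buf[idx] = value
    return buf.decode("ascii")


# Sig1: 4 x movsd copies 16 bytes of "UetPhrNNdMontext" to [ebp-98h]
SIG1_PATCHES = {
    0x92: ord("e"),   # mov [ebp+var_92], 'e'
    0x91: ord("a"),   # mov [ebp+var_91], 'a'
    0x98: ord("G"),   # mov byte ptr [ebp+var_98], 'G'
    0x95: ord("T"),   # mov byte ptr [ebp+var_98+3], 'T'
    0x8F: ord("C"),   # mov [ebp+var_8F], 'C'
}

# Sig2: 3 x movsd copies 12 bytes of "jesEmeNhXead" to [ebp-0B8h]
SIG2_PATCHES = {
    0xB8: 0x52,       # mov [ebp+var_B8], 52h
    0xB5: 0x75,       # mov byte ptr [ebp+var_B7+2], 75h
    0xB2: 0x54,       # mov [ebp+var_B2], 54h
    0xB0: 0x72,       # mov [ebp+var_B0], 72h
}


def decode_kuluoz_api_names() -> dict[str, str]:
    """Return the API names resolved by the Sig1 and Sig2 sequences."""
    return {
        "Sig1": decode_stack_string("UetPhrNNdMontext", 0x98, SIG1_PATCHES),
        "Sig2": decode_stack_string("jesEmeNhXead", 0xB8, SIG2_PATCHES),
    }


if __name__ == "__main__":
    for name, api in decode_kuluoz_api_names().items():
        print(f"{name}: {api}")
```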