[Community-sigs] new sig: Win.VirTool.Injector for Kuluoz

Douglas Goddard dgoddard at sourcefire.com
Mon Dec 1 10:22:07 EST 2014


Submitted:

Win.Injector.Kulouz;Engine:51-255,Target:1;0&1&2;8A88????????008C07????0000403D????000072EB;BE????????8DBD??FFFFFFA5A5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF65C685??FFFFFF61C685??FFFFFF47C685??FFFFFF54C685??FFFFFF43FF15;BE????????8DBD??FFFFFFA5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF52C685??FFFFFF75C685??FFFFFF54C685??FFFFFF72FF15

To sample:

868171C72E7B60EA7ECE5C3C5D808298C6FD300CB94EF6E155CFF0867085CDDD

For FP testing. Will follow up when published.


On Thu, Nov 27, 2014 at 6:18 AM, <andreisaygo at live.ie> wrote:

> Signature:
>
> Win.VirTool.Injector;Target:1;0&(1&2);8A88????????008C07????0000403D????000072EB;BE????????8DBD??FFFFFFA5A5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF65C685??FFFFFF61C685??FFFFFF47C685??FFFFFF54C685??FFFFFF43FF15;BE????????8DBD??FFFFFFA5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF52C685??FFFFFF75C685??FFFFFF54C685??FFFFFF72FF15
>
> Hashes:
> MD5:    d20da2e017d38cc72b606d003478bf30
> SHA1:   eb4ba96030b66fc75e7286fd13a36477310c9953
> SHA256: 2998f372f9846f53fbb41b494c2e6b0e5ec77576ef26fd188e37e081f37d81e2
>
> Sig0 (decryption routine):
> mov     cl, ds:byte_F114280[eax]
> add     [edi+eax+7530h], cl
> inc     eax
> cmp     eax, 347Ch
> jb      short loc_F1122F7
>
> Sig1:
> mov     esi, offset aUetphrnndmonte ; "UetPhrNNdMontext"
> lea     edi, [ebp-98h]
> movsd
> movsd
> movsd
> movsd
> lea     eax, [ebp-98h]
> movsb
> push    eax
> push    dword_F11A6B4
> mov     [ebp+var_92], 'e'
> mov     [ebp+var_91], 'a'
> mov     byte ptr [ebp+var_98], 'G'
> mov     byte ptr [ebp+var_98+3], 'T'
> mov     [ebp+var_8F], 'C'
> call    dword_F11A6C4   ; getprocaddress for GetThreadContext
>
> Sig2:
> mov     esi, offset aJesemenhxead ; "jesEmeNhXead"
> lea     edi, [ebp-0B8h]
> movsd
> movsd
> movsd
> lea     eax, [ebp-0B8h]
> movsb
> push    eax
> push    dword_F11A6B4
> mov     [ebp+var_B8], 52h
> mov     byte ptr [ebp+var_B7+2], 75h
> mov     [ebp+var_B2], 54h
> mov     [ebp+var_B0], 72h
> call    dword_F11A6C4   ; getprocaddress for ResumeThread
>
> Regards, Andrei Saygo
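The logical signature posted in the thread, as an added example that is not part of either message and is not ClamAV's own matcher: a small Python evaluator that splits the .ldb line into its fields, turns each hex subsignature into a byte regex (only the `??` single-byte wildcard the signature uses is handled; ClamAV's `*`, `{n-m}` and alternation syntax are rejected), and evaluates the `0&(1&2)` expression over a buffer. The sample bytes are constructed by hand from the opcode bytes the disassembly above encodes; the addresses and displacements that the signature wildcards are filled with made-up values, and the NOP padding is likewise constructed. The parser also accepts the `Engine:51-255,Target:1` target block from the repost.

```python
"""Minimal evaluator for a ClamAV-style logical signature line (added example)."""
import re

# Signature exactly as posted in the thread: name;target;expression;subsig0;subsig1;subsig2
SIGNATURE = (
    "Win.VirTool.Injector;Target:1;0&(1&2);"
    "8A88????????008C07????0000403D????000072EB;"
    "BE????????8DBD??FFFFFFA5A5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF65C685??FFFFFF61"
    "C685??FFFFFF47C685??FFFFFF54C685??FFFFFF43FF15;"
    "BE????????8DBD??FFFFFFA5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF52C685??FFFFFF75"
    "C685??FFFFFF54C685??FFFFFF72FF15"
)


def parse_ldb(line):
    """Split an .ldb line into (name, target dict, logical expression, subsignature list)."""
    name, target, expr, *subsigs = line.strip().split(";")
    tdict = dict(kv.split(":", 1) for kv in target.split(","))  # e.g. Engine:51-255,Target:1
    if not subsigs:
        raise ValueError("logical signature needs at least one subsignature")
    return name, tdict, expr, subsigs


def subsig_to_regex(hexsig):
    """Compile '8A88????..' into a bytes regex; each '??' matches exactly one arbitrary byte."""
    if len(hexsig) % 2:
        raise ValueError("odd-length hex subsignature")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        if pair == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
            parts.append(re.escape(bytes([int(pair, 16)])))
        else:
            raise ValueError(f"unsupported token {pair!r}: only hex bytes and ?? are handled")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0A


def eval_expr(expr, hits):
    """Evaluate an expression like '0&(1&2)'; hits[i] is True when subsignature i matched.

    Grammar: or := and ('|' and)* ; and := atom ('&' atom)* ; atom := INT | '(' or ')'
    """
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr:
        raise ValueError(f"unsupported logical expression {expr!r}")
    pos = 0

    def atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = or_expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return val
        return bool(hits[int(tok)])

    def and_expr():
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            val = atom() and val  # always evaluate the operand so malformed input is caught
        return val

    def or_expr():
        nonlocal pos
        val = and_expr()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            val = and_expr() or val
        return val

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def scan(line, data):
    """Return (name, per-subsig hit list, overall verdict) for one buffer."""
    name, _target, expr, subsigs = parse_ldb(line)
    hits = [subsig_to_regex(s).search(data) is not None for s in subsigs]
    return name, hits, eval_expr(expr, hits)


# Constructed sample: opcode bytes of the thread's disassembly; wildcarded operands filled by hand.
SIG0_BYTES = bytes.fromhex(
    "8A88 8042110F"    # mov  cl, ds:byte_F114280[eax]
    "008C07 30750000"  # add  [edi+eax+7530h], cl
    "40"               # inc  eax
    "3D 7C340000"      # cmp  eax, 347Ch
    "72EB"             # jb   short loc_F1122F7
)
SIG1_BYTES = bytes.fromhex(
    "BE 00000000"       # mov  esi, offset string  (address constructed)
    "8DBD 68FFFFFF"     # lea  edi, [ebp-98h]
    "A5A5A5A5"          # movsd x4
    "8D85 68FFFFFF"     # lea  eax, [ebp-98h]
    "A4 50"             # movsb ; push eax
    "FF35 B4A6110F"     # push dword_F11A6B4
    "C685 6EFFFFFF 65"  # mov  byte [ebp-92h], 'e'
    "C685 6FFFFFFF 61"  # mov  byte [ebp-91h], 'a'
    "C685 68FFFFFF 47"  # mov  byte [ebp-98h], 'G'
    "C685 6BFFFFFF 54"  # mov  byte [ebp-95h], 'T'
    "C685 71FFFFFF 43"  # mov  byte [ebp-8Fh], 'C'
    "FF15 C4A6110F"     # call dword_F11A6C4
)
SIG2_BYTES = bytes.fromhex(
    "BE 00000000"  "8DBD 48FFFFFF"  "A5A5A5"  "8D85 48FFFFFF"  "A4 50"  "FF35 B4A6110F"
    "C685 48FFFFFF 52"  "C685 4BFFFFFF 75"  "C685 4EFFFFFF 54"  "C685 50FFFFFF 72"  "FF15 C4A6110F"
)
PAD = b"\x90" * 16  # constructed filler between the three fragments
INJECTOR_SAMPLE = PAD + SIG0_BYTES + PAD + SIG1_BYTES + PAD + SIG2_BYTES
DECRYPT_ONLY_SAMPLE = PAD + SIG0_BYTES + PAD  # loop alone must not fire: 0&(1&2) needs all three

if __name__ == "__main__":
    for label, blob in (("injector", INJECTOR_SAMPLE), ("decrypt-loop-only", DECRYPT_ONLY_SAMPLE)):
        name, hits, verdict = scan(SIGNATURE, blob)
        print(f"{label}: subsig hits={hits} -> {'FOUND ' + name if verdict else 'clean'}")
```

The second buffer shows why the logical expression matters for false-positive testing: the short decryption loop (Sig0) on its own is generic enough to appear elsewhere, so the verdict is only raised when the two decoy-string API-resolution stubs are also present.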