[Community-sigs] new sig for Win.Dropper.Necurs

Douglas Goddard dgoddard at sourcefire.com
Wed Dec 3 12:02:56 EST 2014 

Added for FP check, will be published today or tomorrow.

Thank you!

On Wed, Dec 3, 2014 at 11:51 AM, <andreisaygo at live.ie> wrote:

>
> Signature:
>
> Win.Dropper.Necurs;Target:1;0&(1|2);8B45088945F4C645????EB078B45F4408945F40FBE45??8945??*C645??008B45F40FBE000FBE4D??33C8884D??E9????FFFF;C685??FDFFFF94C685??FDFFFFE2C685??FDFFFFCEC685??FDFFFFA6C685??FDFFFF39C685??FDFFFFD5C685??FDFFFF7FC685??FDFFFF5EC685??FDFFFF61C685??FDFFFF52C685??FDFFFFB9;C68570FDFFFF??C68571FDFFFF??C68572FDFFFF??C68573FDFFFF??C68574FDFFFF??C68575FDFFFF??C68576FDFFFF??C68577FDFFFF??C68578FDFFFF??C68579FDFFFF??C6857AFDFFFF??
>
>
>
> Hashes
> MD5: 80e090c484d6fd131baaafbfdbf109b4
> SHA1: eb8760d513e957d7871915877534ce9402737799
> SHA256: a85101aaa1863d119847f1cc8271343d1a911f304641a02af953c17ecdae84d6
>
> Sig0:
> 004023AB 8B 45 08                mov     eax, [ebp+arg_0]   ;eax -
> encrypted string
> 004023AE 89 45 F4                mov     [ebp+var_C], eax
>
> 004023B1 C6 45 ?? ??             mov     [ebp+var_17], 2
> 004023B5 EB 07                   jmp     short loc_4023BE
> 004023B7                         loc_4023B7:
> 004023B7 8B 45 F4                mov     eax, [ebp+var_C]
> 004023BA 40                      inc     eax
> 004023BB 89 45 F4                mov     [ebp+var_C], eax
> 004023BE                         loc_4023BE:
> 004023BE 0F BE 45 ??             movsx   eax, [ebp+var_17]
> 004023C2 89 45 ??                mov     [ebp+var_3C], eax
> (...)
> 004025AA C6 45 ?? 00             mov     [ebp+var_17], 0
> 004025AE 8B 45 F4                mov     eax, [ebp+var_C]
> 004025B1 0F BE 00                movsx   eax, byte ptr [eax]
> 004025B4 0F BE 4D ??             movsx   ecx, [ebp+var_17]
> 004025B8 33 C8                   xor     ecx, eax
> 004025BA 88 4D ??                mov     [ebp+var_17], cl
> 004025BD E9 ?? ?? FF FF          jmp     loc_4023B7
>
>
>
> Sig1 and 2 are the same, just wildcarded either the local vars or the
> written bytes:
> 040325E C6 85 70 FD FF FF 94    mov     byte ptr [ebp-290h], 94h
> 00403265 C6 85 71 FD FF FF E2    mov     byte ptr [ebp-28Fh], 0E2h
> 0040326C C6 85 72 FD FF FF CE    mov     byte ptr [ebp-28Eh], 0CEh
> 00403273 C6 85 73 FD FF FF A6    mov     byte ptr [ebp-28Dh], 0A6h
> 0040327A C6 85 74 FD FF FF 39    mov     byte ptr [ebp-28Ch], 39h
> 00403281 C6 85 75 FD FF FF D5    mov     byte ptr [ebp-28Bh], 0D5h
> 00403288 C6 85 76 FD FF FF 7F    mov     byte ptr [ebp-28Ah], 7Fh
> 0040328F C6 85 77 FD FF FF 5E    mov     byte ptr [ebp-289h], 5Eh
> 00403296 C6 85 78 FD FF FF 61    mov     byte ptr [ebp-288h], 61h
> 0040329D C6 85 79 FD FF FF 52    mov     byte ptr [ebp-287h], 52h
> 004032A4 C6 85 7A FD FF FF B9    mov     byte ptr [ebp-286h], 0B9h
>
> Regards,
> Andrei Saygo
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>

More information about the Community-sigs mailing list