[Community-sigs] new sig for Win.Worm.Njrat/Bladabindi

andreisaygo at live.ie andreisaygo at live.ie
Mon Dec 8 07:50:33 EST 2014


Signature:
Win.Worm.Njrat;Target:1;(0|1|2|3|4)>3;0A06161F2E9D06171F749D06181F6D9D06191F709D06;2e00640064006e0073002e006e0065007400;2f006b002000700069006e00670020003000200026002000640065006c0020002200;6e00650074007300680020006600690072006500770061006c006c002000610064006400200061006c006c006f00770065006400700072006f006700720061006d00;2e006c006e006b0000??57005300630072006900700074002e005300680065006c006c00

Hashes:
MD5: 776d292d967e7dc6a3fb84cdb0e26017
SHA1: a5771318e39c4bd281caee5fbfb3616ac2ac0cf5
SHA256: fd2fe31018ee8f4a45402528b6e3c6bf481cc2ffb2f9465f6b0c84dcfaf16399

PWStealer that can spread via USB drives.
Sig0:
Appends to a variable (LogsPath) the ".tmp" string.
Sig1:
.ddns.net
Sig2:
/k ping.exe 0 del "
Sig3:
netsh firewall add allowed program
Sig4:
.lnk WScript.Shell


Regards,
Andrei Saygo
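
The following is an added example, not part of the original post and not ClamAV's own matcher: it splits the posted logical signature into its fields, decodes the UTF-16LE subsignatures to the strings they match, and models the `(0|1|2|3|4)>3` expression as "more than 3 hits summed over the listed subsignatures". The helper names and the two test buffers are constructed for illustration, and the target type (`Target:1`) is not checked.

```python
import re

# Signature line as posted above, split here only for line length.
LDB = ("Win.Worm.Njrat;Target:1;(0|1|2|3|4)>3;"
       "0A06161F2E9D06171F749D06181F6D9D06191F709D06;"
       "2e00640064006e0073002e006e0065007400;"
       "2f006b002000700069006e00670020003000200026002000640065006c0020002200;"
       "6e00650074007300680020006600690072006500770061006c006c00200061006400"
       "6400200061006c006c006f00770065006400700072006f006700720061006d00;"
       "2e006c006e006b0000??57005300630072006900700074002e005300680065006c006c00")

def parse_ldb(line):
    """Return (name, target block, logical expression, subsignature list)."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    return name, tdb, expr, subsigs

def tokens(subsig):
    """Two-character tokens: one hex byte, or '??' (any single byte)."""
    return [subsig[i:i + 2] for i in range(0, len(subsig), 2)]

def readable(subsig):
    """Show UTF-16LE ASCII as text; fall back to hex for binary patterns."""
    out, odd = [], 0
    for lo, hi in zip(tokens(subsig)[0::2], tokens(subsig)[1::2]):
        is_text = hi == "00" and lo != "??" and 0x20 <= int(lo, 16) < 0x7F
        out.append(chr(int(lo, 16)) if is_text else "<%s%s>" % (lo, hi))
        odd += not is_text
    return "".join(out) if 2 * odd < len(out) else "hex:" + subsig

def to_regex(subsig):
    """Bytes regex for one subsignature; '??' becomes '.' (DOTALL)."""
    parts = [b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens(subsig)]
    return re.compile(b"".join(parts), re.DOTALL)

def fires(line, data):
    """Simplified '(a|b|...)>N': summed hits must exceed N; target ignored."""
    _, _, expr, subsigs = parse_ldb(line)
    m = re.fullmatch(r"\(([\d|]+)\)>(\d+)", expr)
    if m is None:
        raise ValueError("only the (a|b|...)>N form is modelled")
    hits = sum(len(to_regex(subsigs[int(i)]).findall(data)) for i in m.group(1).split("|"))
    return hits > int(m.group(2))

def wide(s):
    return s.encode("utf-16-le")

# Constructed buffers (not taken from a real sample).
THREE = wide("x.ddns.net") + wide('/k ping 0 & del "') + wide("netsh firewall add allowedprogram")
FOUR = THREE + wide(".lnk") + b"\x00\x0d" + wide("WScript.Shell")
print([readable(s) for s in parse_ldb(LDB)[3]], fires(LDB, THREE), fires(LDB, FOUR))
```

In this model four hits of a single subsignature also satisfy `>3`; ClamAV's `>X,Y` form adds a minimum number of distinct subsignatures.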

 		 	   		  

