[Community-sigs] new sig for Win.Worm.Njrat/Bladabindi

Douglas Goddard dgoddard at sourcefire.com
Mon Dec 8 10:41:12 EST 2014


Added for FP check. Thank you!

On Mon, Dec 8, 2014 at 7:50 AM, <andreisaygo at live.ie> wrote:

> Signature:
>
> Win.Worm.Njrat;Target:1;(0|1|2|3|4)>3;0A06161F2E9D06171F749D06181F6D9D06191F709D06;2e00640064006e0073002e006e0065007400;2f006b002000700069006e00670020003000200026002000640065006c0020002200;6e00650074007300680020006600690072006500770061006c006c002000610064006400200061006c006c006f00770065006400700072006f006700720061006d00;2e006c006e006b0000??57005300630072006900700074002e005300680065006c006c00
>
> Hashes:
> MD5: 776d292d967e7dc6a3fb84cdb0e26017
> SHA1: a5771318e39c4bd281caee5fbfb3616ac2ac0cf5
> SHA256: fd2fe31018ee8f4a45402528b6e3c6bf481cc2ffb2f9465f6b0c84dcfaf16399
>
> PWStealer that can spread via USB drives.
> Sig0:
> Appends to a variable (LogsPath) the ".tmp" string.
> Sig1:
> .ddns.net
> Sig2:
> /k ping.exe 0 del "
> Sig3:
> netsh firewall add allowed program
> Sig4:
> .lnk WScript.Shell
>
>
> Regards,
> Andrei Saygo
>
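The following is an added example, not part of the original thread or of ClamAV itself: it splits the submitted logical signature into its fields, decodes the UTF-16LE subsignatures, and evaluates the `(0|1|2|3|4)>3` expression against constructed buffers. It assumes the ClamAV documentation's rule that a block compared with `>N` must produce more than N matches in total, supports only literal bytes and `??` wildcards, and does not check the `Target:1` (PE file) restriction.

```python
import re

# Signature line copied from the post (ClamAV logical signature syntax).
SIG = (
    "Win.Worm.Njrat;Target:1;(0|1|2|3|4)>3;"
    "0A06161F2E9D06171F749D06181F6D9D06191F709D06;"
    "2e00640064006e0073002e006e0065007400;"
    "2f006b002000700069006e00670020003000200026002000640065006c0020002200;"
    "6e00650074007300680020006600690072006500770061006c006c00200061006400"
    "6400200061006c006c006f00770065006400700072006f006700720061006d00;"
    "2e006c006e006b0000??57005300630072006900700074002e005300680065006c006c00"
)

def parse_ldb(line):
    """Split into name, target block, logical expression, subsignature list."""
    name, target, expr, *subsigs = line.split(";")
    return name, target, expr, subsigs

def subsig_regex(hexsig):
    """Compile a hex subsignature; only literal bytes and ?? are handled here."""
    pairs = re.findall("..", hexsig)
    pat = b"".join(b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in pairs)
    return re.compile(pat, re.DOTALL)

def readable(hexsig):
    """Return the UTF-16LE text a subsignature encodes, or the hex if it is not text."""
    raw = bytes.fromhex(hexsig.replace("??", "00"))
    if len(raw) % 2 == 0 and not any(raw[1::2]):
        return "".join(c if c.isprintable() else "?" for c in raw.decode("utf-16-le"))
    return hexsig

def evaluate(line, data):
    """Evaluate an expression of the form (a|b|...)>N: total matches in the block > N."""
    _, _, expr, subsigs = parse_ldb(line)
    m = re.fullmatch(r"\(([\d|]+)\)>(\d+)", expr)
    if not m:
        raise ValueError("only the (a|b|...)>N form is supported: " + expr)
    counts = {int(i): len(subsig_regex(subsigs[int(i)]).findall(data))
              for i in m.group(1).split("|")}
    return sum(counts.values()) > int(m.group(2)), counts

def wide(s):
    return s.encode("utf-16-le")
# Constructed test buffers, not taken from the sample named in the post.
SAMPLE_HIT = (b"MZ" + wide('host.ddns.net cmd.exe /k ping 0 & del "')
              + wide("netsh firewall add allowedprogram x.lnk") + b"\x00\x01"
              + wide("WScript.Shell"))
SAMPLE_MISS = b"MZ" + wide("host.ddns.net netsh firewall add allowedprogram")
print(evaluate(SIG, SAMPLE_HIT), evaluate(SIG, SAMPLE_MISS))
```

Calling `readable()` on each subsignature before submitting is a quick way to check that the hex matches the strings in the description.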


