[Community-sigs] new sig Win.Downloader.Agent
andreisaygo at live.ie
Thu Dec 11 13:16:00 EST 2014
Perfect, thanks ;)
On 11 Dec 2014 18:00, Alain Zidouemba <azidouemba at sourcefire.com> wrote:
Thanks Andrei.
I believe this signature could be rewritten as follows, given the logic of
your original logical signature:
Win.Downloader.Agent:1:*:6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*BE0000000056B8FFFFFFFF508D15????4000FF12*89E2*FF22
- Alain
On Thu, Dec 11, 2014 at 12:34 PM, <andreisaygo at live.ie> wrote:
> Sig:
>
> Win.Downloader.Agent;Target:1;0;6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*BE0000000056B8FFFFFFFF508D15????4000FF12*89E2*FF22
>
> (this repeats a few times)
> 6A0D          push 0xd
> 68????4000    push 0x40408e ; 0x40408e
> 68????4000    push 0x404084 ; "dFIBVjkRK"
> FF15          call dword [ds:imp_GetVolumePathNameA]
> *
> BE00000000    mov esi, 0x0
> 56            push esi
> B8FFFFFFFF    mov eax, 0xffffffff
> 50            push eax
> 8D15????4000  lea edx, dword [ds:0x40407c]
> FF12          call dword [ds:edx]
> *
> 89E2          mov edx, esp
> *
> FF22          jmp dword [ds:edx]
>
>
> MD5: 4694161d34854c07b50b4880efc2f8da
> SHA1: 3beed25f32177492178bb30144505e00873bdbee
> SHA256: d65babd2e58211751e9b532a0e33b6c76846f7e6f379174547711ee6dbb11289
>
>
> Regards,
> Andrei Saygo
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
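Added example, not code from the thread or from ClamAV itself: the rewrite Alain proposes folds a logical signature (Name;Target:N;Expr;Subsig) whose expression is just "0" into an extended signature (Name:Target:Offset:Hex), which the script below does mechanically. It then translates the hex body into a bytes regex (hex pairs are literal bytes, ?? is any single byte, * is any run of bytes) and runs it over a constructed byte blob shaped like Andrei's disassembly, so the five-repeat structure, the wildcarded call target and the trailing mov edx,esp / jmp [edx] can be checked offline. The blob, the import-table address 0x402010 and the filler bytes are assumptions chosen for the demonstration; they are not bytes from the sample whose hashes are listed above.

```python
import re
import struct

# Logical signature exactly as posted in the thread (one subsignature,
# logical expression "0", target 1 = PE).
LDB_SIG = ("Win.Downloader.Agent;Target:1;0;"
           "6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*"
           "6A0D68????400068????4000FF15*6A0D68????400068????4000FF15*"
           "6A0D68????400068????4000FF15*"
           "BE0000000056B8FFFFFFFF508D15????4000FF12*89E2*FF22")


def ldb_to_ndb(ldb):
    """Rewrite a logical (.ldb) signature that has a single subsignature and
    the expression '0' into the extended (.ndb) form Name:Target:Offset:Hex.
    Offset '*' means the pattern may occur anywhere in the file."""
    fields = ldb.split(";")
    if len(fields) != 4:
        raise ValueError("expected Name;Target;Expr;Subsig (one subsignature)")
    name, target_desc, expr, subsig = fields
    if expr.strip() != "0":
        raise ValueError("only the trivial expression '0' folds into an ndb sig")
    m = re.fullmatch(r"Target:(\d+)", target_desc.strip())
    if m is None:
        raise ValueError("unsupported target descriptor: %r" % target_desc)
    return "%s:%s:*:%s" % (name, m.group(1), subsig)


def hexsig_to_regex(body):
    """Translate a hex body into a compiled bytes regex. Only the constructs
    this signature uses are handled: hex pairs (literal bytes), '??' (any
    one byte) and '*' (any run of bytes, possibly empty)."""
    tokens = re.findall(r"\*|\?\?|[0-9A-Fa-f]{2}", body)
    if "".join(tokens) != body:
        raise ValueError("unsupported construct in hex body")
    parts = []
    for tok in tokens:
        if tok == "*":
            parts.append(b".*?")
        elif tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def matches(body, data):
    """True if the hex body matches anywhere in data (offset '*')."""
    return hexsig_to_regex(body).search(data) is not None


def build_sample(repeats=5):
    """Constructed test blob shaped like the disassembly in the thread:
    the push/push/push/call block repeated, then mov esi,0 / push esi /
    mov eax,-1 / push eax / lea edx / call [edx], mov edx,esp, jmp [edx].
    Addresses are assumed values whose high bytes are 40 00 as the sig
    requires; the call target 0x402010 is arbitrary (the sig wildcards it)."""
    blob = bytearray(b"MZ" + b"\x90" * 14)
    for i in range(repeats):
        blob += b"\x6a\x0d"                                # push 0xd
        blob += b"\x68" + struct.pack("<I", 0x40408E)      # push 0x40408e
        blob += b"\x68" + struct.pack("<I", 0x404084)      # push 0x404084
        blob += b"\xff\x15" + struct.pack("<I", 0x402010)  # call dword [imp]
        blob += b"\x90" * (3 + i)                          # filler between repeats
    blob += b"\xbe\x00\x00\x00\x00"                        # mov esi, 0
    blob += b"\x56"                                        # push esi
    blob += b"\xb8\xff\xff\xff\xff"                        # mov eax, 0xffffffff
    blob += b"\x50"                                        # push eax
    blob += b"\x8d\x15" + struct.pack("<I", 0x40407C)      # lea edx, [0x40407c]
    blob += b"\xff\x12"                                    # call dword [edx]
    blob += b"\x90\x90"
    blob += b"\x89\xe2"                                    # mov edx, esp
    blob += b"\x90"
    blob += b"\xff\x22"                                    # jmp dword [edx]
    return bytes(blob)


if __name__ == "__main__":
    ndb = ldb_to_ndb(LDB_SIG)
    body = ndb.split(":", 3)[3]
    print(ndb)
    print("5 repeats:", matches(body, build_sample(5)))
    print("4 repeats:", matches(body, build_sample(4)))
    print("jmp removed:", matches(body, build_sample(5)[:-2]))
```

The negative checks are the useful part: a blob with only four push/push/push/call blocks, or one missing the final jmp dword [edx], must not match, which confirms the five repeats and the tail are all load-bearing in the signature rather than redundant. The lazy `.*?` used for `*` keeps the regex close to ClamAV's "any number of bytes" semantics; it is a reference matcher for reasoning about the pattern, not a substitute for testing the .ndb with clamscan.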