[Community-sigs] new sig Win.Downloader.Kuluoz
andreisaygo at live.ie
Fri Dec 12 10:50:56 EST 2014
Sig (on the obfuscator):
Win.Downloader.Kuluoz.2:1:*:FF15????????EB??{3-5}C38B65E8*6802010000FF*C745FCFEFFFFFF*C645????C645????C645????C645????C645????C645????8D
FF15???????? call dword [Heap...] ; will crash here
EB?? jmp 0xf1123b6
//(skip 3-5 bytes)
33C0 xor eax, eax
40 inc eax
or
B801000000 mov eax, 1
*C3 ret
8B65E8 mov esp, dword [ss:ebp+0xffffffe8]
6802010000 push 0x102 ; compression format
FF call ; RtlDecompressBuffer
*C745FCFEFFFFFF mov dword [ss:ebp+0xfffffffc], 0xfffffffe ; XREF=sub_f112257+288
//fill string with API name
C645???? mov byte [ss:ebp+0xffffffdf],
C645???? mov byte [ss:ebp+0xffffffdf],
C645???? mov byte [ss:ebp+0xffffffdf],
C645???? mov byte [ss:ebp+0xffffffe0],
C645???? mov byte [ss:ebp+0xffffffe1],
C645???? mov byte [ss:ebp+0xffffffe2],
8D lea eax, dword [ss:ebp+0xffffffd4]
MD5: d513bc67e078cd1bf8964e0abca63935
SHA1: 95ef6e886594d081c95a97d314ee4e68a076ec1f
SHA256: 6cc8cd11080b3784377f3340b2eb8243bb7ee3a2650dbf2d46367365c4352f9c
Regards,
Andrei Saygo
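As an added example (not part of the post and not ClamAV's own matcher), a small Python routine that translates the .ndb hex-signature syntax used above (`??` nibble wildcards, `*`, `{3-5}`) into a bytes regex and runs the Kuluoz signature over a constructed byte string laid out like the quoted disassembly; the call targets and the imm8 values written into the API-name buffer are made up, and only the subset of the signature syntax the post uses is handled.

```python
import re

def clam_hex_to_regex(hexsig):
    """Compile a ClamAV body-signature hex string to a bytes regex. Assumption: only
    the subset used on the page: literal bytes, '?' nibble wildcards, '*', {n-m} gaps."""
    s, out, i = hexsig.lower(), [], 0
    while i < len(s):
        if s[i] == '*':                              # any number of bytes
            out.append(b'.*?'); i += 1
        elif s[i] == '{':                            # {n}, {n-m}, {-m}, {n-} byte gaps
            j = s.index('}', i)
            lo, dash, hi = s[i + 1:j].partition('-')
            lo = int(lo or 0)
            out.append(b'.{%d}' % lo if not dash else
                       b'.{%d,%d}' % (lo, int(hi)) if hi else b'.{%d,}' % lo)
            i = j + 1
        else:                                        # one byte, possibly nibble-wildcarded
            hn, ln = s[i], s[i + 1]
            if hn == '?' and ln == '?':
                out.append(b'.')
            elif ln == '?':                          # 4? -> 0x40..0x4f
                b = int(hn, 16) << 4
                out.append(b'[' + re.escape(bytes([b])) + b'-' + re.escape(bytes([b + 15])) + b']')
            elif hn == '?':                          # ?4 -> 0x04, 0x14, ..., 0xf4
                out.append(b'[' + b''.join(re.escape(bytes([(h << 4) | int(ln, 16)]))
                                           for h in range(16)) + b']')
            else:
                out.append(re.escape(bytes.fromhex(hn + ln)))
            i += 2
    return re.compile(b''.join(out), re.DOTALL)

def ndb_match(sig_line, data):
    """Apply one .ndb line (Name:Target:Offset:Hex) to data and return the name on a
    hit. Assumption: Offset is '*' (anywhere) or a plain decimal file offset."""
    name, _target, offset, hexsig = sig_line.split(':', 3)
    pat = clam_hex_to_regex(hexsig)
    hit = pat.search(data) if offset == '*' else pat.match(data, int(offset))
    return name if hit else None

KULUOZ_SIG = ('Win.Downloader.Kuluoz.2:1:*:FF15????????EB??{3-5}C38B65E8*6802010000FF*'
              'C745FCFEFFFFFF*C645????C645????C645????C645????C645????C645????8D')

# Constructed bytes laid out like the post's disassembly; call targets and imm8 values are made up.
SAMPLE = bytes.fromhex(
    'ff1500104000' 'eb0c'                   # call dword [mem]; jmp
    '33c04090' 'c3'                         # xor eax,eax / inc eax / nop (4 bytes, inside {3-5}); ret
    '8b65e8' '6802010000' 'ff1504104000'    # mov esp,[ebp-0x18]; push 0x102; call dword [mem]
    'c745fcfeffffff'                        # mov dword [ebp-4], 0xfffffffe
    'c645df41c645df42c645df43c645e044c645e145c645e246'   # six mov byte [ebp+x], imm8
    '8d45d4')                               # lea eax, [ebp-0x2c]
```

Stretching the filler between the jmp and the ret past five bytes makes the `{3-5}` gap fail and the signature no longer fires, which is the usual way to check that a wildcard range is neither too loose nor too tight.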