[Community-sigs] new sig Win.Downloader.Kuluoz

andreisaygo at live.ie andreisaygo at live.ie
Fri Dec 12 10:50:56 EST 2014


Sig (on the obfuscator):
Win.Downloader.Kuluoz.2:1:*:FF15????????EB??{3-5}C38B65E8*6802010000FF*C745FCFEFFFFFF*C645????C645????C645????C645????C645????C645????8D


FF15????????            call       dword [Heap...] ; will crash here
EB??                    jmp        0xf1123b6

// (skip 3-5 bytes)
33C0                    xor        eax, eax
40                      inc        eax
or
B801000000              mov        eax, 1

* C3                    ret
8B65E8                  mov        esp, dword [ss:ebp+0xffffffe8]
6802010000              push       0x102 ; compression format
FF                      call       ; RtlDecompressBuffer
* C745FCFEFFFFFF        mov        dword [ss:ebp+0xfffffffc], 0xfffffffe ; XREF=sub_f112257+288

// fill string with API name
C645????                mov        byte [ss:ebp+0xffffffdf],
C645????                mov        byte [ss:ebp+0xffffffdf],
C645????                mov        byte [ss:ebp+0xffffffdf],
C645????                mov        byte [ss:ebp+0xffffffe0],
C645????                mov        byte [ss:ebp+0xffffffe1],
C645????                mov        byte [ss:ebp+0xffffffe2],
8D                      lea        eax, dword [ss:ebp+0xffffffd4]

MD5: d513bc67e078cd1bf8964e0abca63935
SHA1: 95ef6e886594d081c95a97d314ee4e68a076ec1f
SHA256: 6cc8cd11080b3784377f3340b2eb8243bb7ee3a2650dbf2d46367365c4352f9c

Regards,
Andrei Saygo
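The signature above follows the ClamAV .ndb layout MalwareName:TargetType:Offset:HexSignature, where ?? is a one-byte wildcard, * matches any run of bytes and {3-5} matches three to five bytes. The matcher below is an added example (not code from the post or from ClamAV) that compiles that subset of the hex-signature syntax into a bytes regex and runs it over a STUB byte string constructed here to follow the listed disassembly, with made-up addresses and immediates.

```python
import re

# Signature from the post, in ClamAV .ndb layout: Name:TargetType:Offset:HexSig
KULUOZ_SIG = ("Win.Downloader.Kuluoz.2:1:*:"
              "FF15????????EB??{3-5}C38B65E8*6802010000FF*C745FCFEFFFFFF"
              "*C645????C645????C645????C645????C645????C645????8D")

def hexsig_to_regex(hexsig):
    """Compile the hex-signature subset used above into a bytes regex: literal
    bytes, '?' nibble wildcards ('??' = any byte), '*' (any number of bytes) and
    '{n-m}' byte ranges. Other ClamAV syntax is not handled by this example."""
    out, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            out.append(".*?")
            i += 1
        elif hexsig[i] == "{":
            lo, dash, hi = hexsig[i + 1:hexsig.index("}", i)].partition("-")
            out.append(".{%s,%s}" % (lo or 0, hi if dash else lo))  # '{3-}' -> 3 or more
            i = hexsig.index("}", i) + 1
        else:
            h, l = hexsig[i], hexsig[i + 1]
            if h == "?" and l == "?":
                out.append(".")
            elif "?" in (h, l):  # one nibble fixed: enumerate the 16 possible bytes
                fixed = int(l if h == "?" else h, 16)
                vals = [(v << 4 | fixed) if h == "?" else (fixed << 4 | v) for v in range(16)]
                out.append("[" + "".join(r"\x%02x" % v for v in vals) + "]")
            else:
                out.append(r"\x%02x" % int(h + l, 16))
            i += 2
    return re.compile("".join(out).encode(), re.DOTALL)

def scan(data, sig):
    """Return the signature name if it fires on data, else None.
    Offset '*' means anywhere; a numeric offset anchors the match there."""
    name, _target, offset, rest = sig.split(":", 3)
    pat = hexsig_to_regex(rest.split(":")[0])  # drop optional MinFL/MaxFL fields
    hit = pat.search(data) if offset == "*" else pat.match(data, int(offset))
    return name if hit else None

# Constructed stub modelled on the disassembly in the post (addresses are made up).
STUB = bytes.fromhex(
    "FF15 10204000"     # call dword [0x402010]
    "EB 05"             # jmp rel8
    "33C0 40"           # xor eax, eax ; inc eax   (3 bytes, inside the {3-5} gap)
    "C3"                # ret
    "8B65E8"            # mov esp, dword [ebp-0x18]
    "68 02010000"       # push 0x102 ; compression format
    "FF15 20204000"     # call dword [0x402020] ; RtlDecompressBuffer
    "C745FC FEFFFFFF"   # mov dword [ebp-4], 0xfffffffe
    "C645DF 4C C645E0 6F C645E1 61 C645E2 64 C645E3 4C C645E4 69"  # API name bytes
    "8D45D4"            # lea eax, dword [ebp-0x2c]
)
```

Replacing the three-byte xor/inc pair with the five-byte mov eax, 1 form still matches, since the {3-5} range covers both variants the post lists.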