[Community-sigs] new sig: Win.Dropper.Agent
andreisaygo at live.ie
Wed Dec 17 06:30:59 EST 2014
Sig:
Win.Dropper.Agent;Target:1;(0|1|2|3|4|5)>3,3;66390174084066833C410075F8;FF15????????813E6366686475E0;4D69635F4E65745F43464724;5C737663686F7374642E657865;5C4E73686B5C7472756E6B5C436F64655C5261696E626F77;72756E004D006900630072006F0073006F00660074005C00410064006F00620065005C00740065006D0070
Hashes:
MD5: 55945e22c0f49c788ba6d2d5cde9897a
SHA1: 65558148cdaea77b20b3b6eb506b626b819a8a47
SHA256: b6818ce4e928f5dff0b74c27d75628560ead5bf03be830ed73fbcd1641eab9b4
//Sig0
//get unicode string length
663901 cmp word [ds:ecx], ax
7408 je 0x404008
40 inc eax
66833C4100 cmp word [ds:ecx+eax*2], 0x0
75F8 jne 0x404000
//Sig1
FF1518D04000 call dword [ds:imp_CloseHandle]
813E63666864 cmp dword [ds:esi], 'cfhd'
75E0 jne 0x402a02
//Sig2: Mic_Net_CFG$
4D69635F4E65745F43464724
//Sig3: \svchostd.exe
5C737663686F7374642E657865
//Sig4: \Nshk\trunk\Code\Rainbow
5C4E73686B5C7472756E6B5C436F64655C5261696E626F77
//Sig5: runMicrosoft\Adobe\temp
72756E004D006900630072006F0073006F00660074005C00410064006F00620065005C00740065006D0070
Regards,
Andrei Saygo
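To see how the logical expression in this submission combines its six hex subsignatures, here is a small Python matcher that parses the `.ldb` line above and evaluates it against a byte buffer. This is an added example written for this page; it is neither part of the post nor ClamAV's own code, and it handles only a subset of the signature syntax (literal hex, `??`, `*`, `{n}` and `{n-m}`, and a single flat `|`/`&` group with an optional count modifier). The reading of `>X,Y` used here (total hits over the listed subsigs must be greater than X and the number of distinct subsigs that hit must be greater than Y) is an assumption about the ldb count syntax, not something verified against libclamav. The two test buffers are constructed, not real samples. For anything beyond a quick sanity check, load the signature into ClamAV itself (`clamscan -d sig.ldb <file>`), which is the authoritative matcher.

```python
import re
from typing import Dict, List, Optional, Tuple

# The .ldb line from the post, copied verbatim as the sample signature.
SIG_LINE = (
    "Win.Dropper.Agent;Target:1;(0|1|2|3|4|5)>3,3;"
    "66390174084066833C410075F8;"
    "FF15????????813E6366686475E0;"
    "4D69635F4E65745F43464724;"
    "5C737663686F7374642E657865;"
    "5C4E73686B5C7472756E6B5C436F64655C5261696E626F77;"
    "72756E004D006900630072006F0073006F00660074005C00410064006F00620065005C00740065006D0070"
)

# Flat logical expression: subsig ids joined by | or &, with an optional
# count modifier =X / <X / >X and an optional ",Y" distinct-subsig part.
# ClamAV also allows nested groups; this toy evaluator does not.
EXPR_RE = re.compile(r"^\((\d+(?:[|&]\d+)*)\)(?:([=<>])(\d+)(?:,(\d+))?)?$")


def parse_ldb(line: str) -> Tuple[str, str, str, List[str]]:
    """Split 'Name;TargetBlock;LogicalExpr;Sub0;Sub1;...' into its fields."""
    name, target, expr, *subsigs = line.strip().split(";")
    if not subsigs:
        raise ValueError("ldb line has no subsignatures")
    return name, target, expr, subsigs


def subsig_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Compile a hex subsignature to a bytes regex.

    Handled: literal hex bytes, '??' (any one byte), '*' (any run of bytes)
    and '{n}' / '{n-m}' fixed or bounded gaps. Other ldb syntax raises.
    """
    parts: List[bytes] = []
    i = 0
    while i < len(hexsig):
        tok = hexsig[i : i + 2]
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i] == "{":
            end = hexsig.index("}", i)
            lo, _, hi = hexsig[i + 1 : end].partition("-")
            hi = hi or lo  # '{n}' is an exact gap of n bytes
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
            i = end + 1
        elif tok == "??":
            parts.append(b".")
            i += 2
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes.fromhex(tok)))
            i += 2
        else:
            raise ValueError(f"unsupported subsig syntax at {hexsig[i:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def evaluate(expr: str, hits: Dict[int, int]) -> bool:
    """Evaluate the logical expression against per-subsig hit counts.

    Assumed reading of '(ids)opX,Y': the total hit count over the listed
    subsigs must satisfy 'op X' and the number of distinct subsigs that hit
    must satisfy 'op Y'. Without a modifier, '|' needs any hit and '&' all.
    """
    m = EXPR_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported logical expression: {expr}")
    group, op, x, y = m.groups()
    ids = [int(t) for t in re.split(r"[|&]", group)]
    total = sum(hits.get(i, 0) for i in ids)
    uniq = sum(1 for i in ids if hits.get(i, 0) > 0)
    if op is None:
        return uniq == len(ids) if "&" in group else uniq > 0
    cmp = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}[op]
    ok = cmp(total, int(x))
    if y is not None:
        ok = ok and cmp(uniq, int(y))
    return ok


def scan(data: bytes, line: str = SIG_LINE) -> Tuple[Optional[str], Dict[int, int]]:
    """Return (signature name or None, per-subsig hit counts) for a buffer."""
    name, _target, expr, subsigs = parse_ldb(line)
    hits = {i: len(subsig_to_regex(s).findall(data)) for i, s in enumerate(subsigs)}
    return (name if evaluate(expr, hits) else None), hits


# Constructed buffers (not real samples). The first carries subsigs 1-4, with
# four filler bytes standing in for the import address that '????????' covers;
# the second repeats a single string, so it has many hits but one distinct subsig.
SAMPLE_HIT = (
    b"\x00" * 8
    + bytes.fromhex("FF15") + b"\x10\xd0\x40\x00" + bytes.fromhex("813E6366686475E0")
    + b"\x00" * 4
    + b"Mic_Net_CFG$"
    + b"\\svchostd.exe"
    + b"\\Nshk\\trunk\\Code\\Rainbow"
)
SAMPLE_REPEAT = b"\\svchostd.exe" * 6


if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("repeat", SAMPLE_REPEAT)):
        print(label, scan(buf))
```

The second buffer is the instructive case: six hits of subsig 3 satisfy the `>3` total, but only one distinct subsignature fired, so the `,3` part fails and the signature does not match. That is what the `,Y` suffix buys over a plain hit count, and why a string that also appears in clean files (a path or a service name on its own) does not trigger this signature by itself.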