[Community-sigs] new Kuluoz sigs (dropper/injector and backdoor)
andreisaygo at live.ie
andreisaygo at live.ie
Fri Dec 19 09:21:30 EST 2014
Win.Dropper.Kuluoz;Target:1;(0|1|2|3)>3,3;506A008B4D08516A1E68B40000006A0F6A14680000004068??????0068??????006A00FF15??????00;526A008B4508506A1E68B40000006A326A14680400004068??????0068??????006A00FF15??????00;68C80000006A6868110100008B4D0851FF15??????00;5300650072006100660069006D00000045006C00690074004500
Win.Backdoor.Kuluoz;Target:1;0|(1&2)|3;2338302E37382E3234372E3134363A343433233138352E33312E3136312E31333A3434332334362E3136352E3232382E3139363A343433233138352E32302E3232352E35383A3434332339312E3233372E3139382E39333A343433233139342E35382E39372E3232313A3434332338332E3137322E382E36313A34343323;817D0C443322117507C605????????01;5C53797374656D33325C737663686F73742E657865*5C43757272656E7456657273696F6E;67657466696C650072756E5F6D656D0072756E5F66696C65*72616E646F6D5F636D64
Win.Dropper.Kuluoz---------------------------
Sig0:
50 push eax
6A00 push 0
8B4D08 mov ecx,[ebp][8]
51 push ecx
6A1E push 01E
68B4000000 push 0000000B4
6A0F push 00F
6A14 push 014
6800000040 push 040000000
68E4D64000 push 00040D6E4
6868074100 push 000410768
6A00 push 0
FF1548D14000 call CreateWindowExW
Sig1:
52 push edx
6A00 push 0
8B4508 mov eax,[ebp][8]
50 push eax
6A1E push 01E
68B4000000 push 0000000B4
6A32 push 032
6A14 push 014
6804000040 push 040000004
6888074100 push 000410788
6854074100 push 000410754
6A00 push 0
FF1548D14000 call CreateWindowExW
Sig2:
68C8000000 push 0000000C8
6A68 push 068
6811010000 push 000000111
8B4D08 mov ecx,[ebp][8]
51 push ecx
FF153CD14000 call SendMessageA
Sig3:
S.e.r.a.f.i.m...E.l.i.t.E...  (the UTF-16LE strings "Serafim" and "ElitE"; the dots are the interleaved null bytes shown in the hex)
Win.Backdoor.Kuluoz-----------------------------
Sig0:
#80.78.247.146:443
#185.31.161.13:443
#46.165.228.196:443
#185.20.225.58:443
#91.237.198.93:443
#194.58.97.221:443
#83.172.8.61:443
Sig1:
81 7D 0C 44 33 22 11 cmp [ebp+arg_4], 11223344h
75 07 jnz short loc_9504E5E
C6 05 ?? ?? ?? ?? 01 mov byte_9506250, 1
Sig2:
\System32\svchost.exe*\CurrentVersion
Sig3:
getfile run_mem run_file random_cmd
Win.Dropper.Kuluoz
MD5: 64a270392b4d987eba1990baa7e3ebb6
SHA1: 87bf525408bcb02808113de26130bb36a1ad3cc5
SHA256: 89ecff8e6c1d30429a026ad8ff800a9da9031f91c683fbbd3d5ba7aaf6490ac2
Win.Backdoor.Kuluoz
MD5: 3970826f0cc0eb986e5d870cc7794bd1
SHA1: 20edb85975b7e4d0cc4e280ff6e553768d207001
SHA256: f76bfd77e6de9496210de7699ad985dd4274cf37c3b1c6dfad215b44583b1a14
Regards,
Andrei Saygo