[Community-sigs] new Kuluoz sigs (dropper/injector and backdoor)
Shaun Hurley
shahurle at sourcefire.com
Fri Dec 19 11:08:56 EST 2014
Andrei,
These signatures have been submitted for FP testing.
Thank you,
Shaun Hurley
On Fri, Dec 19, 2014 at 9:21 AM, <andreisaygo at live.ie> wrote:
>
> Win.Dropper.Kuluoz;Target:1;(0|1|2|3)>3,3;506A008B4D08516A1E68B40000006A0F6A14680000004068??????0068??????006A00FF15??????00;526A008B4508506A1E68B40000006A326A14680400004068??????0068??????006A00FF15??????00;68C80000006A6868110100008B4D0851FF15??????00;5300650072006100660069006D00000045006C00690074004500
>
>
> Win.Backdoor.Kuluoz;Target:1;0|(1&2)|3;2338302E37382E3234372E3134363A343433233138352E33312E3136312E31333A3434332334362E3136352E3232382E3139363A343433233138352E32302E3232352E35383A3434332339312E3233372E3139382E39333A343433233139342E35382E39372E3232313A3434332338332E3137322E382E36313A34343323;817D0C443322117507C605????????01;5C53797374656D33325C737663686F73742E657865*5C43757272656E7456657273696F6E;67657466696C650072756E5F6D656D0072756E5F66696C65*72616E646F6D5F636D64
>
>
> Win.Dropper.Kuluoz---------------------------
> Sig0:
> 50 push eax
> 6A00 push 0
> 8B4D08 mov ecx,[ebp][8]
> 51 push ecx
> 6A1E push 01E
> 68B4000000 push 0000000B4
> 6A0F push 00F
> 6A14 push 014
> 6800000040 push 040000000
> 68E4D64000 push 00040D6E4
> 6868074100 push 000410768
> 6A00 push 0
> FF1548D14000 call CreateWindowExW
>
> Sig1:
> 52 push edx
> 6A00 push 0
> 8B4508 mov eax,[ebp][8]
> 50 push eax
> 6A1E push 01E
> 68B4000000 push 0000000B4
> 6A32 push 032
> 6A14 push 014
> 6804000040 push 040000004
> 6888074100 push 000410788
> 6854074100 push 000410754
> 6A00 push 0
> FF1548D14000 call CreateWindowExW
>
> Sig2:
> 68C8000000 push 0000000C8
> 6A68 push 068
> 6811010000 push 000000111
> 8B4D08 mov ecx,[ebp][8]
> 51 push ecx
> FF153CD14000 call SendMessageA
>
> Sig3:
> S.e.r.a.f.i.m...E.l.i.t.E...
>
>
> Win.Backdoor.Kuluoz-----------------------------
> Sig0:
> #80.78.247.146:443
> #185.31.161.13:443
> #46.165.228.196:443
> #185.20.225.58:443
> #91.237.198.93:443
> #194.58.97.221:443
> #83.172.8.61:443
>
> Sig1:
> 81 7D 0C 44 33 22 11 cmp [ebp+arg_4], 11223344h
> 75 07 jnz short loc_9504E5E
> C6 05 ?? ?? ?? ?? 01 mov byte_9506250, 1
>
> Sig2:
> \System32\svchost.exe*\CurrentVersion
>
> Sig3:
> getfile run_mem run_file random_cmd
>
>
> Win.Dropper.Kuluoz
> MD5: 64a270392b4d987eba1990baa7e3ebb6
> SHA1: 87bf525408bcb02808113de26130bb36a1ad3cc5
> SHA256: 89ecff8e6c1d30429a026ad8ff800a9da9031f91c683fbbd3d5ba7aaf6490ac2
>
>
> Win.Backdoor.Kuluoz
> MD5: 3970826f0cc0eb986e5d870cc7794bd1
> SHA1: 20edb85975b7e4d0cc4e280ff6e553768d207001
> SHA256: f76bfd77e6de9496210de7699ad985dd4274cf37c3b1c6dfad215b44583b1a14
>
>
> Regards,
> Andrei Saygo
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
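The two logical signatures quoted above follow the ClamAV .ldb layout (`Name;Target:N;LogicalExpression;Sub0;Sub1;...`). As an added example, not code from the post, from Andrei, or from ClamAV itself, the matcher below parses those two lines and runs them over sample buffers built from the opcode bytes in the listings. It assumes a simplified reading of the syntax: `??` is one arbitrary byte, `*` is any run of bytes, `|` and `&` are applied left to right with parentheses grouping, and a trailing `>n,m` means the summed hit count of the bracketed term exceeds n with at least m distinct subsignatures matched. The filler bytes, the fragment order, and the four address bytes behind the `??` wildcards in the backdoor listing are constructed values.

```python
import re

# Signature lines exactly as posted above (ClamAV .ldb layout:
# Name;Target:N;LogicalExpression;Sub0;Sub1;...).
KULUOZ_LDB = [
    "Win.Dropper.Kuluoz;Target:1;(0|1|2|3)>3,3;"
    "506A008B4D08516A1E68B40000006A0F6A14680000004068??????0068??????006A00FF15??????00;"
    "526A008B4508506A1E68B40000006A326A14680400004068??????0068??????006A00FF15??????00;"
    "68C80000006A6868110100008B4D0851FF15??????00;"
    "5300650072006100660069006D00000045006C00690074004500",
    "Win.Backdoor.Kuluoz;Target:1;0|(1&2)|3;"
    "2338302E37382E3234372E3134363A343433233138352E33312E3136312E31333A3434332334362E3136352E3232382E3139363A343433233138352E32302E3232352E35383A3434332339312E3233372E3139382E39333A343433233139342E35382E39372E3232313A3434332338332E3137322E382E36313A34343323;"
    "817D0C443322117507C605????????01;"
    "5C53797374656D33325C737663686F73742E657865*5C43757272656E7456657273696F6E;"
    "67657466696C650072756E5F6D656D0072756E5F66696C65*72616E646F6D5F636D64",
]


def subsig_to_regex(hexsig):
    """Turn one hex subsignature into a compiled bytes regex.
    Assumption: only the two wildcards used in the posted signatures are handled,
    '??' (exactly one arbitrary byte) and '*' (any run of bytes, matched lazily)."""
    pieces = []
    for chunk in hexsig.split("*"):
        if len(chunk) % 2:
            raise ValueError("odd-length hex chunk in %r" % hexsig)
        pat = b""
        for i in range(0, len(chunk), 2):
            pair = chunk[i:i + 2]
            pat += b"." if pair == "??" else re.escape(bytes.fromhex(pair))
        pieces.append(pat)
    return re.compile(b".*?".join(pieces), re.DOTALL)


def parse_ldb(line):
    name, target, expr, *subs = line.split(";")
    return {"name": name, "target": target, "expr": expr,
            "subs": [subsig_to_regex(s) for s in subs]}


def evaluate(expr, counts):
    """Evaluate a logical expression against per-subsignature hit counts.
    Simplified reading (an assumption, not ClamAV's own parser): '|' and '&' are
    applied left to right, parentheses group, and a trailing '>n', '=n' or '<n'
    compares the summed hit count of the preceding term; an optional ',m' also
    requires at least m distinct subsignatures in that term to have matched.
    Every term evaluates to (matched, total_hits, distinct_subsigs_hit)."""
    tokens = re.findall(r"\d+|[()|&]|[<>=]\d+(?:,\d+)?", expr)
    pos = 0

    def term():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = expression()
            if tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            pos += 1
        else:
            hits = counts[int(tok)]
            val = (hits > 0, hits, 1 if hits else 0)
        if pos < len(tokens) and tokens[pos][0] in "<>=":
            op, rest = tokens[pos][0], tokens[pos][1:]
            pos += 1
            n, _, m = rest.partition(",")
            total_ok = {"<": val[1] < int(n), "=": val[1] == int(n), ">": val[1] > int(n)}[op]
            distinct_ok = val[2] >= int(m) if m else True
            val = (total_ok and distinct_ok, val[1], val[2])
        return val

    def expression():
        nonlocal pos
        left = term()
        while pos < len(tokens) and tokens[pos] in ("|", "&"):
            op = tokens[pos]
            pos += 1
            right = term()
            matched = (left[0] or right[0]) if op == "|" else (left[0] and right[0])
            left = (matched, left[1] + right[1], left[2] + right[2])
        return left

    return expression()[0]


def scan(data, sig):
    """Return (detected, per-subsignature hit counts) for one buffer and one signature."""
    counts = [sum(1 for _ in rx.finditer(data)) for rx in sig["subs"]]
    return evaluate(sig["expr"], counts), counts


# Constructed sample buffers: the opcode bytes are the raw listings from the post,
# the filler and the arrangement of fragments are my own.
DROPPER_SIG0 = bytes.fromhex("50 6A00 8B4D08 51 6A1E 68B4000000 6A0F 6A14 6800000040 68E4D64000 6868074100 6A00 FF1548D14000")
DROPPER_SIG1 = bytes.fromhex("52 6A00 8B4508 50 6A1E 68B4000000 6A32 6A14 6804000040 6888074100 6854074100 6A00 FF1548D14000")
DROPPER_SIG2 = bytes.fromhex("68C8000000 6A68 6811010000 8B4D08 51 FF153CD14000")
DROPPER_SIG3 = "Serafim\0ElitE".encode("utf-16-le")  # the wide string in Sig3
# 50 62 50 09 is a constructed little-endian operand (0x09506250); the '??' wildcards accept any four bytes.
BACKDOOR_SIG1 = bytes.fromhex("81 7D 0C 44 33 22 11 75 07 C6 05 50 62 50 09 01")
BACKDOOR_SIG2 = b"\\System32\\svchost.exe" + b"\x00" * 6 + b"\\CurrentVersion"
BACKDOOR_C2 = b"#80.78.247.146:443#185.31.161.13:443#46.165.228.196:443#185.20.225.58:443#91.237.198.93:443#194.58.97.221:443#83.172.8.61:443#"
FILLER = b"\x90" * 16

SAMPLES = {
    "dropper_one_subsig": FILLER + DROPPER_SIG0 + FILLER,
    "dropper_same_subsig_x4": (DROPPER_SIG0 + FILLER) * 4,   # 4 hits, but only 1 distinct subsig
    "dropper_all_four": FILLER.join([DROPPER_SIG0, DROPPER_SIG1, DROPPER_SIG2, DROPPER_SIG3]),
    "backdoor_path_only": FILLER + BACKDOOR_SIG2 + FILLER,   # subsig 2 alone: (1&2) not satisfied
    "backdoor_cmp_and_path": FILLER + BACKDOOR_SIG1 + FILLER + BACKDOOR_SIG2,
    "backdoor_c2_list": FILLER + BACKDOOR_C2 + FILLER,       # subsig 0 alone is enough under '0|...'
}
SIGS = {s["name"]: s for s in (parse_ldb(line) for line in KULUOZ_LDB)}


def scan_all():
    """Map (sample name, signature name) -> (detected, hit counts) for every pair."""
    return {(name, sig): scan(buf, SIGS[sig]) for name, buf in SAMPLES.items() for sig in SIGS}


if __name__ == "__main__":
    for (name, sig), (hit, counts) in sorted(scan_all().items()):
        print("%-24s %-20s %-5s hits=%s" % (name, sig, hit, counts))
```

The `dropper_same_subsig_x4` buffer is the case worth noticing when reading `(0|1|2|3)>3,3`: four hits on subsignature 0 alone satisfy the `>3` count but not the `,3` distinct-subsignature clause, so it does not fire, whereas one hit on each of the four subsignatures does.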