[Community-sigs] new sig: Win.Downloader.Upatre
Douglas Goddard
dgoddard at sourcefire.com
Fri Dec 19 11:10:08 EST 2014
This has passed FP testing and will be published today. Thank you!
On Fri, Dec 19, 2014 at 5:48 AM, <andreisaygo at live.ie> wrote:
>
> Sig:
>
> Win.Downloader.Upatre;Target:1;0|1;60B8??00000033DBB80000000003C46683C3??68??00000059C1C1??668BF0663BF10F87??000000;68447573658A5C0CFF8BD603D1885C10FF83E90185C975ED
>
> Sig0:
> 60 pushad
> B864000000 mov eax,000000064
> 33DB xor ebx,ebx
> B800000000 mov eax,0
> 03C4 add eax,esp
> 6683C301 add bx,1
> 68FF000000 push 0000000FF
> 59 pop ecx
> C1C108 rol ecx,8
> 668BF0 mov si,ax
> 663BF1 cmp si,cx
> 0F8715000000 ja .00040103D
>
>
> //check Duser.dll
> 6844757365 push 'esuD'
> 8A5C0CFF mov bl, [esp+ecx-1]
> 8BD6 mov edx, esi
> 03D1 add edx, ecx
> 885C10FF mov [eax+edx-1], bl
> 83E901 sub ecx, 1
> 85C9 test ecx, ecx
> 75ED jnz short loc_401261
>
>
> MD5: bc3d9392e0a96fd2c0b480b6ae43f3af
> SHA1: d11396bda23845e4db91b1735fde3b4ea1492bc0
> SHA256: d7fcd215f8d3e74be7f9d76c72c67dc2027e0f23c6de1a2ab07b508c6b9a536f
>
> MD5: f130b4c9581f47752a681a26a075dd76
> SHA1: 009260394b204bcd3f91fbe625ee3f56c18ac6ef
> SHA256: ef0717bce91c868c367b3bbac22a28fe4ec72a230ec96ae646cb76a850ec6358
>
> Regards,
> Andrei Saygo
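To show how a logical signature like the one Andrei posted is applied, here is an added Python example (not part of this thread and not ClamAV's own matcher). It splits the `.ldb` line into name, target block, logical expression and hex subsignatures, compiles each subsignature into a bytes regex (`??` matches any byte), evaluates `0|1`, and runs the result over a buffer constructed from the bytes in the two disassembly listings above. The buffer is synthetic and is not the PE whose hashes are listed; ClamAV itself also enforces `Target:1` (PE files only), which this example does not check. Support for `*`, `{n-m}` gaps and nibble wildcards goes beyond what this signature uses and follows the ClamAV signature format documentation; the `&`-over-`|` precedence in the evaluator is an assumption of the example, not a statement about ClamAV's parser.

```python
import re

# Logical signature from the post (ClamAV .ldb format:
# Name;Target:N;LogicalExpression;Subsig0;Subsig1;...)
UPATRE_LDB = (
    "Win.Downloader.Upatre;Target:1;0|1;"
    "60B8??00000033DBB80000000003C46683C3??68??00000059C1C1??668BF0663BF10F87??000000;"
    "68447573658A5C0CFF8BD603D1885C10FF83E90185C975ED"
)

# Constructed buffer: bytes transcribed from the two listings, placed at
# different offsets with filler. Not the sample with the hashes above.
LOOP_SETUP = bytes.fromhex(
    "60 B8 64 00 00 00 33 DB B8 00 00 00 00 03 C4 66 83 C3 01 "
    "68 FF 00 00 00 59 C1 C1 08 66 8B F0 66 3B F1 0F 87 15 00 00 00"
)
DUSER_CHECK = bytes.fromhex(
    "68 44 75 73 65 8A 5C 0C FF 8B D6 03 D1 88 5C 10 FF 83 E9 01 85 C9 75 ED"
)
SAMPLE = b"MZ" + b"\x00" * 62 + LOOP_SETUP + b"\xcc" * 17 + DUSER_CHECK + b"\x00" * 32


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Compile a ClamAV-style hex subsignature into a bytes regex.

    Handles plain hex bytes, '??' (any byte), nibble wildcards such as '6?'
    and '?8', '*' (any-length gap) and '{n}', '{n-m}', '{n-}', '{-m}' gaps.
    Anything else (alternatives, negation, anchors) is rejected rather than
    silently mis-compiled.
    """
    parts, i = [], 0
    while i < len(hexsig):
        c = hexsig[i]
        if c == "*":
            parts.append(b".*?")
            i += 1
        elif c == "{":
            j = hexsig.index("}", i)
            body = hexsig[i + 1:j]
            if "-" in body:
                lo, hi = body.split("-", 1)
                parts.append(b".{%b,%b}" % ((lo or "0").encode(), hi.encode()))
            else:
                parts.append(b".{%b}" % body.encode())
            i = j + 1
        elif c in "0123456789abcdefABCDEF?" and i + 1 < len(hexsig):
            hi_n, lo_n = hexsig[i], hexsig[i + 1]
            if hi_n == "?" and lo_n == "?":
                parts.append(b".")
            elif lo_n == "?":  # high nibble fixed: one contiguous byte range
                base = int(hi_n, 16) << 4
                parts.append(b"[\\x%02x-\\x%02x]" % (base, base + 0x0F))
            elif hi_n == "?":  # low nibble fixed: sixteen scattered byte values
                low = int(lo_n, 16)
                parts.append(b"[" + b"".join(b"\\x%02x" % ((h << 4) | low) for h in range(16)) + b"]")
            else:
                parts.append(b"\\x%02x" % int(hi_n + lo_n, 16))
            i += 2
        else:
            raise ValueError(f"unsupported hex signature syntax at offset {i}: {c!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def eval_logic(expr: str, hits: list) -> bool:
    """Evaluate a logical expression of subsignature indices, '&', '|' and
    parentheses over per-subsignature hit flags. '&' binds tighter than '|'
    here (an assumption of this example); match-count operators are not handled."""
    pos = 0

    def parse_or():
        nonlocal pos
        val = parse_and()
        while pos < len(expr) and expr[pos] == "|":
            pos += 1
            rhs = parse_and()
            val = val or rhs
        return val

    def parse_and():
        nonlocal pos
        val = parse_atom()
        while pos < len(expr) and expr[pos] == "&":
            pos += 1
            rhs = parse_atom()
            val = val and rhs
        return val

    def parse_atom():
        nonlocal pos
        if pos < len(expr) and expr[pos] == "(":
            pos += 1
            val = parse_or()
            if pos >= len(expr) or expr[pos] != ")":
                raise ValueError("unbalanced parenthesis in logical expression")
            pos += 1
            return val
        j = pos
        while j < len(expr) and expr[j].isdigit():
            j += 1
        if j == pos:
            raise ValueError(f"unsupported token in logical expression: {expr[pos:]!r}")
        idx = int(expr[pos:j])
        pos = j
        return bool(hits[idx])

    result = parse_or()
    if pos != len(expr):
        raise ValueError(f"trailing input in logical expression: {expr[pos:]!r}")
    return result


def scan(buf: bytes, ldb_line: str) -> dict:
    """Apply one .ldb signature to a buffer; returns per-subsig offsets and verdict."""
    name, target, logic, *subsigs = ldb_line.strip().split(";")
    offsets = []
    for sub in subsigs:
        m = hexsig_to_regex(sub).search(buf)
        offsets.append(m.start() if m else None)
    hits = [o is not None for o in offsets]
    return {"name": name, "target": target, "hits": hits, "offsets": offsets,
            "matched": eval_logic(logic, hits)}


if __name__ == "__main__":
    print(scan(SAMPLE, UPATRE_LDB))
```

Because the expression is `0|1`, a buffer containing only the `Duser` copy loop still fires; switching the expression to `0&1` would require both the stack-setup prologue and the loop to be present, which is the usual way to trade a little coverage for fewer false positives before a signature goes through FP testing.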