[Community-sigs] new sig: Win.VirTool.Injector for Kuluoz
andreisaygo at live.ie
andreisaygo at live.ie
Thu Nov 27 06:18:49 EST 2014
Signature:
Win.VirTool.Injector;Target:1;0&(1&2);8A88????????008C07????0000403D????000072EB;BE????????8DBD??FFFFFFA5A5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF65C685??FFFFFF61C685??FFFFFF47C685??FFFFFF54C685??FFFFFF43FF15;BE????????8DBD??FFFFFFA5A5A58D85??FFFFFFA450FF35????????C685??FFFFFF52C685??FFFFFF75C685??FFFFFF54C685??FFFFFF72FF15
Hashes:
MD5: d20da2e017d38cc72b606d003478bf30
SHA1: eb4ba96030b66fc75e7286fd13a36477310c9953
SHA256: 2998f372f9846f53fbb41b494c2e6b0e5ec77576ef26fd188e37e081f37d81e2
Sig0 (decryption routine):
; Sig0 -- the in-place decryption loop covered by the first subsignature.
; Subsignature bytes, instruction by instruction (IDA/Intel syntax, 32-bit):
;   8A 88 ?? ?? ?? ??        mov cl, [eax+disp32]       table address wildcarded
;   00 8C 07 ?? ?? 00 00     add [edi+eax+disp32], cl   low 16 bits of disp wildcarded,
;                                                       high 16 bits fixed at 0 (disp < 64K)
;   40                       inc eax
;   3D ?? ?? 00 00           cmp eax, imm32             loop count wildcarded, also < 64K
;   72 EB                    jb short -0x15             21 bytes = length of the 5 instructions
;                                                       above, i.e. back to the mov
; Pseudo-C: for (eax = 0; eax < 0x347C; eax++) buf[edi + 0x7530 + eax] += table[eax];
; The wildcards let the sig survive a rebuild that moves the table or shifts the
; buffer offset/length; the fixed bytes pin the loop shape (register choice,
; SIB form, short backward jb), which is what makes it specific.
mov cl, ds:byte_F114280[eax]    ; cl = table[eax]; per the author this table is the key stream
add [edi+eax+7530h], cl         ; buf[0x7530 + eax] += cl  (decrypt in place)
inc eax
cmp eax, 347Ch                  ; 0x347C = 13436 bytes in this sample
jb short loc_F1122F7            ; unsigned compare: loop while eax < 0x347C
Sig1:
; Sig1 -- API-name construction: a deliberately misspelled 16-char template
; is copied to a stack buffer, five bytes are then overwritten to yield
; "GetThreadContext", and the result is passed to the import the author
; identifies as GetProcAddress. Obfuscating the name this way keeps the
; plaintext string out of the binary, which is why the sig keys on the
; fix-up bytes rather than on the string itself.
; Subsignature bytes: BE imm32 / 8DBD disp32 / A5 A5 A5 A5 / 8D85 disp32 /
; A4 / 50 / FF35 [mem] / five C685 disp32 imm8 stores / FF15 [mem].
; Fixed: the imm8 values 'e' 'a' 'G' 'T' 'C' and the instruction shapes.
; Wildcarded: the string/import addresses and the low byte of each ebp displacement.
mov esi, offset aUetphrnndmonte ; "UetPhrNNdMontext" -- template, 16 chars + NUL
lea edi, [ebp-98h]              ; destination buffer on the stack
movsd                           ; 4 x movsd = 16 bytes copied
movsd
movsd
movsd
lea eax, [ebp-98h]              ; eax = &buffer, pushed as the name argument below
movsb                           ; esi/edi continue from the movsd: copies byte 16 (the NUL)
push eax                        ; name argument
push dword_F11A6B4              ; global dword; presumably the module handle if this is GetProcAddress
mov [ebp+var_92], 'e'           ; buf[6]:  'N' -> 'e'
mov [ebp+var_91], 'a'           ; buf[7]:  'N' -> 'a'
mov byte ptr [ebp+var_98], 'G'  ; buf[0]:  'U' -> 'G'
mov byte ptr [ebp+var_98+3], 'T'; buf[3]:  'P' -> 'T'
mov [ebp+var_8F], 'C'           ; buf[9]:  'M' -> 'C'   => "GetThreadContext"
call dword_F11A6C4              ; getprocaddress for GetThreadContext (author's identification)
Sig2:
; Sig2 -- same construction as Sig1 with a 12-char template: copy, patch
; four bytes to yield "ResumeThread", resolve through the same import slot
; (dword_F11A6C4) with the same global pushed first.
; Subsignature bytes: BE imm32 / 8DBD disp32 / A5 A5 A5 / 8D85 disp32 /
; A4 / 50 / FF35 [mem] / four C685 disp32 imm8 stores / FF15 [mem].
; Fixed: the imm8 values 52h 75h 54h 72h ('R' 'u' 'T' 'r') and the shapes;
; wildcarded: addresses and the low byte of each ebp displacement.
; The logical expression 0&(1&2) requires all three subsignatures, so a
; sample must show the decryption loop AND both name fix-ups to match.
mov esi, offset aJesemenhxead   ; "jesEmeNhXead" -- template, 12 chars + NUL
lea edi, [ebp-0B8h]             ; destination buffer on the stack
movsd                           ; 3 x movsd = 12 bytes copied
movsd
movsd
lea eax, [ebp-0B8h]             ; eax = &buffer, pushed as the name argument below
movsb                           ; copies byte 12 (the NUL)
push eax                        ; name argument
push dword_F11A6B4              ; same global as in Sig1
mov [ebp+var_B8], 52h           ; buf[0]: 'j' -> 'R'
mov byte ptr [ebp+var_B7+2], 75h; buf[3]: 'E' -> 'u'
mov [ebp+var_B2], 54h           ; buf[6]: 'N' -> 'T'
mov [ebp+var_B0], 72h           ; buf[8]: 'X' -> 'r'   => "ResumeThread"
call dword_F11A6C4              ; getprocaddress for ResumeThread (author's identification)
Regards, Andrei Saygo