[Community-sigs] new sig Win.Downloader.Dalexis

Shaun Hurley shahurle at sourcefire.com
Tue Jan 27 14:04:35 EST 2015


Andrei,

I've added this signature to the queue for false positive testing.
As soon as it comes back we will publish the signature.

Thank you for your submission,
Shaun Hurley

On Tue, Jan 27, 2015 at 10:32 AM, <andreisaygo at live.ie> wrote:

> Sig:
>
> Win.Downloader.Dalexis;Target:1;(0|1|2)>2,2;FF15????400083F8000F85????0000823D????4000010F82????000090909090;89E68B????2040005?68????4000FF2690909090;6C6F6B697461722E706462
>
> Hashes:
> MD5: 37a30abf6c798807ab896e7771ae130f
> SHA1: 5b25135c60c03be5449b3c7b1c8bfc6bcd74756e
> SHA256: f6c16ac3e0c062c3520f35016d4ece7db80ff724291f49a9b16cec3feb0e7c89
>
> Sig0:
> .text:00401198 FF 15 ?? ?? 40 00       call    ds:lstrcmpiA
> .text:0040119E 83 F8 00                cmp     eax, 0
> .text:004011A1 0F 85 ?? ?? 00 00       jnz     loc_4012F0
> .text:004011A7 82 3D ?? ?? 40 00 01    cmp     byte ptr dword_403215, 1
> .text:004011AE 0F 82 ?? ?? 00 00       jb      loc_401E9D
> .text:004011B4 90                      nop
> .text:004011B5 90                      nop
> .text:004011B6 90                      nop
> .text:004011B7 90                      nop
>
> Sig1:
> .text:004017F8 89 E6                   mov     esi, esp
> .text:004017FA 8B ?? ?? 20 40 00       mov     edx, ds:GetModuleHandleA
> .text:00401800 5?                      push    edx
> .text:00401801 68 ?? ?? 40 00          push    offset loc_401773
> .text:00401806 FF 26                   jmp     dword ptr [esi]
> .text:00401808 90 90 90 90
>
> Sig2:
> lokitar.pdb
>
> Regards,
> Andrei Saygo
>
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
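As an added worked example (this is not part of the submission above and not ClamAV's own code), the following Python scans a constructed buffer with the three subsignatures from the .ldb line, using a minimal reimplementation of the hex wildcards (`??` for a whole byte, `5?` for one nibble) and of the `(0|1|2)>2,2` expression. The expression semantics (summed match count greater than n, at least m distinct subsignatures hit) are my reading of the ClamAV logical-signature documentation, not libclamav. The buffer is assembled from the posted disassembly: the jump and call displacements follow from the listed addresses, while the two IAT slot addresses (the `??` bytes) are placeholders. It also shows why the `82 3D` byte pair is worth noticing: 0x82 is the undocumented 32-bit alias of opcode 0x80 (`cmp r/m8, imm8`), so a rebuild that uses the canonical 0x80 encoding no longer hits Sig0 and the whole signature stops firing.

```python
import re

# The logical signature exactly as posted to the list.
SIGNATURE = (
    "Win.Downloader.Dalexis;Target:1;(0|1|2)>2,2;"
    "FF15????400083F8000F85????0000823D????4000010F82????000090909090;"
    "89E68B????2040005?68????4000FF2690909090;"
    "6C6F6B697461722E706462"
)


def parse_logical_signature(sig):
    """Split an .ldb line into name, target block, logical expression, subsignatures."""
    name, target, expr, *subsigs = sig.split(";")
    return name, target, expr, subsigs


def compile_hex_pattern(pattern):
    """Compile a hex subsignature into (value, mask) byte pairs.

    Supported subset: fixed bytes, '??' (any byte) and 'x?' / '?x'
    (one nibble fixed). A mask bit of 1 means that bit must match.
    """
    if len(pattern) % 2:
        raise ValueError("odd-length hex pattern: %r" % pattern)
    out = []
    for i in range(0, len(pattern), 2):
        hi, lo = pattern[i], pattern[i + 1]
        value = mask = 0
        if hi != "?":
            value |= int(hi, 16) << 4
            mask |= 0xF0
        if lo != "?":
            value |= int(lo, 16)
            mask |= 0x0F
        out.append((value, mask))
    return out


def find_pattern(compiled, data):
    """Return every offset in data at which the compiled pattern matches."""
    n = len(compiled)
    return [off for off in range(len(data) - n + 1)
            if all((data[off + k] & m) == v for k, (v, m) in enumerate(compiled))]


def evaluate_expression(expr, counts):
    """Evaluate a '(a|b|c)>n,m' expression over per-subsignature match counts.

    Assumption (my reading of the ClamAV docs, not checked against libclamav):
    the summed count must exceed n and at least m distinct subsignatures must
    have matched at least once.
    """
    m = re.fullmatch(r"\((\d+(?:\|\d+)*)\)>(\d+),(\d+)", expr)
    if not m:
        raise ValueError("unsupported expression: %r" % expr)
    ids = [int(x) for x in m.group(1).split("|")]
    n, need_distinct = int(m.group(2)), int(m.group(3))
    total = sum(counts[i] for i in ids)
    distinct = sum(1 for i in ids if counts[i])
    return total > n and distinct >= need_distinct


def scan(sig, data):
    """Return (per-subsignature match counts, overall verdict) for one buffer."""
    _, _, expr, subsigs = parse_logical_signature(sig)
    counts = [len(find_pattern(compile_hex_pattern(s), data)) for s in subsigs]
    return counts, evaluate_expression(expr, counts)


def decode_literal(hexsig):
    """Turn a wildcard-free subsignature back into the bytes it matches."""
    return bytes.fromhex(hexsig)


# Constructed buffer built from the posted disassembly. IAT slot addresses
# (0x402034, 0x40203C) are placeholders; displacements come from the listing
# (0x4011A7 + 0x149 = 0x4012F0, 0x4011B4 + 0xCE9 = 0x401E9D).
SIG0_BYTES = bytes.fromhex(
    "FF15 3420 4000"      # call ds:lstrcmpiA
    "83F8 00"             # cmp eax, 0
    "0F85 4901 0000"      # jnz loc_4012F0
    "823D 1532 4000 01"   # cmp byte ptr dword_403215, 1  (0x82 = alias of 0x80)
    "0F82 E90C 0000"      # jb loc_401E9D
    "9090 9090"
)
SIG1_BYTES = bytes.fromhex(
    "89E6"                # mov esi, esp
    "8B15 3C20 4000"      # mov edx, ds:GetModuleHandleA
    "52"                  # push edx  (matches the 5? nibble wildcard)
    "6873 1740 00"        # push offset loc_401773
    "FF26"                # jmp dword ptr [esi]
    "9090 9090"
)
SAMPLE = (b"\x00" * 16 + SIG0_BYTES + b"\xCC" * 8 + SIG1_BYTES
          + b"\x00" * 8 + b"lokitar.pdb\x00")

# Same buffer, but the cmp encoded with the canonical 0x80 opcode: Sig0 misses,
# only two subsignatures are left, and (0|1|2)>2,2 is no longer satisfied.
SAMPLE_CANONICAL_CMP = SAMPLE.replace(b"\x82\x3D", b"\x80\x3D", 1)


if __name__ == "__main__":
    print(decode_literal("6C6F6B697461722E706462"))
    print(scan(SIGNATURE, SAMPLE))
    print(scan(SIGNATURE, SAMPLE_CANONICAL_CMP))
```

Running it prints the decoded Sig2 string, then `([1, 1, 1], True)` for the constructed buffer and `([0, 1, 1], False)` for the variant with the canonical cmp encoding. The per-nibble mask is what lets `5?` cover any `push r32`, which is why that wildcard is cheaper than listing eight opcodes.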