[Community-sigs] new sig Win.Downloader.Dalexis
Shaun Hurley
shahurle at sourcefire.com
Tue Jan 27 14:04:35 EST 2015
Andrei,
I've added this signature to the queue for false positive testing.
As soon as it comes back we will publish the signature.
Thank you for your submission,
Shaun Hurley
On Tue, Jan 27, 2015 at 10:32 AM, <andreisaygo at live.ie> wrote:
> Sig:
>
> Win.Downloader.Dalexis;Target:1;(0|1|2)>2,2;FF15????400083F8000F85????0000823D????4000010F82????000090909090;89E68B????2040005?68????4000FF2690909090;6C6F6B697461722E706462
>
> Hashes:
> MD5: 37a30abf6c798807ab896e7771ae130f
> SHA1: 5b25135c60c03be5449b3c7b1c8bfc6bcd74756e
> SHA256: f6c16ac3e0c062c3520f35016d4ece7db80ff724291f49a9b16cec3feb0e7c89
>
> Sig0:
> .text:00401198 FF 15 ?? ?? 40 00 call ds:lstrcmpiA
> .text:0040119E 83 F8 00 cmp eax, 0
> .text:004011A1 0F 85 ?? ?? 00 00 jnz loc_4012F0
> .text:004011A7 82 3D ?? ?? 40 00 01 cmp byte ptr dword_403215, 1
> .text:004011AE 0F 82 ?? ?? 00 00 jb loc_401E9D
> .text:004011B4 90 nop
> .text:004011B5 90 nop
> .text:004011B6 90 nop
> .text:004011B7 90 nop
>
> Sig1:
> .text:004017F8 89 E6 mov esi, esp
> .text:004017FA 8B ?? ?? 20 40 00 mov edx, ds:GetModuleHandleA
> .text:00401800 5? push edx
> .text:00401801 68 ?? ?? 40 00 push offset loc_401773
> .text:00401806 FF 26 jmp dword ptr [esi]
> .text:00401808 90 90 90 90
>
> Sig2:
> lokitar.pdb
>
> Regards,
> Andrei Saygo
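To see what the submitted line actually asks the engine to do, here is an added example (my own code, not ClamAV's and not the submitter's) that parses the .ldb line, expands the "??" and "5?" wildcards into byte/mask pairs, and evaluates the (0|1|2)>2,2 expression over constructed buffers. The expression semantics are my reading of the ClamAV signature docs, and the concrete bytes filled into the wildcard slots are made up to fit the disassembly above.

```python
import re
# The Win.Downloader.Dalexis .ldb line exactly as submitted in the message above.
SIG = ("Win.Downloader.Dalexis;Target:1;(0|1|2)>2,2;"
       "FF15????400083F8000F85????0000823D????4000010F82????000090909090;"
       "89E68B????2040005?68????4000FF2690909090;"
       "6C6F6B697461722E706462")

def parse_subsig(hexsig):
    """Hex sub-signature -> list of (value, mask), one per byte. '??' is a
    full-byte wildcard (mask 0); a nibble wildcard such as '5?' (any PUSH reg,
    0x50..0x5F) keeps only the known nibble in the mask."""
    pat = []
    for i in range(0, len(hexsig), 2):
        hi, lo = hexsig[i], hexsig[i + 1]
        mask = (0xF0 if hi != "?" else 0) | (0x0F if lo != "?" else 0)
        pat.append((int(hi.replace("?", "0") + lo.replace("?", "0"), 16), mask))
    return pat

def count_matches(pat, data):
    """Offsets in data where every pattern byte satisfies b & mask == value."""
    return sum(1 for off in range(len(data) - len(pat) + 1)
               if all(data[off + i] & m == v for i, (v, m) in enumerate(pat)))

def evaluate(expr, counts):
    """Evaluate the one expression shape used here, (a|b|...)>N,M. Assumed
    semantics (my reading of the ClamAV docs): the summed match count of the
    listed sub-signatures exceeds N AND at least M distinct ones matched."""
    m = re.fullmatch(r"\((\d+(?:\|\d+)*)\)>(\d+),(\d+)", expr)
    if not m:
        raise ValueError("unsupported logical expression: " + expr)
    ids = [int(x) for x in m.group(1).split("|")]
    total = sum(counts[i] for i in ids)
    distinct = sum(1 for i in ids if counts[i] > 0)
    return total > int(m.group(2)) and distinct >= int(m.group(3))

def scan(ldb_line, data):
    """Return the signature name if data satisfies the logical signature."""
    name, _target, expr, *subsigs = ldb_line.split(";")
    return name if evaluate(expr, [count_matches(parse_subsig(s), data)
                                   for s in subsigs]) else None

# Constructed sample buffers (not real files): plausible concrete bytes filled
# into the wildcard slots of the fragments shown in the submission's disassembly.
SIG0 = bytes.fromhex("FF15 10304000 83F800 0F85 49010000 823D 15324000 01 0F82 E90C0000 90909090")
SIG1 = bytes.fromhex("89E6 8B15 04204000 52 68 73174000 FF26 90909090")
PDB = b"lokitar.pdb"
FULL = b"\x00" * 8 + SIG0 + b"\xcc" * 16 + SIG1 + b"\x00" * 4 + PDB  # all three hit
TWO = b"\x00" * 8 + SIG0 + b"\xcc" * 16 + SIG1        # total 2, fails the >2 test
PDB_ONLY = PDB * 3                                    # total 3, but only 1 distinct
```

Running scan(SIG, FULL) names the signature, while TWO and PDB_ONLY both come back None, which shows the two halves of ">2,2" (total count and distinct sub-signatures) are checked independently.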