[Community-sigs] new sig: Win.Downloader.Upatre
andreisaygo at live.ie
Sun Mar 29 07:04:37 EDT 2015
Signature:
Win.Downloader.Upatre;Target:1;(0|1|2)>1,2;8BEC8BF4BF01FF0000663BF70F8707000000CCFFE2;6A5C8F04386A15596A00BA00????0083EA??52BA6C6C000052BA61702E6452BA325C716352BA74656D3352BA5C73797352;8B10FF10605333C333D833C35B33C905??000000FF1061
Hashes:
MD5: 6b6e3d3fde233fe75f64b517f2351d97
SHA1: 328ad79d53cd3992e3b9a14a815f37d096ef708b
SHA256: 7db0da727b6a2f1b135959aefbc260048c06f2d4ae5faf13ac57c9fe7ad153d5
Sig0:
8B EC mov ebp, esp
8B F4 mov esi, esp
BF 01 FF 00 00 mov edi, 0FF01h
66 3B F7 cmp si, di
0F 87 07 00 00 00 ja loc_401031
CC int 3
FF E2 jmp edx
Sig1:
6A 5C push 5Ch
8F 04 38 pop dword ptr [eax+edi]
6A 15 push 15h
59 pop ecx
6A 00 push 0
BA 00 28 1D 00 mov edx, 1D2800h
83 EA 01 sub edx, 1
52 push edx
BA 6C 6C 00 00 mov edx, 6C6Ch
52 push edx
BA 61 70 2E 64 mov edx, 642E7061h
52 push edx
BA 32 5C 71 63 mov edx, 63715C32h
52 push edx
BA 74 65 6D 33 mov edx, 336D6574h
52 push edx
BA 5C 73 79 73 mov edx, 7379735Ch
52 push edx ; \system32\qcap.dll
Sig2:
8B 10 mov edx, [eax]
FF 10 call dword ptr [eax]
60 pusha
53 push ebx
33 C3 xor eax, ebx
33 D8 xor ebx, eax
33 C3 xor eax, ebx
5B pop ebx
33 C9 xor ecx, ecx
05 B0 00 00 00 add eax, 0B0h
FF 10 call dword ptr [eax]
61 popa
Regards,
Andrei Saygo
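Added example (editor's addition, not part of the post above and not ClamAV's own matcher): a small Python reader for the logical-signature line as posted, so the mechanics of the detection can be checked offline. It splits the `Name;Target;Expression;Sub0;Sub1;Sub2` fields, compiles each hex subsignature with `??` treated as an any-byte wildcard, counts hits per subsignature, and evaluates the one expression form used here, `(0|1|2)>1,2`, under the reading (my understanding of the ClamAV logical-signature syntax, stated as an assumption) that the summed hit count must exceed 1 and at least 2 distinct subsignatures must hit. It also rebuilds the string that the `mov edx, imm32 / push edx` pairs in Sig1 leave on the stack. The sample buffer is constructed here from the three subsignatures, with the `??` bytes filled in from the disassembly in the post, plus NOP padding; it is not a real sample, and the hashes above are not used.

```python
import re
from typing import List, Optional, Tuple

# The signature exactly as posted (the only page-specific value used here).
UPATRE_LDB = (
    "Win.Downloader.Upatre;Target:1;(0|1|2)>1,2;"
    "8BEC8BF4BF01FF0000663BF70F8707000000CCFFE2;"
    "6A5C8F04386A15596A00BA00????0083EA??52BA6C6C000052BA61702E6452"
    "BA325C716352BA74656D3352BA5C73797352;"
    "8B10FF10605333C333D833C35B33C905??000000FF1061"
)

Nibble = Optional[int]                  # None means "any value" (a '?' in the hex)
Pattern = List[Tuple[Nibble, Nibble]]   # one (high, low) nibble pair per byte


def hex_to_pattern(hexstr: str) -> Pattern:
    """Compile a hex subsignature; '?' in either nibble position is a wildcard."""
    if len(hexstr) % 2:
        raise ValueError("hex subsignature has odd length")
    pat = []
    for i in range(0, len(hexstr), 2):
        hi, lo = hexstr[i], hexstr[i + 1]
        pat.append((None if hi == "?" else int(hi, 16),
                    None if lo == "?" else int(lo, 16)))
    return pat


def parse_ldb(line: str):
    """Split Name;Target:N;Expression;Sub0;Sub1;... into its fields."""
    name, target, expr, *subs = line.strip().split(";")
    return name, target, expr, [hex_to_pattern(s) for s in subs]


def count_matches(pat: Pattern, data: bytes) -> int:
    """Number of offsets in data where the pattern matches (overlaps count)."""
    n, hits = len(pat), 0
    for off in range(len(data) - n + 1):
        for (hi, lo), b in zip(pat, data[off:off + n]):
            if (hi is not None and (b >> 4) != hi) or (lo is not None and (b & 0xF) != lo):
                break
        else:
            hits += 1
    return hits


EXPR_RE = re.compile(r"\((\d+(?:\|\d+)*)\)>(\d+),(\d+)")


def evaluate(expr: str, counts: List[int]) -> bool:
    """Evaluate the one expression form used here: (a|b|...)>COUNT,UNIQUE.
    Assumed reading: summed hits over the listed subsignatures must exceed
    COUNT, and at least UNIQUE distinct subsignatures must have hit."""
    m = EXPR_RE.fullmatch(expr)
    if not m:
        raise ValueError("unsupported expression: " + expr)
    ids = [int(x) for x in m.group(1).split("|")]
    min_count, min_unique = int(m.group(2)), int(m.group(3))
    total = sum(counts[i] for i in ids)
    unique = sum(1 for i in ids if counts[i] > 0)
    return total > min_count and unique >= min_unique


def scan(line: str, data: bytes):
    """Return (signature name, matched?, per-subsignature hit counts)."""
    name, _target, expr, pats = parse_ldb(line)
    counts = [count_matches(p, data) for p in pats]
    return name, evaluate(expr, counts), counts


def pushed_string(data: bytes) -> str:
    """Rebuild the string left on the stack by a run of 'mov edx, imm32 ; push edx'
    pairs (BA xx xx xx xx 52). The last push lands at the lowest address, so the
    immediates are concatenated in reverse push order and cut at the first NUL."""
    dwords = [m.group(1) for m in re.finditer(rb"\xBA(.{4})\x52", data, re.S)]
    raw = b"".join(reversed(dwords))
    return raw.split(b"\x00", 1)[0].decode("latin-1")


# Constructed sample: the three subsignatures with the ?? bytes filled in from the
# posted disassembly (mov edx,1D2800h / sub edx,1 / add eax,0B0h), NOP-padded.
SIG0_BYTES = bytes.fromhex("8BEC8BF4BF01FF0000663BF70F8707000000CCFFE2")
SIG1_BYTES = bytes.fromhex(
    "6A5C8F04386A15596A00BA00281D0083EA0152BA6C6C000052BA61702E6452"
    "BA325C716352BA74656D3352BA5C73797352")
SIG2_BYTES = bytes.fromhex("8B10FF10605333C333D833C35B33C905B0000000FF1061")
PAD = b"\x90" * 16
SAMPLE = PAD + SIG0_BYTES + PAD + SIG1_BYTES + PAD + SIG2_BYTES + PAD


def demo():
    name, hit, counts = scan(UPATRE_LDB, SAMPLE)
    print(f"{name}: matched={hit} counts={counts}")
    print("string pushed by Sig1:", pushed_string(SAMPLE))
    # Two hits of one subsignature satisfy ">1" but not the ",2" distinct
    # requirement, so a buffer holding only Sig0 twice must not match.
    _, hit_single, counts_single = scan(UPATRE_LDB, SIG0_BYTES + SIG0_BYTES)
    print(f"only Sig0 twice: matched={hit_single} counts={counts_single}")


if __name__ == "__main__":
    demo()
```

The second case in `demo()` is the point of the `,2` suffix: without it, a file that happened to contain the generic Sig0 prologue twice would be enough to fire, whereas the posted expression needs two different subsignatures, which is what ties the generic prologue to the `\system32\qcap.dll` string builder or the register-swap stub.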