[Community-sigs] new sig: Win.Downloader.Upatre
Douglas Goddard
dgoddard at sourcefire.com
Mon Mar 30 10:20:27 EDT 2015
This has passed FP check and should be published today. Thank you!
On Sun, Mar 29, 2015 at 7:04 AM, <andreisaygo at live.ie> wrote:
> Signature:
>
> Win.Downloader.Upatre;Target:1;(0|1|2)>1,2;8BEC8BF4BF01FF0000663BF70F8707000000CCFFE2;6A5C8F04386A15596A00BA00????0083EA??52BA6C6C000052BA61702E6452BA325C716352BA74656D3352BA5C73797352;8B10FF10605333C333D833C35B33C905??000000FF1061
>
> Hashes:
> MD5: 6b6e3d3fde233fe75f64b517f2351d97
> SHA1: 328ad79d53cd3992e3b9a14a815f37d096ef708b
> SHA256: 7db0da727b6a2f1b135959aefbc260048c06f2d4ae5faf13ac57c9fe7ad153d5
>
>
> Sig0:
> 8B EC mov ebp, esp
> 8B F4 mov esi, esp
> BF 01 FF 00 00 mov edi, 0FF01h
> 66 3B F7 cmp si, di
> 0F 87 07 00 00 00 ja loc_401031
> CC int 3
> FF E2 jmp edx
>
> Sig1:
> 6A 5C push 5Ch
> 8F 04 38 pop dword ptr [eax+edi]
> 6A 15 push 15h
> 59 pop ecx
> 6A 00 push 0
> BA 00 28 1D 00 mov edx, 1D2800h
> 83 EA 01 sub edx, 1
> 52 push edx
> BA 6C 6C 00 00 mov edx, 6C6Ch
> 52 push edx
> BA 61 70 2E 64 mov edx, 642E7061h
> 52 push edx
> BA 32 5C 71 63 mov edx, 63715C32h
> 52 push edx
> BA 74 65 6D 33 mov edx, 336D6574h
> 52 push edx
> BA 5C 73 79 73 mov edx, 7379735Ch
> 52 push edx ; \system32\qcap.dll
>
> Sig2:
> 8B 10 mov edx, [eax]
> FF 10 call dword ptr [eax]
> 60 pusha
> 53 push ebx
> 33 C3 xor eax, ebx
> 33 D8 xor ebx, eax
> 33 C3 xor eax, ebx
> 5B pop ebx
> 33 C9 xor ecx, ecx
> 05 B0 00 00 00 add eax, 0B0h
> FF 10 call dword ptr [eax]
> 61 popa
>
> Regards,
> Andrei Saygo
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
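As an added example (not code from the posted signature, from Andrei, or from ClamAV itself), the following Python script shows what the three hex subsignatures above actually match and how the pushed immediates in Sig1 spell out the stack string. It translates each subsignature into a bytes regex (only fixed bytes and the `??` wildcard are handled; ClamAV's other wildcards are not), counts hits in a constructed buffer assembled from the listed bytes, and evaluates the `(0|1|2)>1,2` condition. The function names, the sample buffer and the reading of `>1,2` as "more than one hit in total from at least two distinct subsignatures" are my own assumptions, not the ClamAV engine's code; check the ClamAV signature manual for the authoritative semantics of the comparison syntax.

```python
import re
from typing import Dict, List

# Hex subsignatures copied from the posted Win.Downloader.Upatre signature.
SUBSIGS: List[str] = [
    "8BEC8BF4BF01FF0000663BF70F8707000000CCFFE2",
    "6A5C8F04386A15596A00BA00????0083EA??52BA6C6C000052BA61702E6452BA325C716352BA74656D3352BA5C73797352",
    "8B10FF10605333C333D833C35B33C905??000000FF1061",
]

# Constructed sample bytes taken from the disassembly listings (not the real file):
# the wildcarded positions are filled with the concrete bytes shown (28 1D, 01, B0).
SIG0_BYTES = bytes.fromhex("8BEC8BF4BF01FF0000663BF70F8707000000CCFFE2")
SIG1_BYTES = bytes.fromhex(
    "6A5C8F04386A15596A00BA00281D0083EA0152BA6C6C000052BA61702E6452"
    "BA325C716352BA74656D3352BA5C73797352"
)
SIG2_BYTES = bytes.fromhex("8B10FF10605333C333D833C35B33C905B0000000FF1061")
# Filler bytes stand in for the rest of an executable section.
SAMPLE = (b"\x90" * 16 + SIG0_BYTES + b"\x00" * 8 + SIG1_BYTES
          + b"\xCC" * 4 + SIG2_BYTES + b"\x90" * 16)


def subsig_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Translate a ClamAV hex subsignature into a compiled bytes regex.
    Only fixed bytes and the '??' single-byte wildcard are supported here."""
    if len(hexsig) % 2:
        raise ValueError("odd-length hex signature")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        if pair == "??":
            parts.append(b".")                       # any single byte
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so '.' also matches 0x0A


def count_subsig_hits(data: bytes) -> Dict[int, int]:
    """Non-overlapping hit count per subsignature index."""
    return {i: len(subsig_to_regex(s).findall(data)) for i, s in enumerate(SUBSIGS)}


def logical_gt(hits: Dict[int, int], n: int, m: int) -> bool:
    """Evaluate '(0|1|2)>n,m' under my reading: more than n hits summed over
    the listed subsigs, coming from at least m distinct subsigs (assumption)."""
    total = sum(hits.values())
    distinct = sum(1 for c in hits.values() if c > 0)
    return total > n and distinct >= m


def detect(data: bytes) -> bool:
    """True when the constructed buffer satisfies the posted logical expression."""
    return logical_gt(count_subsig_hits(data), 1, 2)


def stack_string_from_sig1(data: bytes) -> str:
    """Recover the string built by the 'mov edx, imm32 ; push edx' chain in Sig1.
    Each push lowers esp by 4, so the dword pushed last is the start of the
    string; the earlier 'push 0' and the length-like value are not followed
    directly by 0x52 after a BA-immediate, so they are not picked up."""
    chunks = re.findall(rb"\xBA(....)\x52", data, re.DOTALL)
    raw = b"".join(reversed(chunks))
    return raw.rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    print("hits:", count_subsig_hits(SAMPLE))
    print("detected:", detect(SAMPLE))
    print("Sig1 stack string:", stack_string_from_sig1(SIG1_BYTES))
    # A buffer carrying only Sig0 does not satisfy '>1,2'.
    print("Sig0 alone detected:", detect(b"\x90" * 8 + SIG0_BYTES + b"\x90" * 8))
```

The last check is the practical point of the `,2` clause: a single subsignature firing twice in one file still counts as one distinct subsignature, so a false positive on the generic Sig0 prologue alone cannot trigger the detection.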