[Community-sigs] Win.Trojan.Agent
Xabier Ugarte-Pedrero
xpedrero at sourcefire.com
Thu Aug 18 12:32:59 EDT 2016
Hello Askar,
Your signature has produced a false positive on a tool named
"Bat_To_Exe_Converter.exe":
This tool seems to be a legitimate application to convert Windows bat
scripts to PE binaries. Apparently, this tool generates a binary, and
inserts as resources the contents of the script, as well as the name
of the script. The resulting executable file will write the script to
disk and then execute it.
The reason the signature is producing an FP for the tool is that
the resulting binaries share a significant amount of code with the
tool.
We cannot create a signature for the code of the resulting binaries
because it would match this application and any legitimate binary it
may produce.
Regards,
-- Xabier
On Wed, Aug 17, 2016 at 8:59 AM, Xabier Ugarte-Pedrero
<xpedrero at sourcefire.com> wrote:
> Hello Askar,
>
> Thank you very much for your submission. Your signature has been
> submitted for FP test and will be published soon.
>
> Regards,
>
> -- Xabier
>
>
> On Tue, Aug 16, 2016 at 1:12 PM, Askar Dyussekeyev
> <dyussekeyev at yandex.kz> wrote:
>> Win.Trojan.Agent:1:8224:8B44240453555633ED85C0577505B8????????8B7C241883FF017D05BF010000008B4C241C8A1133F68BD8EB038D49008A083ACA740484C9750E83C6013BF7740C84C9740C8D580183C001EBE38BE82BEB50E8????????8B7424208BF885FF741156E8????????555350E8????????83C40C5655E8????????85FF8BF0750B555356E8????????83C40C5FC6042E005E5D5BC21000
>>
>> The signature looks for a specific block of code.
>>
>> detections (61):
>> 039d21972241c29415d503fc2fba2866
>> 04ca2c6806dba43013fd0b9d74a42c90
>> 066c6dbe53816929ec272e91803f3a1b
>> 0af465b9b82b60a0f1e8bde359d63e59
>> 0e29b980dc9373ef8ab1c14707dc414c
>> 1481e9e81a8dbaee2580711948e5c7ba
>> 15b7ebfda0e1a58a68df8d56879a3b4d
>> 15c9424fcd063b234041033d5f19ff4c
>> 163307a5f209b9f1697d371b6ca1671b
>> 17d8955df45096e2bb60bc0c12c12975
>> 18ff3e27e193c995a51ecf1959fab1ee
>> 1e326fabe80681736d0f615a8f20fc2c
>> 2905d640ae0821c1d776b26c57480c5a
>> 2a3dc87a792c5a97bde6ebd1308dec91
>> 2a6a30690528faaafd66b2d1f103b2fc
>> 308672a0208032f5f1d3d0e3494aac9c
>> 3fa908fed67dfb98302cd46d82fba115
>> 4576d3fb06b399b3da9c0ef9c4912971
>> 474c576326036d7a4ba9c32c52fa43db
>> 48c1591d79d27aa78e8b46d38ff94163
>> 4a6a11f9f0efa8e00a221426d5261277
>> 54db18437e5efe0ad5046be2aa7e1e0c
>> 5c64f57902fdcb1bedc99ecb8a9480ae
>> 683a87ee9e92d2a4d9d3cfd5e50066eb
>> 68e58854af18fd671f90a7b9d035d686
>> 6af66e3eb4f3b31959a82232358d92fc
>> 6d7aacce7200259731e5c9822ed8182a
>> 70a128d3c12ffc50b71d40301435aa57
>> 759baa0037cfcc087b991c1c47284064
>> 7de88d6b6cac026719676579c42a2e9a
>> 7fa5009cce7f333f1b40043f8d9aafd5
>> 82e37ddf4ef2750ab7ab66ebc550cbbf
>> 82e63efac9f3607b4740ad407352e0ed
>> 85c60d1503d5d088da455759d50d2cff
>> 898bc051a02a1bf96123159eb3da4109
>> 8b6a689d17692da6dfdfa59851f37e0e
>> 8ec3ecff8f87488e614ba6833751392c
>> 955010ba058c98f182390916e0ad6fe8
>> 9836ecdecd9496760d5b898576dec282
>> 9988e945212eb46161e3f8e2825841cb
>> 9ee5af689f643179f8265ed660f764b8
>> 9f75859f49220af261b6c5d0df05fe99
>> a18b29f87b57f087d270827df0e43b06
>> a4367e938c22257ac1a3bd6ac6a455b6
>> a4cbec2d1694635dc03427d014032a32
>> a61aaef173b43cb5da3478ffd9c5c109
>> aa7f069ec8259567f79d820e73530872
>> b09d2e6667261b990cb70de2ee4f29ab
>> bcf8e2de733317093ea171a8afb97e85
>> bf0cd1cd65cad21a41b483367fe138cb
>> c0ba49f7adb8c0b3f8873910f1da3317
>> c68aaeeae1d0fa6fc437ec6d138b2d9e
>> ce876a021a68abd45f2b17c9f4dcbfab
>> cec2ffa8321395bc9c31a47514d19679
>> d22783e57bb9a2dfb0811e9e7c4c9c66
>> d44f0d0a79ae1787d1b334a85d835421
>> d6f2be8823030244f7d711304a3cf948
>> ebb2a8a4a2904d38c44d64a0a294f590
>> f9623c966dd142e660c78a978c067c4d
>> f97847dd5207f0e2960ecc811e569ae1
>> fdf6527dba695d3a487befb7888bf8cb
>> _______________________________________________
>> Community-sigs mailing list
>> Community-sigs at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>
>> http://www.clamav.net/contact.html#ml
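As an added example (not code from the thread, from Askar's submission, or from ClamAV itself), the following Python matcher implements the subset of the NDB format the submission uses: the Name:TargetType:Offset:HexSig fields, "??" single-byte wildcards, and an absolute decimal offset or "*". It scans two constructed byte buffers that stand in for the converter and for a binary it produced (both carry the same runtime code at offset 8224, with only the wildcarded operands differing) and a third unrelated buffer, then runs the same kind of clean-corpus check the thread calls an FP test. The buffers, the fill bytes and the file names in the clean set are constructed for illustration; the target type field is parsed but not enforced.

```python
import re

# Signature exactly as submitted in the thread (NDB: Name:TargetType:Offset:HexSig).
SUBMITTED_SIG = "Win.Trojan.Agent:1:8224:8B44240453555633ED85C0577505B8????????8B7C241883FF017D05BF010000008B4C241C8A1133F68BD8EB038D49008A083ACA740484C9750E83C6013BF7740C84C9740C8D580183C001EBE38BE82BEB50E8????????8B7424208BF885FF741156E8????????555350E8????????83C40C5655E8????????85FF8BF0750B555356E8????????83C40C5FC6042E005E5D5BC21000"


def parse_ndb(line):
    """Split an NDB line into its fields and tokenise the hex body.

    Returns (name, target_type, offset, tokens); tokens holds an int for each
    fixed byte and None for each '??' wildcard. Only '*' and an absolute
    decimal offset are handled, a teaching subset of ClamAV's offset syntax.
    """
    name, target, offset, hexsig = line.strip().split(":", 3)
    parts = re.findall(r"\?\?|[0-9A-Fa-f]{2}", hexsig)
    if "".join(parts) != hexsig:          # odd length or unsupported syntax
        raise ValueError("unsupported or malformed hex body")
    tokens = [None if p == "??" else int(p, 16) for p in parts]
    return name, int(target), offset, tokens


def compile_tokens(tokens):
    """Build a bytes regex: each fixed byte becomes \\xHH, each '??' one '.'."""
    pattern = b"".join(b"." if t is None else b"\\x%02x" % t for t in tokens)
    return re.compile(pattern, re.DOTALL)   # DOTALL so '.' also matches 0x0A


def scan(data, line):
    """Offsets at which the signature hits: '*' means anywhere in the file,
    a numeric offset means the pattern must start exactly there."""
    _name, _target, offset, tokens = parse_ndb(line)
    rx = compile_tokens(tokens)
    if offset == "*":
        return [m.start() for m in rx.finditer(data)]
    pos = int(offset)
    return [pos] if rx.match(data, pos) else []


def build_sample(tokens, prefix_len, wildcard_fill, trailer=b""):
    """Construct a stand-in file: filler, then the code the signature
    describes with every wildcard byte set to wildcard_fill, then a trailer.
    Constructed data for the demonstration, not a real PE image."""
    body = bytes(wildcard_fill if t is None else t for t in tokens)
    return b"\x00" * prefix_len + body + trailer


def fp_check(line, clean_samples):
    """The kind of test the thread refers to: run the signature over a
    corpus of files believed clean and report the names it hits."""
    return sorted(name for name, data in clean_samples.items() if scan(data, line))


_, _, OFFSET, TOKENS = parse_ndb(SUBMITTED_SIG)

# Constructed stand-ins. The converter and the binary it emitted share the
# runtime stub at the same offset; only the wildcarded operands (call targets,
# immediates) differ, and the emitted one carries the script as a trailer.
CONVERTER = build_sample(TOKENS, int(OFFSET), 0x11)
GENERATED = build_sample(TOKENS, int(OFFSET), 0x22, b"@echo off\r\necho hi\r\n")
UNRELATED = b"MZ" + b"\x90" * 9000

if __name__ == "__main__":
    clean_set = {"Bat_To_Exe_Converter.exe": CONVERTER, "some_other_tool.exe": UNRELATED}
    print("tokens:", len(TOKENS), "wildcards:", sum(t is None for t in TOKENS))
    for label, data in (("converter", CONVERTER), ("generated", GENERATED), ("unrelated", UNRELATED)):
        print(label, "->", scan(data, SUBMITTED_SIG))
    print("FP test hits:", fp_check(SUBMITTED_SIG, clean_set))
```

The six wildcard runs in the signature sit exactly where E8 (call rel32) and B8 (mov eax, imm32) take their operands, so the two constructed buffers both match although those operands differ. That is the situation Xabier describes: a body signature on runtime code that the converter embeds in every output cannot separate the tool from the binaries it produces, and an FP test over a clean corpus that contains the tool is what surfaces the problem before publication.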