[Community-sigs] Win.Trojan.Agent

Matthew Molyett mmolyett at sourcefire.com
Wed Aug 24 09:47:49 EDT 2016


Askar,

The clean tool, BatTo_Exe_Converter.exe, has MD5
76d5900a4adf4c1f2ab8dbfd0a450c4a.
We can accept signatures for malicious output from the tool, but they must
not FP on the tool itself.

Thanks!

On Sun, Aug 21, 2016 at 3:01 AM, Askar Dyussekeyev <dyussekeyev at yandex.kz>
wrote:

> Good day!
>
> Thanks for the detailed response.
>
> Can I create a signature for the "Bat_To_Exe_Converter.exe" code and the
> BAT script's data?
>
> Can you submit the MD5 of "Bat_To_Exe_Converter.exe" for detailed analysis?
>
> Best regards
>
> 18.08.2016, 21:33, "Xabier Ugarte-Pedrero" <xpedrero at sourcefire.com>:
> > Hello Askar,
> >
> > Your signature has produced a false positive on a tool named
> > "Bat_To_Exe_Converter.exe":
> >
> > This tool seems to be a legitimate application to convert Windows bat
> > scripts to PE binaries. Apparently, this tool generates a binary, and
> > inserts as resources the contents of the script, as well as the name
> > of the script. The resulting executable file will write the script to
> > disk and then execute it.
> >
> > The signature produces an FP on the tool because the resulting binaries
> > share a significant amount of code with the tool.
> >
> > We cannot create a signature for the code of the resulting binaries
> > because it would match this application and any legitimate binary it
> > may produce.
> >
> > Regards,
> >
> > -- Xabier
> >
> > On Wed, Aug 17, 2016 at 8:59 AM, Xabier Ugarte-Pedrero
> > <xpedrero at sourcefire.com> wrote:
> >>  Hello Askar,
> >>
> >>  Thank you very much for your submission. Your signature has been
> >>  submitted for FP test and will be published soon.
> >>
> >>  Regards,
> >>
> >>  -- Xabier
> >>
> >>  On Tue, Aug 16, 2016 at 1:12 PM, Askar Dyussekeyev
> >>  <dyussekeyev at yandex.kz> wrote:
> >>>  Win.Trojan.Agent:1:8224:8B44240453555633ED85C0577505B8????????8B7C241883FF017D05BF010000008B4C241C8A1133F68BD8EB038D49008A083ACA740484C9750E83C6013BF7740C84C9740C8D580183C001EBE38BE82BEB50E8????????8B7424208BF885FF741156E8????????555350E8????????83C40C5655E8????????85FF8BF0750B555356E8????????83C40C5FC6042E005E5D5BC21000
> >>>
> >>>  The signature looks for a specific block of code.
> >>>
> >>>  detections (61):
> >>>  039d21972241c29415d503fc2fba2866
> >>>  04ca2c6806dba43013fd0b9d74a42c90
> >>>  066c6dbe53816929ec272e91803f3a1b
> >>>  0af465b9b82b60a0f1e8bde359d63e59
> >>>  0e29b980dc9373ef8ab1c14707dc414c
> >>>  1481e9e81a8dbaee2580711948e5c7ba
> >>>  15b7ebfda0e1a58a68df8d56879a3b4d
> >>>  15c9424fcd063b234041033d5f19ff4c
> >>>  163307a5f209b9f1697d371b6ca1671b
> >>>  17d8955df45096e2bb60bc0c12c12975
> >>>  18ff3e27e193c995a51ecf1959fab1ee
> >>>  1e326fabe80681736d0f615a8f20fc2c
> >>>  2905d640ae0821c1d776b26c57480c5a
> >>>  2a3dc87a792c5a97bde6ebd1308dec91
> >>>  2a6a30690528faaafd66b2d1f103b2fc
> >>>  308672a0208032f5f1d3d0e3494aac9c
> >>>  3fa908fed67dfb98302cd46d82fba115
> >>>  4576d3fb06b399b3da9c0ef9c4912971
> >>>  474c576326036d7a4ba9c32c52fa43db
> >>>  48c1591d79d27aa78e8b46d38ff94163
> >>>  4a6a11f9f0efa8e00a221426d5261277
> >>>  54db18437e5efe0ad5046be2aa7e1e0c
> >>>  5c64f57902fdcb1bedc99ecb8a9480ae
> >>>  683a87ee9e92d2a4d9d3cfd5e50066eb
> >>>  68e58854af18fd671f90a7b9d035d686
> >>>  6af66e3eb4f3b31959a82232358d92fc
> >>>  6d7aacce7200259731e5c9822ed8182a
> >>>  70a128d3c12ffc50b71d40301435aa57
> >>>  759baa0037cfcc087b991c1c47284064
> >>>  7de88d6b6cac026719676579c42a2e9a
> >>>  7fa5009cce7f333f1b40043f8d9aafd5
> >>>  82e37ddf4ef2750ab7ab66ebc550cbbf
> >>>  82e63efac9f3607b4740ad407352e0ed
> >>>  85c60d1503d5d088da455759d50d2cff
> >>>  898bc051a02a1bf96123159eb3da4109
> >>>  8b6a689d17692da6dfdfa59851f37e0e
> >>>  8ec3ecff8f87488e614ba6833751392c
> >>>  955010ba058c98f182390916e0ad6fe8
> >>>  9836ecdecd9496760d5b898576dec282
> >>>  9988e945212eb46161e3f8e2825841cb
> >>>  9ee5af689f643179f8265ed660f764b8
> >>>  9f75859f49220af261b6c5d0df05fe99
> >>>  a18b29f87b57f087d270827df0e43b06
> >>>  a4367e938c22257ac1a3bd6ac6a455b6
> >>>  a4cbec2d1694635dc03427d014032a32
> >>>  a61aaef173b43cb5da3478ffd9c5c109
> >>>  aa7f069ec8259567f79d820e73530872
> >>>  b09d2e6667261b990cb70de2ee4f29ab
> >>>  bcf8e2de733317093ea171a8afb97e85
> >>>  bf0cd1cd65cad21a41b483367fe138cb
> >>>  c0ba49f7adb8c0b3f8873910f1da3317
> >>>  c68aaeeae1d0fa6fc437ec6d138b2d9e
> >>>  ce876a021a68abd45f2b17c9f4dcbfab
> >>>  cec2ffa8321395bc9c31a47514d19679
> >>>  d22783e57bb9a2dfb0811e9e7c4c9c66
> >>>  d44f0d0a79ae1787d1b334a85d835421
> >>>  d6f2be8823030244f7d711304a3cf948
> >>>  ebb2a8a4a2904d38c44d64a0a294f590
> >>>  f9623c966dd142e660c78a978c067c4d
> >>>  f97847dd5207f0e2960ecc811e569ae1
> >>>  fdf6527dba695d3a487befb7888bf8cb
> >>>  _______________________________________________
> >>>  Community-sigs mailing list
> >>>  Community-sigs at lists.clamav.net
> >>>  http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >>>
> >>>  http://www.clamav.net/contact.html#ml
> >
>



-- 

Matthew Molyett
Cisco Talos Researcher
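Added example for this thread (it is not code from the thread, from ClamAV, or from the converter's author): a minimal matcher for ClamAV .ndb body signatures that applies the posted Win.Trojan.Agent signature at its fixed offset 8224, and a hash whitelist check of the kind that keeps a known-clean file such as Bat_To_Exe_Converter.exe from being reported even when its code matches. It handles only a subset of ClamAV hex syntax (literal bytes, ??, *, and {n}/{n-m}/{-m}/{n-} gaps) and only the '*' and decimal offset forms; EP+n and EOF-n offsets are not implemented. The sample "file" is constructed here by filling the signature's wildcards with 0x90, since the real samples are not on the page; the tool's own bytes are likewise not available, so its MD5 from the thread is simply placed on the clean list.

```python
"""
Minimal ClamAV .ndb body-signature matcher plus an MD5 whitelist check.

Added example, not code from the thread, from ClamAV or from the converter's
author. Supports a subset of ClamAV hex syntax and offset forms only.
"""
import hashlib
import re

# Signature exactly as posted by Askar Dyussekeyev, e-mail line wrapping removed.
NDB_SIG = (
    "Win.Trojan.Agent:1:8224:8B44240453555633ED85C0577505B8????????"
    "8B7C241883FF017D05BF010000008B4C241C8A1133F68BD8EB038D49008A"
    "083ACA740484C9750E83C6013BF7740C84C9740C8D580183C001EBE38BE8"
    "2BEB50E8????????8B7424208BF885FF741156E8????????555350E8????????"
    "83C40C5655E8????????85FF8BF0750B555356E8????????"
    "83C40C5FC6042E005E5D5BC21000"
)

# MD5 of the clean converter as given by Matthew Molyett in the thread.
CLEAN_TOOL_MD5 = "76d5900a4adf4c1f2ab8dbfd0a450c4a"


def parse_ndb(line):
    """Split the .ndb layout MalwareName:TargetType:Offset:HexSignature."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}


def hexsig_to_regex(hexsig):
    """Translate ClamAV hex syntax into a compiled bytes regex.
    Handled: literal bytes, ?? (any one byte), * (any run), {n}, {n-m}, {-m}, {n-}.
    Nibble wildcards such as A? are not handled and raise."""
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":                      # any number of bytes
            parts.append(b".*?")
            i += 1
        elif hexsig[i] == "{":                    # byte gap {n}, {n-m}, {-m}, {n-}
            j = hexsig.index("}", i)
            lo, dash, hi = hexsig[i + 1:j].partition("-")
            if dash:
                parts.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
            else:
                parts.append(b".{%d}" % int(lo))
            i = j + 1
        elif hexsig[i:i + 2] == "??":             # any single byte
            parts.append(b".")
            i += 2
        else:                                     # one literal byte
            token = hexsig[i:i + 2]
            if len(token) != 2 or "?" in token:
                raise ValueError("unsupported hex token %r at %d" % (token, i))
            parts.append(re.escape(bytes.fromhex(token)))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def matches(data, sig):
    """Apply .ndb offset semantics: a decimal offset means the match must start
    exactly there; '*' means anywhere in the file. Other forms are not handled."""
    pattern = hexsig_to_regex(sig["hexsig"])
    if sig["offset"] == "*":
        return pattern.search(data) is not None
    if sig["offset"].isdigit():
        return pattern.match(data, int(sig["offset"])) is not None
    raise ValueError("offset form not handled here: " + sig["offset"])


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def scan(data, sig, clean_md5s):
    """Return the detection name, or None when nothing matches or the file's MD5
    is on the clean list (ClamAV's own .fp whitelist uses MD5:Size:Name entries)."""
    if md5_hex(data) in clean_md5s:
        return None
    return sig["name"] if matches(data, sig) else None


def build_sample(sig, offset):
    """Constructed stand-in for a converter output: zero padding, then the
    signature body with every ?? filled with 0x90, so the code starts at `offset`."""
    body = bytes.fromhex(sig["hexsig"].replace("??", "90"))
    return b"\x00" * offset + body + b"\x00" * 64


SIG = parse_ndb(NDB_SIG)


def demo():
    """The three cases the thread turns on, run on the constructed data."""
    hit = build_sample(SIG, 8224)
    return {
        "hit_at_8224": scan(hit, SIG, set()),
        "miss_at_8225": scan(build_sample(SIG, 8225), SIG, set()),
        # Same bytes, but the hash is on the clean list, as the converter's would be.
        "whitelisted": scan(hit, SIG, {md5_hex(hit), CLEAN_TOOL_MD5}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-14s %s" % (case, result))
```

The second case shows why a fixed offset is a weaker defence than it looks: the same code block one byte later is missed, while any binary the converter emits with that block at 8224 (legitimate or not) is hit, which is exactly the FP the thread describes. A clean-hash entry covers the tool itself but not the legitimate binaries it produces, which is why a code-only signature cannot be published.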


