[Community-sigs] Nemucod variant

Christopher Marczewski cmarczewski at sourcefire.com
Wed Dec 14 15:32:23 EST 2016


Janos,

Thanks again for another Nemucod submission. We'll be proceeding with a
signature review & FP testing.

On Wed, Dec 14, 2016 at 10:56 AM, Janos Cservenak <hawk at hwk.hu> wrote:

> Hi,
>
> Another Nemucod variant signature.
> Received by email, attachment was a .ZIP that contains the trojan WSF.
>
> -- Signature --
> JS.Trojan.Nemucod;Target:7;0>2&1>3&2;
> 766172{-10}686974666d;66756e6374696f6e{-20}686974666d;
> 746d39307a786e696177726b7a773478
> -- /Signature --
>
> VIRUS NAME: JS.Trojan.Nemucod.WSF.v03.20161214
> TDB: Target:7
> LOGICAL EXPRESSION: 0>2&1>3&2
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> var{WILDCARD_ANY_STRING(LENGTH<=10)}hitfm
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> function{WILDCARD_ANY_STRING(LENGTH<=20)}hitfm
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> tm90zxniawrkzw4x
>
>
> Matched files MD5:
> bd9ac941df4dd18fc3a9357ca8fc51d4
> 075267b6930949754fd2d26e81cf3b6f
> ed006688b4d4dbeb57be273d022f3e93
> 1a80ed55e9efe95742b41d6fbbfc9a93
> fc4bf5f72c29990570d34fdd823a411d
> 4ff5f72d1375cb62ec8760e395dabc49
> bb989de0945fadbd26828f43e0fccb1f
> ece6efedf0ec3a381826f12e0a6d695d
> 9aaba658f4058e6f59a2350620d67a88
> 9aaba658f4058e6f59a2350620d67a88
> 9aaba658f4058e6f59a2350620d67a88
> 15c985f5a947e6730609215392954588
> 15c985f5a947e6730609215392954588
> 277a4374e36db8dcd1b7d984642ab749
> d195d846366cc139f38e34744ff2217e
> 218e468ed5f0af73a68986dcadd43707
> 2dcff3cb473324f619605c1752ffdb3b
> dba26a9757c92889d36e2171a0b8499c
> 789f9af5c3521e44123b474b901e3733
> 789f9af5c3521e44123b474b901e3733
> 98aec43fc91195e73957022ed89d663c
> 739f7cbde8886faf1cb4c8aaf64865a1
> 0c1f6e786ee71e1d55fad52af868a1fa
> ebebc6db349c8457a009ea67bef9f5c2
> f9c4b03fe200e0575ce77581a088a344
> 36196947aa0da7ee81b2174e6f992e74
> 36196947aa0da7ee81b2174e6f992e74
> 2f8021da04fb26f4b1c458229d9e06e7
> 754d009b8f2d9fc6eafc605a27afa64f
> 754d009b8f2d9fc6eafc605a27afa64f
> add45ad1030774a2251f874b24dc710d
> add45ad1030774a2251f874b24dc710d
> b9110a5360c4f12c6aa4a2e794efbe6a
> dd2fd0a397836bf55ebf7cbd98f0f6b1
>
> --
> Best regards,
> Janos Cservenak
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml




-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.430.7118
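Added example, not Janos's code or ClamAV's own tooling: a Python script that parses the posted .ldb line, prints each subsignature in the decoded form shown in the submission, and emulates the match by compiling the hex subsignatures to regexes, counting hits in a constructed text sample and evaluating the logical expression 0>2&1>3&2 on those counts. Two things it makes visible that the listing alone does not: Target:7 means the engine scans normalised ASCII (lowercased, whitespace collapsed), which is why the base64 fragment in subsig 2 is all lowercase, and the >N comparisons are per-subsignature occurrence counts, so a file with only two "var ... hitfm" declarations does not fire. The sample text (SAMPLE_WSF), the normalisation routine and the non-overlapping regex counting are approximations written for this example, not the ClamAV matcher; `sigtool --decode-sigs` remains the authoritative decoder.

```python
import re

# Added example, not code from the post or from ClamAV: decode a ClamAV logical
# signature (.ldb line) like `sigtool --decode-sigs`, then emulate the match by
# compiling each hex subsignature to a regex and evaluating the logical expression.

NEMUCOD_LDB = ("JS.Trojan.Nemucod;Target:7;0>2&1>3&2;"  # signature as posted
               "766172{-10}686974666d;66756e6374696f6e{-20}686974666d;"
               "746d39307a786e696177726b7a773478")

# Constructed sample, not a real Nemucod script. Mixed case is deliberate:
# Target:7 signatures are matched against lowercased, normalised text.
SAMPLE_WSF = """\
var hitfm = 0; var a1hitfm = 1; VAR b2hitfm = 2; Var c3HitFM = 3;
function hitfm() {} function run_hitfm() {} FUNCTION get_hitfm() {}
function dec_hitfm(s) { return s; } dec_hitfm("tm90zxniawrkzw4x");
"""

# One token: a {n}, {-n}, {n-} or {n-m} gap, or one hex byte.
_TOKEN = re.compile(r"\{(\d*)(-?)(\d*)\}|[0-9a-fA-F]{2}")


def parse_ldb(line):
    name, tdb, logic, *subsigs = line.strip().split(";")
    return {"name": name, "tdb": tdb, "logic": logic, "subsigs": subsigs}


def compile_subsig(hexsig):
    """Return (decoded text, regex) for one hex subsignature. The {-n} rendering
    is sigtool's verbatim; the other gap forms follow the same convention here.
    The regex expects latin-1 text (one char per byte) and uses non-greedy gaps."""
    if not re.fullmatch("(?:%s)+" % _TOKEN.pattern, hexsig):
        raise ValueError("unparsable subsignature %r" % hexsig)
    text, rx = [], []
    for m in _TOKEN.finditer(hexsig):
        if m.group(0).startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            if not (lo or hi):
                raise ValueError("empty {} wildcard in %r" % hexsig)
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else (None if dash else lo)
            cond = ("==%d" % lo if lo == hi else ">=%d" % lo if hi is None
                    else "<=%d" % hi if lo == 0 else ">=%d&&<=%d" % (lo, hi))
            text.append("{WILDCARD_ANY_STRING(LENGTH%s)}" % cond)
            rx.append(".{%d,%s}?" % (lo, "" if hi is None else hi))
        else:
            b = int(m.group(0), 16)
            text.append(chr(b) if 32 <= b < 127 else "{0x%02x}" % b)
            rx.append(re.escape(chr(b)))
    return "".join(text), re.compile("".join(rx), re.DOTALL)


def normalise_ascii(text):
    """Approximation of ClamAV's Target:7 normalisation: lowercase, collapse whitespace."""
    return re.sub(r"\s+", " ", text.lower())


def evaluate_logic(expr, counts):
    """Evaluate ids, N>k/N<k/N=k on a single id, &, | and parentheses against
    per-subsig hit counts; a bare id is true if it hit at least once. Operators
    at one level fold left to right; comparisons on a whole group are not handled."""
    tokens = re.findall(r"\d+|[&|()<>=]", expr)
    if "".join(tokens) != expr:
        raise ValueError("bad logical expression %r" % expr)
    pos = [0]
    def atom():
        tok = tokens[pos[0]]
        pos[0] += 1
        if tok == "(":
            val = expression()
            if pos[0] >= len(tokens) or tokens[pos[0]] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            pos[0] += 1
            return val
        n = counts[int(tok)]
        if pos[0] + 1 < len(tokens) and tokens[pos[0]] in "<>=":
            op, k = tokens[pos[0]], int(tokens[pos[0] + 1])
            pos[0] += 2
            return {"<": n < k, ">": n > k, "=": n == k}[op]
        return n > 0
    def expression():
        val = atom()
        while pos[0] < len(tokens) and tokens[pos[0]] in "&|":
            op = tokens[pos[0]]
            pos[0] += 1
            rhs = atom()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    result = expression()
    if pos[0] != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def scan(ldb_line, raw_text):
    """(name, per-subsig hit counts, fired); non-overlapping hits approximate the engine."""
    sig = parse_ldb(ldb_line)
    text = normalise_ascii(raw_text) if sig["tdb"].startswith("Target:7") else raw_text
    counts = [len(compile_subsig(s)[1].findall(text)) for s in sig["subsigs"]]
    return sig["name"], counts, evaluate_logic(sig["logic"], counts)
```

compile_subsig("766172{-10}686974666d")[0] gives exactly the decoded line from the submission, var{WILDCARD_ANY_STRING(LENGTH<=10)}hitfm, and scan(NEMUCOD_LDB, SAMPLE_WSF) returns ('JS.Trojan.Nemucod', [4, 4, 1], True). Removing two of the four var declarations from the sample gives counts [2, 4, 1] and the signature does not fire, because 0>2 requires more than two occurrences, not at least two.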