[Community-sigs] Nemucod variant
Christopher Marczewski
cmarczewski at sourcefire.com
Fri Dec 16 11:13:31 EST 2016
Janos,
Your signature has been accepted for publication. Thanks again for your
submission.
On Wed, Dec 14, 2016 at 3:32 PM, Christopher Marczewski <
cmarczewski at sourcefire.com> wrote:
> Janos,
>
> Thanks again for another Nemucod submission. We'll be proceeding with a
> signature review & FP testing.
>
> On Wed, Dec 14, 2016 at 10:56 AM, Janos Cservenak <hawk at hwk.hu> wrote:
>
>> Hi,
>>
>> Another Nemucod variant signature.
>> Received by email, attachment was a .ZIP that contains the trojan WSF.
>>
>> -- Signature --
>> JS.Trojan.Nemucod;Target:7;0>2&1>3&2;766172{-10}686974666d;66756e6374696f6e{-20}686974666d;746d39307a786e696177726b7a773478
>> -- /Signature --
>>
>> VIRUS NAME: JS.Trojan.Nemucod.WSF.v03.20161214
>> TDB: Target:7
>> LOGICAL EXPRESSION: 0>2&1>3&2
>> * SUBSIG ID 0
>> +-> OFFSET: ANY
>> +-> SIGMOD: NONE
>> +-> DECODED SUBSIGNATURE:
>> var{WILDCARD_ANY_STRING(LENGTH<=10)}hitfm
>> * SUBSIG ID 1
>> +-> OFFSET: ANY
>> +-> SIGMOD: NONE
>> +-> DECODED SUBSIGNATURE:
>> function{WILDCARD_ANY_STRING(LENGTH<=20)}hitfm
>> * SUBSIG ID 2
>> +-> OFFSET: ANY
>> +-> SIGMOD: NONE
>> +-> DECODED SUBSIGNATURE:
>> tm90zxniawrkzw4x
>>
>>
>> Matched files MD5:
>>
>> --
>> Best regards,
>> Janos Cservenak
>>
>
> --
> Christopher Marczewski
> Research Engineer
> Talos Group
> cmarczewski at sourcefire.com
> Phone: 443.430.7118
>
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.430.7118
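
An added example, not part of the thread and not ClamAV's own code: a simplified Python evaluator for the logical signature posted above, showing how the `{-n}` wildcards and the expression `0>2&1>3&2` (subsig 0 more than 2 times, subsig 1 more than 3 times, subsig 2 at least once) combine into a verdict. Assumptions: the sample buffers are constructed, lowercasing stands in for Target:7 text normalization, and counting non-overlapping regex hits only approximates the engine's match counting.

```python
import re

# Signature line as posted in the thread (ClamAV .ldb logical signature).
SIG = ("JS.Trojan.Nemucod;Target:7;0>2&1>3&2;"
       "766172{-10}686974666d;66756e6374696f6e{-20}686974666d;"
       "746d39307a786e696177726b7a773478")

def subsig_to_regex(subsig):
    """Turn hex bytes plus {-n} wildcards (n or fewer bytes) into a bytes regex."""
    pattern = b""
    for hexpart, gap in re.findall(r"([0-9a-fA-F]+)|\{-(\d+)\}", subsig):
        if hexpart:
            pattern += re.escape(bytes.fromhex(hexpart))
        else:
            pattern += b".{0,%d}?" % int(gap)
    return re.compile(pattern, re.DOTALL)

def parse_ldb(line):
    """Split Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;..."""
    name, tdb, expr, *subsigs = line.split(";")
    return name, tdb, expr, [subsig_to_regex(s) for s in subsigs]

def evaluate(expr, counts):
    """Handle only the operators this signature uses: '&' and 'N>X'."""
    for term in expr.split("&"):
        idx, _, threshold = term.partition(">")
        needed = int(threshold) + 1 if threshold else 1
        if counts[int(idx)] < needed:
            return False
    return True

def scan(line, data):
    name, _tdb, expr, regexes = parse_ldb(line)
    data = data.lower()  # simplification of Target:7 text normalization
    counts = [len(rx.findall(data)) for rx in regexes]
    return name, counts, evaluate(expr, counts)

# Constructed, inert sample buffers (not taken from any real sample).
SAMPLE_HIT = (b"var a1 = hitfm; var b2=hitfm; var c3 = hitfm;\n"
              b"function f1() hitfm function f2() hitfm "
              b"function f3() hitfm function f4() hitfm\n"
              b"x = 'tm90zxniawrkzw4x';\n")
SAMPLE_MISS = SAMPLE_HIT.replace(b"var c3 = hitfm;", b"")  # only two 'var' hits

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, scan(SIG, buf))
```

The second buffer still contains every string the signature looks for, but falls one `var ... hitfm` occurrence short of the `0>2` threshold, so the expression as a whole evaluates false.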