[Community-sigs] Win.Trojan.Ransom

Xabier Ugarte-Pedrero xpedrero at sourcefire.com
Wed Jul 27 03:26:49 EDT 2016


Hello Askar,

Your signatures have been submitted for FP testing. I have slightly
modified your first signature in order to replace absolute
addresses with wildcards. Could you please confirm that the signature
still matches on all the samples in your dataset?

Win.Trojan.Ransom:1:6368:837D0C0175698D95DEFEFFFF52FFB5E6FEFFFF8D8502FFFFFF50FFB5BAFEFFFF68????????FF15????????8985F2FEFFFF8985EEFEFFFF83BDEEFEFFFF00752FFFB5EAFEFFFF8B95DEFEFFFF52FFB5FEFEFFFFFFB5FEFEFFFF8D450883E80450E84EF8FFFF83C414C605????????17

Thanks!


-- Xabier


On Tue, Jul 26, 2016 at 1:08 PM, Askar Dyussekeyev
<dyussekeyev at yandex.kz> wrote:
> Win.Trojan.Ransom:1:4848:C745CC04000000C745C400000000C745C800000000C745FC00100000C745F8000000008B45D4D1E08945D48B4D08894DC48B55D4D1E28955D4FF75D4BBFD3B0000B95806000081C1A80900005153B9000000008B5DC4516AFFFFD38945F8C745D4C9000000
>
> signature looks for a specific block of code
>
> detections:
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
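
The check requested in the reply (that a signature with `??` wildcards in place of absolute addresses still matches every sample) can be scripted. The following is an added example, not part of the original thread or of ClamAV: it handles only fixed bytes and `??`, and the signature names, the offset and the sample bytes are constructed.

```python
import re

def parse_ndb(line):
    """Split an .ndb-style line: Name:TargetType:Offset:HexBody."""
    name, target, offset, body = line.strip().split(":")[:4]
    return name, int(target), offset, body

def body_to_regex(body):
    """Compile a hex body into a bytes regex. Subset only: fixed bytes and
    '??' (any byte); '*', '{n}' and nibble wildcards are not handled."""
    if len(body) % 2:
        raise ValueError("hex body must have an even number of characters")
    parts = []
    for i in range(0, len(body), 2):
        pair = body[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)

def matches(line, data):
    """True if the body matches at the signature's offset ('*' = anywhere).
    The target type is parsed but not enforced in this sketch."""
    _, _, offset, body = parse_ndb(line)
    rx = body_to_regex(body)
    if offset == "*":
        return rx.search(data) is not None
    return rx.match(data, int(offset)) is not None

def missed(line, samples):
    """Names of samples the signature does not match; empty means full coverage."""
    return [name for name, data in samples.items() if not matches(line, data)]

# Constructed inputs. The wildcarded body is a short fragment of the modified
# signature above; the offset 4 and both address values are made up.
WILD = "Example.Fragment:1:4:68????????FF15????????8985F2FEFFFF"
FIXED = "Example.Fragment:1:4:6800104000FF15002040008985F2FEFFFF"

def build(push_imm, call_addr):
    """push imm32; call dword ptr [addr]; then the fixed bytes that follow."""
    return (b"\x90" * 4 + b"\x68" + bytes.fromhex(push_imm) + b"\xff\x15"
            + bytes.fromhex(call_addr) + bytes.fromhex("8985F2FEFFFF"))

SAMPLES = {"a": build("00104000", "00204000"),
           "b": build("00105000", "00205000")}

if __name__ == "__main__":
    for label, sig in (("fixed", FIXED), ("wildcarded", WILD)):
        print(label, "misses:", missed(sig, SAMPLES))
```

An empty result from `missed` for the wildcarded line is the confirmation asked for; a non-empty one lists the samples to re-examine.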


