[Community-sigs] Win.Trojan.Ransom
Askar Dyussekeyev
dyussekeyev at yandex.kz
Wed Jul 27 04:05:14 EDT 2016
Good day! The modified signature looks fine on all my samples. Thanks.
27.07.2016, 12:27, "Xabier Ugarte-Pedrero" <xpedrero at sourcefire.com>:
> Hello Askar,
>
> Your signatures have been submitted for FP test. I have slightly
> modified your first signature in order to substitute absolute
> addresses by wildcards. Could you please confirm that the signature
> still matches on all the samples in your dataset?
>
> Win.Trojan.Ransom:1:6368:837D0C0175698D95DEFEFFFF52FFB5E6FEFFFF8D8502FFFFFF50FFB5BAFEFFFF68????????FF15????????8985F2FEFFFF8985EEFEFFFF83BDEEFEFFFF00752FFFB5EAFEFFFF8B95DEFEFFFF52FFB5FEFEFFFFFFB5FEFEFFFF8D450883E80450E84EF8FFFF83C414C605????????17
>
> Thanks!
>
> -- Xabier
>
> On Tue, Jul 26, 2016 at 1:08 PM, Askar Dyussekeyev
> <dyussekeyev at yandex.kz> wrote:
>> Win.Trojan.Ransom:1:4848:C745CC04000000C745C400000000C745C800000000C745FC00100000C745F8000000008B45D4D1E08945D48B4D08894DC48B55D4D1E28955D4FF75D4BBFD3B0000B95806000081C1A80900005153B9000000008B5DC4516AFFFFD38945F8C745D4C9000000
>>
>> signature looks for a specific block of code
>>
>> detections:
>> _______________________________________________
>> Community-sigs mailing list
>> Community-sigs at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>
>> http://www.clamav.net/contact.html#ml
>
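
The effect of replacing absolute addresses with `??` wildcards, as an added example that is not part of the original thread and not ClamAV's own code: a minimal matcher for the `Name:TargetType:Offset:HexSig` form used above, supporting only the `??` wildcard and a numeric or `*` offset. The signature names, addresses and byte buffers are constructed for illustration; only the instruction bytes `68`, `FF15` and `8985F2FEFFFF` are taken from the signature in the thread.

```python
import re

def parse_ndb(line):
    """Split an extended signature line: Name:TargetType:Offset:HexSig."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return name, int(target), offset, hexsig.upper()

def compile_body(hexsig):
    """Turn a hex body into a bytes regex; only the ?? wildcard is handled."""
    if len(hexsig) % 2:
        raise ValueError("odd-length hex body")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        if pair == "??":
            parts.append(b".")  # any single byte
        elif re.fullmatch(r"[0-9A-F]{2}", pair):
            parts.append(re.escape(bytes.fromhex(pair)))
        else:
            raise ValueError(f"unsupported token {pair!r}")
    return re.compile(b"".join(parts), re.DOTALL)

def matches(line, data):
    """Apply the body at its offset: '*' is anywhere, n is absolute."""
    _, _, offset, hexsig = parse_ndb(line)
    rx = compile_body(hexsig)
    if offset == "*":
        return rx.search(data) is not None
    return rx.match(data, int(offset)) is not None

def sample(push_addr, iat_addr, pad=16):
    """Constructed buffer: push imm32; call [imm32]; mov [ebp-0x10E], eax."""
    code = (b"\x68" + push_addr.to_bytes(4, "little") +
            b"\xFF\x15" + iat_addr.to_bytes(4, "little") +
            b"\x89\x85\xF2\xFE\xFF\xFF")
    return b"\x90" * pad + code

# Constructed inputs: the same code built at two different image bases.
A = sample(0x00403000, 0x00405010)
B = sample(0x10003000, 0x10005010)
FIXED = "Example.Fixed:1:16:6800304000FF15105040008985F2FEFFFF"
WILD = "Example.Wild:1:16:68????????FF15????????8985F2FEFFFF"

if __name__ == "__main__":
    for sig in (FIXED, WILD):
        print(parse_ndb(sig)[0], matches(sig, A), matches(sig, B))
```

The numeric offset still pins the match to one file position, so a sample whose code block sits elsewhere is missed even with wildcards in the body.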