[Community-sigs] Win.Trojan.PW_Steeler
Christopher Marczewski
cmarczewski at sourcefire.com
Mon Apr 10 14:07:46 EDT 2017
Askar,
The signature looks good. It'll be published soon, following a successful
FP test.
Thanks again for your submission.
On Mon, Apr 10, 2017 at 1:38 PM, Christopher Marczewski <cmarczewski at sourcefire.com> wrote:
> Askar,
>
> Thank you for the submission. We're reviewing the signature & will keep
> you posted.
>
> On Sun, Apr 9, 2017 at 12:31 PM, Askar Dyussekeyev <dyussekeyev at yandex.kz> wrote:
>
>> Update for last signature:
>>
>> Win.Trojan.PW_Steeler;Target:1;(0>2)&(1|(2>2)|(3>2))&4&5&6&7&8;505720537465656C6572;544849532049532041205649525553;444F4E542055534520495420544F20535445414C204F544845522050415353574F5244;464F5220454455434154494F4E414C20505552504F5345204F4E4C59;460069007200650066006F007800;47006F006F0067006C00650020004300680072006F006D006500;530061006600610072006900;5300650061004D006F006E006B0065007900;590061006E00640065007800
>>
>>
>> 09.04.2017, 22:04, "Askar Dyussekeyev" <dyussekeyev at yandex.kz>:
>> > Hello!
>> >
>> > There is a logical signature for a password stealer that looks for specific strings:
>> >
>> > Win.Trojan.PW_Steeler;Target:1;(0>2)&(1|(2>2)|(3>2)&4&5&6&7&8);505720537465656C6572;544849532049532041205649525553;444F4E542055534520495420544F20535445414C204F544845522050415353574F5244;464F5220454455434154494F4E414C20505552504F5345204F4E4C59;460069007200650066006F007800;47006F006F0067006C00650020004300680072006F006D006500;530061006600610072006900;5300650061004D006F006E006B0065007900;590061006E00640065007800
>> >
>> > Samples:
>> > - https://virustotal.com/ru/file/0ca0e4d19ea289d31b496d09865c3b02bd08ac366f593c35da81b49393bd3284/analysis/1491752221/
>> > - https://virustotal.com/ru/file/069a0d21d22b4ea29b258a9af7ced75fa3c06862631226f8479159c874caabe0/analysis/1491752238/
>> >
>> > Best regards,
>> > Askar
>> > _______________________________________________
>> > Community-sigs mailing list
>> > Community-sigs at lists.clamav.net
>> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>> >
>> > http://www.clamav.net/contact.html#ml
>
>
>
> --
> --
> Christopher Marczewski
> Research Engineer
> Talos Group
> cmarczewski at sourcefire.com
> Phone: 443.832.2975
>
--
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
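
An added example, not part of the original thread and not ClamAV's own tooling: a small Python parser that splits the updated signature into its fields and decodes the hex subsignatures, showing which are ASCII marker strings and which are UTF-16LE browser names. The function names are hypothetical, and it handles only plain-hex subsignatures (no wildcards, offsets or modifiers), which is all this signature uses.

```python
import re

# Updated signature from the thread, re-joined onto one line.
SIG = ("Win.Trojan.PW_Steeler;Target:1;(0>2)&(1|(2>2)|(3>2))&4&5&6&7&8;"
       "505720537465656C6572;"
       "544849532049532041205649525553;"
       "444F4E542055534520495420544F20535445414C204F544845522050415353574F5244;"
       "464F5220454455434154494F4E414C20505552504F5345204F4E4C59;"
       "460069007200650066006F007800;"
       "47006F006F0067006C00650020004300680072006F006D006500;"
       "530061006600610072006900;"
       "5300650061004D006F006E006B0065007900;"
       "590061006E00640065007800")


def decode_subsig(hexstr):
    """Return (encoding, text) for a plain-hex subsignature body."""
    raw = bytes.fromhex(hexstr)  # raises ValueError on wildcards/modifiers
    # Bytes where every second byte is NUL are treated as UTF-16LE text.
    if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return "utf-16le", raw.decode("utf-16le")
    return "ascii", raw.decode("ascii")


def parse_ldb(line):
    """Split an .ldb line into name, target block, expression and subsigs."""
    name, target, expr, *subsigs = line.strip().split(";")
    # Every index used in the expression must have a subsignature. A number
    # directly after =, > or < (or a comma) is a match count, not an index.
    used = {int(n) for n in re.findall(r"(?<![=<>,\d])\d+", expr)}
    missing = sorted(i for i in used if i >= len(subsigs))
    if missing:
        raise ValueError(f"expression references undefined subsigs {missing}")
    return {"name": name, "target": target, "expr": expr,
            "subsigs": [decode_subsig(s) for s in subsigs]}


if __name__ == "__main__":
    sig = parse_ldb(SIG)
    print(sig["name"], sig["target"], sig["expr"])  # Target:1 = PE files
    for idx, (enc, text) in enumerate(sig["subsigs"]):
        print(f"  subsig {idx}: {enc:9} {text!r}")
```
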