Tools:

• Razorback
• PE-Sig

Web Tools:

• SO Rule Generator

Mind Games:

• AWBO Exercises

Papers:

• Index

See also:

• VRT Blog
• Snort.org

Contact:

• Sourcefire VRT
  research @ sourcefire . com
• Other Methods and PGP Key

The following is a list of md5sums of malware samples which have displayed the behavior detected by SID 16845:

0136736c5b62df864d2a9a1b004efc47
03108379df90963dcbd488c8f389905b
0395534a2aec5fde2d0ae35b2a681406
046fb7f61920f1286e2dc4ee3bc331e0
046ff1d7db2c6cf7dd4e146a803aa8d4
0db86bf5b77f88014c4c6677bde45c3c
1017f6a06e98437436d7e7fe32ef0b45
1095cd0588a99c3e644ca440baf9e47a
1199bd72ca30f2e36fd21d4a9675289a
14728f8dac26b13488e252e362834195
14a10a831f3d13e9406604e84d520460
14c68623320338ed705a77f8c05590e8
1781b2a075354a2b751e37bbb4d96fd7
181385a2900edd9e5820c96a1a512d37
19fe7e0b6e16605110707a81a8630d98
1f6463378864a74fa672442e13e9812c
218bb6345a312221d34f579543bfeb5a
225e11b68fe4923ce1ed2db9d86642d2
22bf9742f03ff70f5ec29478616c29ae
23b9ea3786df8d6ddb312e29045c1de7
251ff67b632111f72acf9e9f89d6c969
26f7aedf8f1599e0f75657003b2dcc01
271083c345c9227d80ae87dd20c7d9d6
29dbf12fa6bd3865db8a5a8edb1f218f
2df025212bd2cf41567480b02271c4d9
30004f794a5eefe16dd25d0a4ec04b15
305e62002f21ac9f2b606c575f9078a0
30aeb20f2a893b68fc3074811bf75f53
315af6714ed1fb5e5c23ab95951ea817
3892c6a95fca1d905603b02afdb87030
398b569711b1f9220ac195b9868ba26d
3ca6a2cfeef7ef06ad29552498ec4435
3d45dda4a5483fdf5e53082d9a4bd5f5
3e069da76fbf15f9b48c497187b21a8b
447e9b0e7880dba544d72a6cdf280040
4497ed845864f47dd2e9add4be9e048a
4553a653e762315e199eb60a2ff6c310
45c1295063c5c48948e99f345c3b0ecc
48616ec9c4d69794d4db7ed21ca92f98
49963938d50b26e38b5d88374a2fc151
4997aad5e545f5280bd2761ced876cd0
49a640975fc6f54ba87a84ab2fc68d7f
4b96cc872f0b07f9b029258b5bb31803
4ddaca3c59fa24d2fce7eab0cc90ed60
4e57820f652b29aa0330065366eba727
4f10be7c3fc23e749082f0f01cf3f844
4f1fdb79362a37ea52dcad618a74fece
51f3591dbb96f416fb2648702283f9bf
55bd30e6db4a5ace97bee8023a15c9d6
58f27ed0caf784c08e9954e14839c8bc
5955aa98d77d1487a3d9a2d8e30312d2
5a9e9640b4043b73c3948a542228b235
5a9f402de4f730affd3c0522c1d19bd5
5b1c680031c4314ccf8f6d3c3382abf5
5cc5f9df922f22c1367afc0b43a1de7b
5d2c231669f22b862d0422e0f3f2413a
5d322177c7dc0f7be3bd27746ff45fac
5e1e146e086f469445fa6d57549bb3b6
5ec51130793be698c53045d23568db3b
5f1a3ee0fd992d7694df986d9dc3fa94
60773e9288fa36468263c30dec69c05f
6399433df838873416d897f95ac4832c
6da32a6201c7f3533a7f4ba951bfad9b
6f6089e368508b4f8a3de403b999fb38
6f785f7186e4d9b9d780a9ddf5c5c5c9
6fefd54f111aa0fda1c9161b3f9f32d4
7154fa65416dc375d156c8d2f6b66489
71d93c9295dfc7e59f38c7894714cff1
721fe9c48e8b9a0486cb2167ee7fa39f
755ffb7fff5154732ad310d64ac6a4d4
78b26356d4d5d5f379a1d08b2f50e2ba
791d81162a956b2bedbbcc7462a568a1
7b917df8ede8869596ae2077e82589cb
7c64860c9f50a958efd89797c4d3ec7d
7c8c07465bcc651b9e48b2c4ccb88d10
7c9ec025f7eb08cb137b5becd7aa5efd
8facc8bbbdfb27b11fcceb1ae4d6255c
91ee27cfbecb03495389fe26ac3490cd
930cdddaeddef0e6da5918918bf1aada
94b898add8102e79dfed9b45d6649c7f
9663184bfb75a8a9e181ce7c8da3eae6
966d4dd8cc685959671f14abb167a0c8
96911055514490d2b0974ffdc9e461c6
96b01d8a584e87782a2b83f664eab56e
97149b7e17108c9d969182708b7389e1
974758e8fc13246f2aefb5c54e5540a9
9a45a6f97e4eb1d77b796344947e52e3
9de6c093b3dfa5a4ed9ce49a5dc5a5a4
9fe4c4138fcead485eba07e0972817c0
a15262f1f2c6f86e7b77d494ef471557
a2862f913eb25f3b20fffd4279a79865
a2fa058cccaa8aa245f99523271c9247
a3a67bf59acefd75903b591a6912f5ce
a5c0e3ded05f2e7f2f780200ec60afd5
a5cb6fbb956f9ee80ae8e3d67364c881
a7ba9c99047492131ec4cfaa1c9631e5
aba8a5e0ed3d3abfbb8018510cbe8434
ad8063652d95af41ba26927acc816e0c
ae1e00c64c59537f66a461492bc19a32
ae5ce0faeee8962a0bc0c81019ab5629
b10a29c3c4f64c52f082fb34db447b6b
b12b338d38e9fe44fb38cf96186046ac
b3be5e20e18f3c28c56a902b9e13a88c
b457fdc304f8a3bbfe32293592902670
b64aa20ad3e61d2cb0bfbb9b64ea346c
b67a66ec073266027fd0381f399c1fa8
b7838b6236659bdda18b0a974c06df62
ba8c6b2cd42b866a249e26cd87f0a4d1
bf0ee3d00e59a0835a0e0dfb6b29cf29
c19a5c225e82af00180f08b1329f26a3
c1a5a28b295aae19343abc3540e54da6
c1bbf7c54b57c835c837fb65539e92a4
c226123e2d36d773e8c91c4b9b1bb440
c4373720bf8166d3555ba7cb84b4eb7f
c69be22dd6796858fd2ce20848d31e82
c9035216020d0c5cbfc641950b201c6f
c9bed65a8b7cee0d5c19180dda8a771e
cb32c85112f4a96f2d83b6cf6217b574
cf3d2e6cfab567d440b28e67ee38cdda
d66befafd9cc56c10f43ed6f28c20f16
d686e3b7248290cbb5afadd83b305089
d6c0cb3e6d01c2879e9edfd2973cd436
d9fcc716618d282d6ace15e3ca50df44
de3ed8b68742451e2ee52a64e2872383
deba95b517bb68bb25c72b16f0645210
e0da08a8abe56447b5d6a537b91e7553
e1f600060e3c28ec6023acbff44060a7
e23c5b9e79ce8539fcaa823ae098d7ef
e302299b52890e8abf59761b6e379a64
e5cc6a79428c3f1b16a3111afc8e05b2
e60ecb1a4d14720c0d3ac5924e1a882f
e73573e77bd6854402dfd9dcab5ff9c7
ef5e101ac68eb2c6333c6568676a9461
f2ba9bef76a6f87089cebaceb044d596
f3d06d82a11e9ed37e3ae820b36b469b
f4bfbf4a5e0eebc61997277872e9fd75
f5d1a9ad4d7a8eb238d8a645d3d2d478
f64cd008d95a03b334ad9affcb439fdd
f9aec4201081364e4526f2f6ca7f2b97
fde5630364b658c4cfd3e3ad216f06a3

('')

About the Sourcefire Vulnerability Research Team

The Sourcefire Vulnerability Research Team (VRT) is a group of leading edge intrusion detection and prevention experts working to discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.

All materials contained on this site © Sourcefire VRT