Snort mailing list archives
Re: [Emerging-Sigs] Dridex sig
From: Joseph Feather <joseph.robert.feather () gmail com>
Date: Wed, 17 Jun 2015 16:40:15 -0400
Seeing same malware here https://malwr.com/analysis/YjZjNWVmZTg1ZWVjNDdhOTlkZDFlYjk4YWYxODY2NmE/

It uses a specific User Agent to pull down the files:

    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Malware Dridex C2"; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; pcre:"/[0-9]{8}\.txt/U"; classtype:trojan-activity; reference:url,https://malwr.com/analysis/YjZjNWVmZTg1ZWVjNDdhOTlkZDFlYjk4YWYxODY2NmE/; sid:9999999; rev:1;)

-Joe

On Wed, Jun 17, 2015 at 10:49 AM, James Lay <jlay () slave-tothe-box net> wrote:
> Meh...keep seeing this base64 encoded WScript, so here's a sig:
>
>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Dridex WScript Download"; flow:established,to_server; content:"|2f|89172387|2e|txt"; http_uri; fast_pattern:only; reference:url,malwr.com/analysis/MGRmZmFmNjk1MTNlNDNhN2IwYzEyODFlNWY0ZDAxYmM; classtype:trojan-activity; sid:10000161; rev:1;)
>
> If you see this hit, someone on your network has just opened a Dridex word doc in an email. Sanity checked only.
>
> James
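The two signatures in this thread, re-expressed as a Python check over constructed HTTP requests so the AND logic of Joe's rule (User-Agent header plus 8-digit .txt URI) can be seen against James's fixed-URI rule. This is added example code, not from either poster; the sample requests, the example.invalid host and the escaped-dot regex are assumptions for illustration.

```python
import re

# The two signatures from the thread, re-expressed as plain Python checks.
# Snort's content match is a substring match, so these use "in", not "==".
DRIDEX_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
EIGHT_DIGIT_TXT = re.compile(r"[0-9]{8}\.txt")   # the pcre, dot escaped
WSCRIPT_URI = "/89172387.txt"                    # |2f|89172387|2e|txt


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def match_dridex(raw):
    """Return the msg strings of the thread's rules that fire on a request."""
    _method, uri, headers = parse_request(raw)
    hits = []
    # Joe's rule: User-Agent content in the header AND 8-digit .txt in the URI.
    if DRIDEX_UA in headers.get("user-agent", "") and EIGHT_DIGIT_TXT.search(uri):
        hits.append("Malware Dridex C2")
    # James's rule: the fixed URI, regardless of User-Agent.
    if WSCRIPT_URI in uri:
        hits.append("MALWARE-OTHER Dridex WScript Download")
    return hits


# Constructed sample requests for illustration, not captured traffic.
SAMPLE_BOTH = ("GET /89172387.txt HTTP/1.1\r\nHost: example.invalid\r\n"
               "User-Agent: " + DRIDEX_UA + "\r\n\r\n")
SAMPLE_UA_ONLY = ("GET /notes.txt HTTP/1.1\r\nHost: example.invalid\r\n"
                  "User-Agent: " + DRIDEX_UA + "\r\n\r\n")
SAMPLE_CLEAN = ("GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
                "User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    for req in (SAMPLE_BOTH, SAMPLE_UA_ONLY, SAMPLE_CLEAN):
        print(parse_request(req)[1], "->", match_dridex(req))
```

The UA-only sample shows why Joe's rule pairs the header content with the URI pcre: the User-Agent string alone is not enough to fire it.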