Re: [Emerging-Sigs] Dridex sig

[Joseph Feather <joseph.robert.feather () gmail com>]

Seeing same malware here
https://malwr.com/analysis/YjZjNWVmZTg1ZWVjNDdhOTlkZDFlYjk4YWYxODY2NmE/

It uses a specific User Agent to pull down the files

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Malware Dridex C2";
content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B|
WinHttp.WinHttpRequest.5)"; http_header; pcre:"/[0-9]{8}.txt/";
classtype:trojan-activity; reference:url,
https://malwr.com/analysis/YjZjNWVmZTg1ZWVjNDdhOTlkZDFlYjk4YWYxODY2NmE/;
sid:9999999; rev:1;)

-Joe

On Wed, Jun 17, 2015 at 10:49 AM, James Lay <jlay () slave-tothe-box net>
wrote:

> Meh...keep seeing this base64 encoded WScript, so here's a sig:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
> Dridex WScript Download"; flow:established,to_server;
> content:"|2f|89172387|2e|txt"; http_uri; fast_pattern:only; reference:url,
> malwr.com/analysis/MGRmZmFmNjk1MTNlNDNhN2IwYzEyODFlNWY0ZDAxYmM;
> classtype:trojan-activity; sid:10000161; rev:1;)
>
> If you see this hit, someone on your network has just opened a Dridex word
> doc in an email.  Sanity checked only.
>
> James
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!