Snort mailing list archives
Re: Win.Trojan.Revenge RAT
From: Phillip Lee <phillile () sourcefire com>
Date: Thu, 22 Mar 2018 10:01:34 -0400
Dear Yaser,

This rule has been reviewed and added to the community ruleset (SID: 45961-45962). The only modifications made were:

1. First rule - fast_pattern:only content match longer
2. Second rule - remove 'dsize<12'

Thank you for your contribution.

Sincerely,
Phil Lee
Cisco Talos
On Feb 20, 2018, at 8:21 AM, Y M <snort () outlook com> wrote:

Hi Phillip,

The pcap is attached. Archive password is infected.

Thanks.
Have a good day
Yaser

From: Phillip Lee <phillile () sourcefire com>
Sent: Tuesday, February 20, 2018 3:15:12 PM
To: Y M
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Win.Trojan.Revenge RAT

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. Can you send along the pcaps that you have?

Regards,
Phil Lee
Cisco Talos

On Feb 20, 2018, at 3:24 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

The below rules are for detecting the Revenge RAT. Pcaps for the below hashes are available.

79bdbf9ec639d5ccf3992e9c9fe9eeba21d191dc168194a80b50f3aa8068892a
14731a5222178aba49a88b88da3f3de63bdee5dcc766c453af4d32a05942c686
518f7803ad1b8e630f50719d7cb3638ea5d67fa4d4387a55f44ddca4ef55a3ee
cf8a2495c95f1edf237ec8281b85e3ee127e2d15c8e5c6bebeb038e3e135134b
e7d4198bc93202434843459be2f8aff2a5effecf052e210b2d7df9ce55cca134
aeb64721415ebc354e81f8a90932a2b9708fe2907d749203678df6e91604336c
7b875f2fa6d638a8295af1ca88aaee6dd657ca31edddbfcc2fcaac1974d7c563
edb115dd5ca7c7f9dd069746daa0a4ee6298bf94de62510d3f8bebfa5f5a8bcd

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT outbound connection"; flow:to_server,established; content:"Information"; depth:11; content:"|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:9000039; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT inbound connection attempt"; flow:to_client,established; dsize:<12; content:"PNC|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:9000040; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

(Attachment: revengerat_cnc.zip)
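As an added example (not part of this thread, the submitted rules, or the Talos ruleset), a small Python check that decodes the two rules' content strings and applies their depth and dsize constraints to constructed payloads, so the difference between the submitted inbound rule (dsize:<12) and the accepted one (dsize removed) can be seen on concrete byte lengths. It assumes simplified Snort 2 semantics (content with depth searches only the first depth bytes of the TCP payload; dsize compares the whole payload length), and the sample payloads are made up.

```python
from typing import Optional

def parse_content(spec: str) -> bytes:
    """Decode a Snort 'content' string: text outside |...| is literal,
    text inside |...| is space-separated hex bytes (e.g. |2A 2D 5D| -> b'*-]')."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes(int(h, 16) for h in part.split())
    return bytes(out)

def content_matches(payload: bytes, spec: str, depth: Optional[int] = None) -> bool:
    """'content' with an optional 'depth': the whole pattern must sit within
    the first `depth` payload bytes; without depth it may appear anywhere."""
    haystack = payload if depth is None else payload[:depth]
    return parse_content(spec) in haystack

# The *-]NK[-* separator that both submitted rules key on.
MARKER = "|2A 2D 5D|NK|5B 2D 2A|"

def outbound_rule(payload: bytes) -> bool:
    """Body of sid 9000039: 'Information' within the first 11 bytes plus the marker."""
    return (content_matches(payload, "Information", depth=11)
            and content_matches(payload, MARKER))

def inbound_rule(payload: bytes, dsize_lt: Optional[int] = 12) -> bool:
    """Body of sid 9000040. dsize_lt=12 reproduces the submitted 'dsize:<12';
    dsize_lt=None reproduces the accepted rule with that option removed."""
    if dsize_lt is not None and len(payload) >= dsize_lt:
        return False
    return content_matches(payload, "PNC" + MARKER)

# Constructed sample payloads (not taken from the pcaps in the thread); the
# field contents are placeholders, only the separator matters for matching.
OUTBOUND = b"Information*-]NK[-*field1*-]NK[-*field2"
INBOUND_SHORT = b"PNC*-]NK[-*"            # 11 bytes: satisfies dsize:<12
INBOUND_LONG = b"PNC*-]NK[-*" + b"x" * 5  # 16 bytes: fails dsize:<12

if __name__ == "__main__":
    print("outbound:", outbound_rule(OUTBOUND))
    for p in (INBOUND_SHORT, INBOUND_LONG):
        print(len(p), "bytes  dsize:<12 ->", inbound_rule(p),
              " without dsize ->", inbound_rule(p, dsize_lt=None))
```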