Snort mailing list archives

Vbs.Downloader.Valyria


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 25 May 2018 18:51:14 +0000

Hi,

I have seen this in documents with vbs, which ultimately use PowerShell to download the next stage payload. The 
PowerShell uses a "random" user-agent with a specific pattern. Instead of hardcoding the user-agent per rule, pcre was 
used, though the rule can be considered weak. A pcap is available for this one.

# --------------------
# Date: 2018-05-24
# Title: Vbs.Downloader.Valyria
# Tests: pcap
# Reference: https://www.virustotal.com/#/file/7f3ead05a2ad90e342f0079274774d31c2dc9e84517f945f5e4f9f09f24a74e2/detection, https://www.virustotal.com/#/file/383800c26a0656930cd5ecf6ee102748c130b5a61578dcea5329280a70528e40/detection, https://www.virustotal.com/#/file/56b1b50f53fedffa04efb965bb7f6297e1cb34d9d4086e1ea3973f84a48ac0c3/detection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Downloader.Valyria known malicious user-agent"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: "; http_header; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/User-Agent\x3a\x20[A-Z0-9]{5}/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/7f3ead05a2ad90e342f0079274774d31c2dc9e84517f945f5e4f9f09f24a74e2/detection; reference:url,www.virustotal.com/#/file/383800c26a0656930cd5ecf6ee102748c130b5a61578dcea5329280a70528e40/detection; classtype:trojan-activity; sid:8000061; rev:1;)

Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
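To check what the rule above actually fires on before loading it, the following Python mirrors each content/pcre condition of sid:8000061 over raw HTTP request heads. This is an added example, not code from the post or the Snort project; the request samples are constructed, and it assumes the http_header buffer carries the terminating CRLFCRLF that the "Connection: Keep-Alive|0D 0A 0D 0A|" match depends on.

```python
import re

# The rule's own pcre. Snort content matches are case-sensitive without
# nocase, so the remaining conditions are plain substring checks.
UA_PCRE = re.compile(r"User-Agent\x3a\x20[A-Z0-9]{5}")

def split_request(raw: bytes):
    """Return (method, header_block) for a raw HTTP/1.x request head.

    header_block is the header lines plus the terminating CRLFCRLF
    (assumed to be present in the http_header buffer, as the rule needs).
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1") + "\r\n\r\n"
    request_line, _, header_block = head.partition("\r\n")
    return request_line.split(" ", 1)[0], header_block

def matches_valyria_rule(raw: bytes) -> bool:
    """True when every content/pcre condition of sid:8000061 holds."""
    method, header_block = split_request(raw)
    if method != "GET":
        return False
    if "User-Agent: " not in header_block:
        return False
    # Keep-Alive must be the final header: the CRLFCRLF is part of the match
    if "Connection: Keep-Alive\r\n\r\n" not in header_block:
        return False
    # Negated contents: these substrings anywhere in the headers (so also
    # 'Accept-Encoding', 'Content-Length', ...) stop the rule from firing
    if any(s in header_block for s in ("Accept", "Content", "Referer")):
        return False
    return UA_PCRE.search(header_block) is not None

# Constructed sample requests (not real captures)
DOWNLOADER = (b"GET /stage2.txt HTTP/1.1\r\nUser-Agent: K7QZ2\r\n"
              b"Host: example.invalid\r\nConnection: Keep-Alive\r\n\r\n")
BROWSER = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
           b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n"
           b"Connection: Keep-Alive\r\n\r\n")
# Same user-agent, but Keep-Alive is not the last header: a known false
# negative that shows where the rule is weak
REORDERED = (b"GET /stage2.txt HTTP/1.1\r\nUser-Agent: K7QZ2\r\n"
             b"Connection: Keep-Alive\r\nHost: example.invalid\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("downloader", DOWNLOADER), ("browser", BROWSER),
                      ("reordered", REORDERED)):
        print(name, matches_valyria_rule(req))
```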