Snort mailing list archives
Vbs.Downloader.Valyria
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 25 May 2018 18:51:14 +0000
Hi,

I have seen this in documents with VBS, which ultimately use PowerShell to download the next-stage payload. The PowerShell uses a "random" user-agent with a specific pattern. Instead of hardcoding the user-agent per rule, pcre was used, though the rule can be considered weak. A pcap is available for this one.

# --------------------
# Date: 2018-05-24
# Title: Vbs.Downloader.Valyria
# Tests: pcap
# Reference: https://www.virustotal.com/#/file/7f3ead05a2ad90e342f0079274774d31c2dc9e84517f945f5e4f9f09f24a74e2/detection,
#            https://www.virustotal.com/#/file/383800c26a0656930cd5ecf6ee102748c130b5a61578dcea5329280a70528e40/detection,
#            https://www.virustotal.com/#/file/56b1b50f53fedffa04efb965bb7f6297e1cb34d9d4086e1ea3973f84a48ac0c3/detection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Downloader.Valyria known malicious user-agent"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: "; http_header; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/User-Agent\x3a\x20[A-Z0-9]{5}/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/7f3ead05a2ad90e342f0079274774d31c2dc9e84517f945f5e4f9f09f24a74e2/detection; reference:url,www.virustotal.com/#/file/383800c26a0656930cd5ecf6ee102748c130b5a61578dcea5329280a70528e40/detection; classtype:trojan-activity; sid:8000061; rev:1;)

Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
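Editor's note (added example, not part of the post or of the Snort project): the rule above combines an http_method match, a required User-Agent header, a Connection: Keep-Alive header that must be the last one before the blank line, three negated header substrings and an unanchored pcre. The Python below restates those checks over raw HTTP/1.x requests so they can be exercised offline without Snort. It assumes that the http_header buffer includes the terminating CR LF CR LF (which the rule's Keep-Alive|0D 0A 0D 0A| match relies on), that content matches without nocase are case-sensitive substring searches, and that a negated content fires on any substring hit (so content:!"Accept" also suppresses requests carrying Accept-Language or Accept-Encoding). The sample requests are constructed for this example and are not taken from the pcap mentioned in the post; the longer all-caps user-agent shows that the pcre, lacking an end anchor, matches any user-agent whose first five characters are uppercase alphanumerics, which is the weakness the author alludes to.

```python
import re

# The rule's pcre, verbatim; /H in Snort means "run against the header buffer".
UA_PATTERN = re.compile(rb"User-Agent\x3a\x20[A-Z0-9]{5}")
# The three content:!"..." clauses; any substring hit anywhere in the headers suppresses the alert.
FORBIDDEN_HEADER_SUBSTRINGS = (b"Accept", b"Content", b"Referer")


def split_request(raw: bytes):
    """Return (method, header_block) for a raw HTTP/1.x request.

    header_block is everything after the request line up to and including the
    blank line that ends the headers. Assumption (see lead-in): Snort 2's
    http_header buffer keeps the terminating CR LF CR LF, so the rule's
    "Connection: Keep-Alive|0D 0A 0D 0A|" can only match when Connection is
    the final header.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method, headers + b"\r\n\r\n"


def matches_sid_8000061(raw: bytes) -> bool:
    """Approximate evaluation of the posted rule (sid:8000061) over one request."""
    method, hdr = split_request(raw)
    if method != b"GET":                                    # content:"GET"; http_method;
        return False
    if b"User-Agent: " not in hdr:                          # content:"User-Agent: "; http_header;
        return False
    if b"Connection: Keep-Alive\r\n\r\n" not in hdr:        # Keep-Alive must close the header block
        return False
    if any(s in hdr for s in FORBIDDEN_HEADER_SUBSTRINGS):  # content:!"Accept"/"Content"/"Referer"
        return False
    return UA_PATTERN.search(hdr) is not None               # pcre:"/User-Agent\x3a\x20[A-Z0-9]{5}/H"


# Constructed sample requests (not from the pcap referenced on the list).
SUSPECT = (
    b"GET /stage2.bin HTTP/1.1\r\n"
    b"User-Agent: QX7K2\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
BROWSER = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/60.0\r\n"
    b"Accept: text/html\r\n"
    b"Accept-Language: en-US\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# Same headers as SUSPECT but a ten-character all-caps user-agent: the pcre has no
# terminator after the five characters, so this fires as well (the rule's weakness).
LONG_UA = SUSPECT.replace(b"QX7K2", b"ABCDEFGHIJ")
# Same headers sent with POST: http_method excludes it.
POST_VARIANT = SUSPECT.replace(b"GET ", b"POST ")


def evaluate_samples():
    """Run the approximated rule over the constructed requests; returns {name: fired}."""
    samples = {"suspect": SUSPECT, "browser": BROWSER, "long_ua": LONG_UA, "post": POST_VARIANT}
    return {name: matches_sid_8000061(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:8s} -> {'ALERT' if fired else 'no alert'}")
```

To tighten the pcre against the prefix problem shown by the LONG_UA sample, the regex would need a terminator after the five characters (for example `\r\n`), at the cost of missing any variant that appends more text to the agent string; that trade-off is why the post calls the rule weak rather than wrong.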
Current thread:
- Vbs.Downloader.Valyria Y M via Snort-sigs (May 25)