Snort mailing list archives

Re: Suspicious DNS rule


From: James Lay via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 16 Aug 2018 08:50:56 -0600

On 2018-07-31 11:16, James Lay wrote:
So ok... I got three samples, two Agent Tesla, one FormBook, all
exhibit the following:

list of samples on any_run:

https://app.any.run/tasks/33d3e229-fba7-476b-8ec9-7464eacb1ca3
https://app.any.run/tasks/6d9371e7-249b-47d1-bbbb-cf66dd34e30b
https://app.any.run/tasks/065b87cb-a6d3-4dc7-a06f-a893281b4263

these requests show up funky:

My only guess is a specific packer is calling out, as the three samples
are all .NET. Anyway, sig below:

alert udp $HOME_NET any -> any 53 (msg:"Suspicious DNS Request";
content:"|01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00|";
fast_pattern:only; classtype:trojan-activity; sid:XXXXXX; rev:1;
metadata:created_at 2018_07_31;)

If someone has any more insight, I'd love to know what this really is.
Thank you.

James


And circling back on this, it turns out to be this in punycode:

xn--5na[.]org

Still fails to resolve, but getting closer to finding out the cause.

James
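The hex in the posted rule's content match is the DNS header minus the 16-bit transaction ID (flags 0x0100, QDCOUNT 1, the three zero counts) followed by the QNAME. Below is an added example, not code from the thread or from Snort, that parses those bytes, recovers the labels, and runs the name through Python's IDNA codec. The only real input is the rule's hex; the function names are mine. What it shows is that the first label on the wire is the raw UTF-8 of U+02B1 (modifier letter small h with hook), not an ASCII xn-- label, and that IDNA's nameprep step maps U+02B1 to U+0266 before Punycode, which is why the encoded form comes out as xn--5na rather than the xn--bqa you would get from Punycode alone.

```python
"""Decode the QNAME pinned down by the Snort content match above.

Added example, not from the Snort-sigs thread or the Snort project.
Only RULE_CONTENT_HEX is taken from the posted rule; the rest is
illustrative and the function names are assumptions.
"""
import struct

# Bytes from the rule's content match: DNS header *after* the 16-bit
# transaction ID (flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT), then QNAME.
RULE_CONTENT_HEX = "01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00"


def parse_rule_content(hex_str: str) -> dict:
    """Parse the header tail and QNAME labels from a Snort '|..|' hex string."""
    data = bytes.fromhex(hex_str)
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", data[:10])
    labels = []
    pos = 10
    while True:
        length = data[pos]
        pos += 1
        if length == 0:          # root label terminates the QNAME
            break
        if length & 0xC0:        # 11xxxxxx = compression pointer; never valid in a query QNAME
            raise ValueError("compression pointer in query QNAME")
        labels.append(data[pos:pos + length])
        pos += length
    return {
        "flags": flags,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
        "labels": labels,
    }


def qname_to_idna(labels: list) -> tuple:
    """Return (unicode form, IDNA ASCII form, True if every wire byte was ASCII).

    A hostname label on the wire should be ASCII (RFC 1035); IDNs are
    supposed to be sent as xn-- labels.  Here the label is raw UTF-8, so the
    third value is False.  Python's idna codec applies nameprep (including
    NFKC-style mapping) before Punycode, so U+02B1 -> U+0266 -> xn--5na.
    """
    is_ascii = all(b < 0x80 for lbl in labels for b in lbl)
    unicode_name = ".".join(lbl.decode("utf-8") for lbl in labels)
    ascii_name = unicode_name.encode("idna").decode("ascii")
    return unicode_name, ascii_name, is_ascii


def raw_punycode(label: str) -> str:
    """Punycode without the IDNA mapping step, to show where xn--5na comes from."""
    return label.encode("punycode").decode("ascii")


if __name__ == "__main__":
    parsed = parse_rule_content(RULE_CONTENT_HEX)
    uni, idna_form, ascii_on_wire = qname_to_idna(parsed["labels"])
    print("labels on wire :", parsed["labels"])
    print("unicode name   :", uni)
    print("IDNA form      :", idna_form)
    print("ASCII on wire? :", ascii_on_wire)
    print("punycode(U+02B1):", raw_punycode("\u02b1"), " punycode(U+0266):", raw_punycode("\u0266"))
```

Because the wire label is the UTF-8 bytes rather than "xn--5na", a resolver does not see the same name as the IDNA-encoded xn--5na.org; the rule's hex match is on the raw bytes, so it keys on exactly what the samples send.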
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
