Re: Additional rules for detecting Emotet - Trickbot - IcedID banking malware

[Marcos Rodriguez <mrodriguez () sourcefire com>]

On Thu, Jun 28, 2018 at 1:43 AM, Lenny Hansson <lenny () netcowboy dk> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi all
> I have made some additional rules for detecting Emotet - Trickbot -
> IcedID banking malware.
>
> If you like them then feel free to use them. If you find false positives
> please let me know.
>
> (Trickbot Banking Malware - Network Collector Module)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Trickbot Banking
> Malware - Network Collector Module - No alert";
> flow:to_server,established; content:"User-Agent|3A 20|test"; nocase;
> flowbits:set,NF-trickbot; flowbits:noalert;
> reference:url,networkforensic.dk; metadata:26062018;
> classtype:trojan-activity; sid:5025901; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Trickbot Banking
> Malware - Network Collector Module"; flow:to_server,established;
> content:"|2d 2d|Arasfjasu7"; fast_pattern; nocase; content:"|3d
> 22|proclist|22|"; content:"|3d 22|sysinfo|22|";
> flowbits:isset,NF-trickbot; reference:url,networkforensic.dk;
> metadata:26062018; classtype:trojan-activity; sid:5025902; rev:1;)
>
> (Emotet Banking Malware - whoami lookups)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Emotet Banking
> Malware - whoami - No Alert"; flow:to_server,established;
> content:"/whoami.php"; depth:15; fast_pattern;
> content:"Cache|2d|Control|3a 20|no|2d|cache"; flowbits:set,NF-twhoami;
> flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018;
> classtype:trojan-activity; sid:5025903; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NF - Emotet Banking
> Malware - whoami lookup"; flow:to_client,established; content:"|32 30 30
> 20 4f 4b|"; fast_pattern; content:"Connection|3a 20|keep|2d|alive";
> flowbits:isset,NF-twhoami; reference:url,networkforensic.dk;
> metadata:27062018; classtype:trojan-activity; sid:5025904; rev:1;)
>
> (Emotet Banking Malware - IcedID payload download)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - Emotet Banking
> Malware - IcedID payload download - No alert";
> flow:to_server,established; content:"GET"; depth:3; http_method;
> pcre:"/\/[a-zA-Z0-9]{4,10}\//iU"; Content:"Connection|3a
> 20|Keep|2d|Alive"; nocase; flowbits:set,NF-IcedID; flowbits:noalert;
> reference:url,networkforensic.dk; metadata:27062018;
> classtype:trojan-activity; sid:5025905; rev:1;)
>
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Emotet Banking
> Malware - IcedID payload download"; flow:from_server,established;
> content:"200"; http_stat_code; content:"Cache|2d|Control|3a
> 20|no|2d|cache|2c 20|no|2d|store|2c 20|max|2d|age|3d|0|2c
> 20|must|2d|revalidate"; nocase; fast_pattern;
> content:"Content|2d|Disposition|3a 20|attachment|3b 20|";
> pcre:"/filename=\"[a-zA-Z0-9]{4,6}.exe\"/"; flowbits:isset,NF-IcedID;
> reference:url,networkforensic.dk; metadata:27062018;
> classtype:trojan-activity; sid:5025906; rev:1;)
>
>
> - --
> Best Regards
> Lenny Hansson

Hi Lenny,

Thanks for these submissions. We will review each of them and get back to
you when finished.


-- 
Marcos Rodriguez
Cisco Talos

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!