Snort mailing list archives
Multiple signatures 016
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 25 Oct 2018 15:24:57 +0000
Hi, Hope all sig makers are doing great today. Pcaps and Yara/ClamAV signatures are available for all of the cases below. Thank you.
# --------------------
# Date: 2018-10-06
# Title: ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)
# Reference: Triage from: https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/
# Tests: pcap
# Yara:
# - TOOL_PWS_LaZagne
# ClamAV:
# - TOOL.PWS.LaZagne
# Hashes:
# - cb197616e12daff971b86544eb06554583e95b137b69a4b7cbe83c7de2a38948
# - 29eadfb89fa2af7567f34b20778c1dc2a1be2f5b8aa84f642da0291a68de32d0
# - 1c963f531b1870f8edffcc9a9a96019c296801f69ea0a9dda555d91cf791a837
# - 2c90585b53a28a3413099c94c38f250ca5b17f72ddf6a4e346421eb0a6bdd881
# - 82cbdd4822630e179b685733490dc61db4761151656e1663ab91430f32ce86b6
# - 0e1320fd39174b14b7e817491d5e95807e66226d60659a07eb0e4bdedb06bea1
# Notes:
# - Rules 8000373/8000374: POST to a *_gate.php script carrying a multipart file part.
#   |3B| name=|22|file|22| is the part header `; name="file"` (0x3B ';', 0x22 '"') in the
#   normalized client body; the gate path in the URI is the fast pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader / ZeroEvil variant outbound connection"; flow:to_server,established; content:"/logs_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000373; rev:1;)
# Same body part as 8000373, different gate script (plugin_gate.php).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound connection"; flow:to_server,established; content:"/plugin_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000374; rev:1;)
# /gate.php alone is too generic, so this rule also requires a "version=" POST parameter
# whose value is groups of three digits each followed by %5F (in the PCRE, \x3d is '=' and
# \x25 is '%' followed by the literal characters "5F"; the /P flag limits the regex to the
# normalized client body) and requires that no Referer header is present.
# NOTE(review): fast_pattern is set explicitly on "version=" rather than the slightly
# longer "/gate.php"; both are short and common in benign traffic, so check against the
# pcaps/traffic which one prunes more candidates before the full rule is evaluated.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant / ZeroEvil outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"version="; http_client_body; fast_pattern; content:!"Referer"; http_header; pcre:"/version\x3d([0-9]{3}\x255F)+/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000375; rev:1;)
# Screenshot upload: the hwid= query parameter on screenshot_gate.php is the only match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound connection"; flow:to_server,established; content:"/screenshot_gate.php?hwid="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000376; rev:1;)
# --------------------
# Date: 2018-10-10
# Title: MuddyWater
# Reference: Triage from:
# - https://s.tencent.com/research/report/509.html
# - https://securelist.com/muddywater/88059/
# Tests: pcap
# Yara:
# - FILE_OFFICE_OLE_Dropper_Doc
# - TOOL_CNC_Shootback
# - TOOL_PWS_Credstealer
# ClamAV:
# - FILE_OFFICE.OLE.Dropper.Doc
# - TOOL_PWS.Credstealer
# - TOOL_CNC.Shootback
# - Doc.Dropper.Agent-HSB1
# - Doc.Dropper.Agent-HSB2
# - Doc.Dropper.Agent-HSB3
# - Doc.Dropper.Agent-HSB4
# Hashes:
# - 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0: Composite Document File V2 Document
# - 153117aa54492ca955b540ac0a8c21c1be98e9f7dd8636a36d73581ec1ddcf58: Composite Document File V2 Document
# - 18479a93fc2d5acd7d71d596f27a5834b2b236b44219bb08f6ca06cf760b74f6: Composite Document File V2 Document
# - 18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd: Composite Document File V2 Document
# - 209fb398318a0d346b933b0c408467fce8dea36c10cd0f69ce4b342e28cee9dc: Composite Document File V2 Document
# - 2a49d29d58d4d962bee5430e40f488bb79ebab92cf13db5bb4708f3eaf95caed: Composite Document File V2 Document
# - 2cea0b740f338c513a6390e7951ff3371f44c7c928abf14675b49358a03a5d13: Composite Document File V2 Document
# - 38556ba0b512636006c00b51f24ac92755bd1f1b21b4ae1812abf6bf9543221e: Composite Document File V2 Document
# - 3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb: Composite Document File V2 Document
# - 3eb27ecfbe5381b9cf4dcba2486e9773d9893b92c95032be784e0d2198740539: Composite Document File V2 Document
# - 3f14a1210d1f2cdb916275bf32cb49159b6f49a54f246bdcb0e967cd0edb8e82: Composite Document File V2 Document
# - (hash list continues below)
# - 40ffcbf044ec951242a92a09b6a239183def2e74fc18e5975fa70e849d875a2e: Composite Document File V2 Document
# - 41a32a19c78a542ab4d0701c31d9ef6c7f019c9bc604ab9415f4790b7ac6c591: Composite Document File V2 Document
# - 5c7d16bd89ef37fe02cac1851e7214a01636ee4061a80bfdbde3a2d199721a79: Composite Document File V2 Document
# - 5f2a6601d349af00a4cc101a638003af2f330879c333168cbf6a7a123dfb3928: Composite Document File V2 Document
# - 6a68e8b12960257621cb89f979c1fbbd0f13c2338fad0f64e133deb95c99b2f9: Composite Document File V2 Document
# - 707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024: Composite Document File V2 Document
# - 76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338: Composite Document File V2 Document
# - 818253f297fea7d8a2324ee1a233aabbaf3b0b4b9cdaa1ebd676fe00f2247388: PE32+ executable (console) x86-64, for MS Windows
# - 9038ba1b7991ff38b802f28c0e006d12d466a8e374d2f2a83a039aabcbe76f5c: Composite Document File V2 Document
# - 94625dd8151814dd6186735a6a6a87b2a4c71c04b8402caf314fb6f98434eaad: Composite Document File V2 Document
# - abc269676eab9cf71f4f00195d1be02c10ea5bfb383fa1396dc108e0f6f9b9be: Composite Document File V2 Document
# - b9c70adbc731b1b2779ab35bb0fab29ae703e2a4a7214c5e2749b02daf326a9b: Composite Document File V2 Document
# - bbcafdb4fd7bf107d8b85934286d531536b7a0a30e5eeed07e27f0f7afcf8a77: Composite Document File V2 Document
# - bfb4fc96c1ba657107c7c60845f6ab720634c8a9214943b5221378a37a8916cd: Composite Document File V2 Document
# - c87799cce6d65158da97aa31a5160a0a6b6dd5a89dea312604cc66ed5e976cc9: Composite Document File V2 Document
# - eff78c23790ee834f773569b52cddb01dc3c4dd9660f5a476af044ef6fe73894: Composite Document File V2 Document
# - f2f573af0f76fe0f21bbe630a4bb50b1c1836eb24429bfb8c93673276f27e374: Composite Document File V2 Document
# - f6707b5f41192353be3311fc7f48ee30465038366386b909e6cefaade70c91bc: PE32+ executable (console) x86-64, for MS Windows
# Four independent http_uri matches with no distance/within, so the query parameters may
# appear in any order; &type=info is the fast pattern. Each parameter name is generic on
# its own - the signal is the combination (t=, type=info, f=s, id=) on a main.php path.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.Agent outbound connection"; flow:to_server,established; content:"/main.php?t="; http_uri; content:"&type=info"; http_uri; fast_pattern:only; content:"&f=s"; http_uri; content:"&id="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000378; rev:1;)
# --------------------
# Date: 2018-10-23
# Title: Win.Trojan.Micropsia
# Reference: Research
# Tests: pcap + sandbox
# Yara:
# - MALWARE_Win_Trojan_Micropsia
# ClamAV:
# - MALWARE_Win.Trojan.Micropsia-1
# - MALWARE_Win.Trojan.Micropsia-2
# Hashes:
# - 0180e2b601ae643e7adf1784c313dd2d10d114bd2b5692eb6e9c031a6e448ed1
# - 027b1042621f86394fd7da27c5310e4906f41b96f6e5474875e63d39b32a9c11
# - 0d05f333f1ce2567eb8f42f7a9098a7e044b1cccac9133d65872445608c89665
# - 228ea63f4f03e98aae13fafc4d850f7cdd6344fa824427f7ec42f31a2ae8345d
# - 3522805eba6bf69f801028252985bd71437875db051c2ed2c8d9f40cefc86edb
# - 368845729255ab7fcfb5c0b6c153929d5ccb8d1f9a40cc02ca7c026b4b6813ec
# - 370f8196b9351289796df63d927e496107d3d6af26272bddf769721beee7de91
# - 5bab8a360d1d08e37e4e6c052f7fce13a291ad9b99f950770a647222bfc4d6b4
# - 75329e7b79284f63c1383244b20fb0d9c4bb1e9c4feba04307f1223db30c9203
# - 9cb5ef0b17eea1a43d5d323277e08645574c53ab1f65b0031a6fc323f52b0079
# - b60bca59de9c7f9c796de3e5c3a1466c0929c7355f4db8c59548af357777e59b
# - b6f8b5ba026af863e878eded79f40e5efa1dd7ce725cd0479e5f062dbf4fdd4f
# - c4e79e151986dc5e16ce763321de90d8c214909df7210ec05e590c4375423a76
# - dd185667015d23438a994adc9e9b30572a1e7479c05f563e0b6c71b8c6023685
# - e326d427695efc1f1eea5f86b545d16b46b45ef3cc0151e22d8a583f391571a9
# - e477b5e00699a9ccb3868de543c29087042fd44c631f8fcda5faaf7922382146
# - effa0e01adad08ae4bc787678ce67510d013a06d1a10d39ec6b19e2449e25fbd
# - f70681c7e8ab419fd0938802a823337abad936cccc0ace9ee232f2b874e561f1
# - fb95a719c4b26bb577cea5837cac6ba9fdfcfd240bc2fc7b1d0759bf392d5191
# Notes:
# - All three Micropsia rules key on the multipart boundary string -Embt-Boundary- and the
#   non-standard request header "Accept-Encoding: UTF8" (UTF8 is not an HTTP content-coding,
#   so ordinary clients do not send it - a useful discriminator on its own).
# - NOTE(review): -Embt-Boundary- looks like a boundary generated by the HTTP client library
#   the sample was built with rather than a string unique to this family; if benign software
#   built on the same library is present on the monitored network, expect false positives
#   and rely on the /api/ + Accept-Encoding combination. Confirm against the pcaps.
# Infection report: ::Windows must follow the boundary in the client body within 1000 bytes
# (within: is relative to the preceding -Embt-Boundary- match, which is the fast pattern).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant infection report outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; content:"-Embt-Boundary-"; fast_pattern; http_client_body; content:"::Windows"; within:1000; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000379; rev:1;)
# Screenshot exfiltration: boundary in the request headers (presumably the Content-Type
# boundary= parameter - the rule does not pin the header name) together with "Accept: image/".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant screenshot exfiltration outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"-Embt-Boundary-"; http_header; fast_pattern:only; content:"Accept: image/"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000380; rev:1;)
# Heartbeat: POST with "Googlebot" somewhere in the request headers (presumably the
# User-Agent - a client in $HOME_NET claiming to be a crawler is itself suspicious), plus the
# boundary in both the headers and the body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant heartbeat outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/"; http_uri; content:"Googlebot"; http_header; fast_pattern:only; content:"-Embt-Boundary-"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; content:"-Embt-Boundary-"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000381; rev:1;)
# --------------------
# Date: 2018-07-25, Updated: 2018-10-23
# Title: AgentTesla SMTP Exfil.
# Reference: Research
# Test: pcap + sandbox
# Yara:
# - MALWARE_Win_Keylogger_AgentTesla
# ClamAV:
# - MALWARE_Win.Keylogger.AgentTesla-1
# - MALWARE_Win.Keylogger.AgentTesla-2
# - MALWARE_Win.Keylogger.AgentTesla-3
# Hashes:
# - 030228c5caa62e7727e0a664ef18fdf5663e7edbc2d2f7e5c38bf06526a5023e
# - 0c5f9ab0d84eada4be9e6f86cf81a2b3dd0fbb708342eded078a152490ceb15e
# - b9253b60188214a143b2b7d2b0a3b1adb1d0834b6fc231b9da7b61c9c3184e92
# - 4827ceccbdd20c966bdaa3648f67cb82f319bcbc1766dd134c4fac3f5483179e
# - Updated:
# - 0676b96e49d703a5d09f4b42d108a725603f17da080fc8a7a182bf63eac0ec39
# - 4aa0b4fb7554a5dbaca53bcdc3bc6f69fd1772d444d29c5513bc95d2b49c1c97
# - 4aa2b0ad01e19160db78a327fa0080f13ef0b6fb514b36d64430a4f08d356385
# - 58fe2c7eddb9e31a670eee8397031608f6f1bb30dc1b92df6565551f0118599c
# - 5a5d5b0c3917a59751c4c8404f9711b07395f058a29187fc3a37c2db94a0cc64
# - 64d85ae3f57011ed0b6795712ec436c1ad85c6775fb00c71a1bec6d379950484
# - 869799260e8fe99eca1de03f9baf4de1388de7f7ef41fb70eb03c9cd56dc6e24
# - 97b42e993ec5a3a94e684a12e231cba6a67fab8ff5aa2e4be1ba15a01f015784
# - 98939aa778b7528b635c5336dfd9d7a3ca292de233c2866e50408af34b211921
# - a0b515b02f3e9a6a8738ba40dc2dbb6cecc375b0a69bf44b4a33a7daafeac29a
# - a8605e3124ea7db12ae794943e1aeeeadb9c8563a81be4060d95f9d370d9fbf9
# - c3521771621a724196f6b89fb3ed9fd1c1567dd0157d11a2c060b41128f7cbb9
# - c36a1a233fe7b9a4ef5418000825636bd67c6582a7215a9a82ea863374805ab9
# - d21242ac305be4cbb3ea072ddfe56be87965ea37a1d85808cee1926018c44395
# - e21cc93868d9a1126bc7563a56387477ac9aece7dcc7c17dbd4f0c0c1848a886
# - f2968fc4d637bc878207c704b7984014cc9a04f468d8242576fe9bf7a4d57659
# Notes:
# - CVE-2017-11882 > opendir(s) > dropped binary.
# - opendir(s) files dumped (see screenshots).
# - the "test.doc" is also a CVE-2017-11882.
# - operated by "operations[at]tms-tamkers[.]com"
# - sid 8000207 was utterly wrong, fixed in rev:2.
# - Both rules key on the message Subject: header inside the SMTP DATA stream: |0D 0A|Subject:
#   anchors on the start of a header line, and the subject prefix must occur within 150 bytes
#   of that anchor (within: is relative to the preceding match). The prefix is the fast pattern.
# - NOTE(review): these are cleartext content matches on port 587 only. A session that
#   negotiates STARTTLS before DATA, or exfil over 465 (implicit TLS), cannot be seen by
#   either rule, and exfil over port 25 is not covered. Widening the destination port to
#   [25,587] is cheap and backward-compatible; confirm against the pcaps before changing it.
# - NOTE(review): 8000207 and 8000382 carry an identical msg; giving 8000382 a distinct
#   msg (e.g. mentioning screen capture) would make the two alerts distinguishable.
alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:"Passwords Recovered From: "; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000207; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:"Screen Capture From: "; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000382; rev:1;)