Snort mailing list archives

Dridex/Kryptik Pascal Library X-Mailer sig


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 21 May 2015 11:33:36 -0600

Saw a fair number of malicious emails with:

X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer

set.  These included this type of malicious link (brackets added):

meows://www.google[.]com/url?q=meows%3A%2F%2Fcopy[.]com%2FBmlHcclqSfe7COabPactDgg%2FWire_%2520transfer411A.zip%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNHGxjvBdYV5kCQpDyaS4LSYSl1pOA

These lead to badness:

https://www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/
https://www.hybrid-analysis.com/search?query=d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43+

Below should catch this particular mailer:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Possible Malicious Email with Pascal TCP/IP library X-mailer"; flow:to_server,established; content:"X-mailer|3a| Synapse - Pascal TCP|2f|IP library by Lukas Gebauer"; fast_pattern:only; classtype:bad-unknown; sid:10000160; rev:1;)

James
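The rule above matches the X-mailer header as a case-sensitive byte string and does nothing with the link the message carries. The script below is an added example, not James Lay's code and not part of Snort: it expands the rule's content: pattern (including the |3a| and |2f| hex escapes) into bytes, runs it against a constructed SMTP DATA payload, parses the X-Mailer header properly so the check is case-insensitive, and unwraps the www.google.com/url?q= redirect to recover the real download URL. The sample message is constructed and points at example.test; only its shape follows the post.

```python
"""Check an SMTP DATA payload for the Synapse X-mailer indicator and unwrap
the google.com/url redirect around the payload link.

Added example; not the poster's code and not Snort's.  SAMPLE_MESSAGE is a
constructed message: the header value is the one from the post, the link
mirrors the google.com/url?q= wrapper shape but points at example.test.
"""
import re
from email import message_from_bytes
from email.policy import default as _default_policy
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# The content: pattern exactly as written in the posted Snort rule.
RULE_CONTENT = "X-mailer|3a| Synapse - Pascal TCP|2f|IP library by Lukas Gebauer"

# Constructed sample DATA payload (not a captured message).
SAMPLE_MESSAGE = (
    b"From: accounts@example.test\r\n"
    b"To: victim@example.test\r\n"
    b"Subject: Wire transfer\r\n"
    b"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please review the attached wire transfer:\r\n"
    b"http://www.google.com/url?q=http%3A%2F%2Fexample.test%2FWire_transfer.zip"
    b"%3Fdownload%3D1&sa=D&sntz=1&usg=ABC\r\n"
)

GOOGLE_REDIRECT_HOSTS = {"www.google.com", "google.com"}
URL_RE = re.compile(rb"https?://[^\s<>\"']+")


def snort_content_to_bytes(content: str) -> bytes:
    """Expand a Snort content: string into raw bytes, decoding |hex| sections."""
    out = bytearray()
    for i, piece in enumerate(content.split("|")):
        if i % 2 == 0:
            out += piece.encode("latin-1")   # literal text between the bars
        else:
            out += bytes.fromhex(piece)      # hex bytes, e.g. "3a" -> b":"
    return bytes(out)


def content_matches(payload: bytes, content: str = RULE_CONTENT,
                    nocase: bool = False) -> bool:
    """Emulate a Snort content: match; nocase mirrors the rule modifier."""
    needle = snort_content_to_bytes(content)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def x_mailer_header(payload: bytes) -> Optional[str]:
    """Parse the headers and return X-Mailer; header names are case-insensitive."""
    msg = message_from_bytes(payload, policy=_default_policy)
    value = msg["X-Mailer"]
    return str(value) if value is not None else None


def unwrap_google_redirect(url: str) -> str:
    """Return the q= target of a google.com/url redirect, else the url unchanged."""
    parts = urlparse(url)
    if parts.netloc.lower() in GOOGLE_REDIRECT_HOSTS and parts.path == "/url":
        q = parse_qs(parts.query).get("q")   # parse_qs already percent-decodes
        if q:
            return q[0]
    return url


def extract_urls(payload: bytes) -> List[str]:
    """Pull http(s) URLs out of the raw payload."""
    return [m.decode("latin-1") for m in URL_RE.findall(payload)]


def analyze(payload: bytes) -> dict:
    """Run the indicator check and link unwrapping over one DATA payload."""
    urls = extract_urls(payload)
    return {
        "rule_hit": content_matches(payload),                 # as the posted rule behaves
        "rule_hit_nocase": content_matches(payload, nocase=True),
        "x_mailer": x_mailer_header(payload),
        "urls": urls,
        "final_urls": [unwrap_google_redirect(u) for u in urls],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_MESSAGE), indent=2))
    # Same message with the header capitalised as many mailers emit it:
    variant = SAMPLE_MESSAGE.replace(b"X-mailer:", b"X-Mailer:")
    print("case-sensitive hit:", content_matches(variant),
          "nocase hit:", content_matches(variant, nocase=True))
```

Running it shows the caveat worth knowing before deploying the rule: a message carrying the same library tag with "X-Mailer:" capitalised is missed by the case-sensitive content: match but caught once nocase is added, while the header parser sees it either way.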

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

