Snort mailing list archives
Dridex/Kryptik Pascal Library X-Mailer sig
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 21 May 2015 11:33:36 -0600
Saw a fair bit of malicious emails with:

    X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer

set. These included this type of malicious link (brackets added):

    meows://www.google[.]com/url?q=meows%3A%2F%2Fcopy[.]com%2FBmlHcclqSfe7COabPactDgg%2FWire_%2520transfer411A.zip%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNHGxjvBdYV5kCQpDyaS4LSYSl1pOA

These lead to badness:

https://www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/
https://www.hybrid-analysis.com/search?query=d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43+

Below should catch this particular mailer:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Possible Malicious Email with Pascal TCP/IP library X-mailer"; flow:to_server,established; content:"X-mailer|3a| Synapse - Pascal TCP|2f|IP library by Lukas Gebauer"; fast_pattern:only; classtype:bad-unknown; sid:10000160; rev:1;)

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
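An added example, not part of James Lay's post or of the Snort project: the script below decodes the rule's content string (Snort's |hh| hex escapes) into the exact bytes the engine looks for, then runs that raw, case-sensitive byte match over two constructed SMTP message bodies and compares it with a parsed-header check. It illustrates one caveat worth knowing before deploying the rule: without nocase, the content match is case-sensitive, so a message whose header is spelled "X-Mailer:" rather than "X-mailer:" slips past the raw match while a header-aware check still flags it. The sample emails and their addresses are constructed for this demonstration.

```python
import re
from email import message_from_bytes

# The content option exactly as it appears in the rule from the post.
RULE_CONTENT = "X-mailer|3a| Synapse - Pascal TCP|2f|IP library by Lukas Gebauer"

# The X-Mailer value the post reports on the malicious emails.
MALICIOUS_XMAILER = "Synapse - Pascal TCP/IP library by Lukas Gebauer"


def snort_content_to_bytes(content: str) -> bytes:
    """Decode Snort content syntax: literal text with |hh hh ...| hex runs."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")       # literal segment
        else:
            out += bytes.fromhex(part)          # hex segment, spaces allowed
    return bytes(out)


def raw_payload_match(smtp_data: bytes) -> bool:
    """Mimic the rule's behaviour: case-sensitive byte search anywhere in the payload."""
    return snort_content_to_bytes(RULE_CONTENT) in smtp_data


def header_match(smtp_data: bytes) -> bool:
    """Parse the message and compare the X-Mailer header value (header names are
    case-insensitive in RFC 5322, so 'X-mailer' and 'X-Mailer' both resolve)."""
    msg = message_from_bytes(smtp_data)
    value = msg.get("X-Mailer")
    return value is not None and value.strip() == MALICIOUS_XMAILER


def scan(smtp_data: bytes) -> dict:
    """Return both verdicts so the difference between them is visible."""
    return {"raw": raw_payload_match(smtp_data), "parsed": header_match(smtp_data)}


# Constructed sample 1: header spelled exactly as seen in the post.
SAMPLE_LOWER = (
    b"From: sender@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: Wire transfer\r\n"
    b"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer\r\n"
    b"\r\n"
    b"See attached.\r\n"
)

# Constructed sample 2: same header, different capitalisation of the field name.
SAMPLE_UPPER = SAMPLE_LOWER.replace(b"X-mailer:", b"X-Mailer:")

# Constructed sample 3: benign mailer, should trigger nothing.
SAMPLE_BENIGN = SAMPLE_LOWER.replace(
    b"Synapse - Pascal TCP/IP library by Lukas Gebauer", b"ExampleMail 1.0"
)

if __name__ == "__main__":
    for name, data in [("lower", SAMPLE_LOWER), ("upper", SAMPLE_UPPER), ("benign", SAMPLE_BENIGN)]:
        print(name, scan(data))
```

If the case variant matters in your environment, the Snort-side equivalent is adding nocase to the content match (at the cost of a slightly more expensive pattern); the parsed check above is what a mail-gateway or log-based detection would do instead.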
Current thread:
- Dridex/Kryptik Pascal Library X-Mailer sig James Lay (May 21)
- Re: Dridex/Kryptik Pascal Library X-Mailer sig Matthew Mickel (May 26)
- Re: Dridex/Kryptik Pascal Library X-Mailer sig Matt Mickel (Jun 19)