Snort mailing list archives

Re: Win.Trojan.Revenge RAT


From: Phillip Lee <phillile () sourcefire com>
Date: Thu, 22 Mar 2018 10:01:34 -0400

Dear Yaser,

This rule has been reviewed and added to the community ruleset (SID: 45961-45962).  The only modifications made were:
1. First rule - fast_pattern:only content match longer
2. Second rule - remove 'dsize<12'

Thank you for your contribution.  

Sincerely,
Phil Lee
Cisco Talos

On Feb 20, 2018, at 8:21 AM, Y M <snort () outlook com> wrote:

Hi Phillip,

The pcap is attached. Archive password is infected.

Thanks. Have a good day
Yaser

From: Phillip Lee <phillile () sourcefire com>
Sent: Tuesday, February 20, 2018 3:15:12 PM
To: Y M
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Win.Trojan.Revenge RAT
 
Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Can you send along the pcaps that you have? 

Regards,
Phil Lee
Cisco Talos

On Feb 20, 2018, at 3:24 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

The below rules are for detecting the revenge rat. Pcaps for the below hashes are available.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT outbound connection"; flow:to_server,established; content:"Information"; depth:11; content:"|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:9000039; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT inbound connection attempt"; flow:to_client,established; dsize:<12; content:"PNC|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:9000040; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

<revengerat_cnc.zip>

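Added example, not part of this thread and not Snort or Talos code: a small stand-alone Python re-implementation of the content matching performed by the two submitted rules, run over constructed payloads. It models only the keywords the rules use (content with |hex| escapes, depth, dsize) and shows what the submitted 'dsize:<12' on the inbound rule does to a payload of 12 bytes or more. The sample payloads are made up for illustration; they are not taken from the attached pcap.

```python
from typing import Optional


def parse_content(spec: str) -> bytes:
    """Expand a Snort content string: text outside |...| is literal,
    text inside |...| is space-separated hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes.fromhex(chunk)
    return bytes(out)


# Patterns exactly as written in the submitted rules.
INFORMATION = parse_content("Information")                # b"Information"
RAT_MARKER = parse_content("|2A 2D 5D|NK|5B 2D 2A|")      # b"*-]NK[-*"
PNC_MARKER = parse_content("PNC|2A 2D 5D|NK|5B 2D 2A|")   # b"PNC*-]NK[-*"


def content_in(payload: bytes, pattern: bytes, depth: Optional[int] = None) -> bool:
    """content:"..."; depth:N  ->  the whole pattern must lie within the first N bytes.
    Without depth the pattern may occur anywhere in the payload."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


def outbound_rule(payload: bytes) -> bool:
    """sid:9000039 as submitted: "Information" within depth 11 (so at offset 0,
    since the string is itself 11 bytes long), then the *-]NK[-* marker anywhere."""
    return content_in(payload, INFORMATION, depth=11) and content_in(payload, RAT_MARKER)


def inbound_rule(payload: bytes, dsize_lt: Optional[int] = 12) -> bool:
    """sid:9000040.  dsize_lt=12 reproduces the submitted 'dsize:<12';
    dsize_lt=None reproduces the rule with that size check removed."""
    if dsize_lt is not None and not len(payload) < dsize_lt:
        return False
    return content_in(payload, PNC_MARKER)


# Constructed sample payloads (assumed for the example, not real RAT traffic).
OUT_HIT = b"Information*-]NK[-*WORKSTATION-1"    # keyword at offset 0, marker follows
OUT_MISS = b"xInformation*-]NK[-*WORKSTATION-1"  # keyword pushed past depth 11
IN_SHORT = b"PNC*-]NK[-*"                        # 11 bytes: satisfies dsize:<12
IN_LONG = b"PNC*-]NK[-*1"                        # 12 bytes: fails dsize:<12


def demo() -> dict:
    """Evaluate each constructed payload against the rule logic."""
    return {
        "outbound_hit": outbound_rule(OUT_HIT),
        "outbound_depth_miss": outbound_rule(OUT_MISS),
        "inbound_short": inbound_rule(IN_SHORT),
        "inbound_long_with_dsize": inbound_rule(IN_LONG),
        "inbound_long_without_dsize": inbound_rule(IN_LONG, dsize_lt=None),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name}: {fired}")
```

The two inbound results on the 12-byte payload show the effect of the second modification listed in the reply: with 'dsize:<12' in place the marker is found but the rule does not fire, and without it the same payload fires. Note that this script only mirrors the content, depth and dsize semantics; fast_pattern affects which content Snort hands to its multi-pattern matcher first, which does not change what a rule matches and so is not modelled here.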
