Snort mailing list archives

Additional rules for detecting Emotet - Trickbot - IcedID banking malware


From: Lenny Hansson <lenny () netcowboy dk>
Date: Thu, 28 Jun 2018 07:43:04 +0200

Hi all
I have made some additional rules for detecting Emotet - Trickbot -
IcedID banking malware.

If you like them then feel free to use them. If you find false positives
please let me know.

(Trickbot Banking Malware - Network Collector Module)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Trickbot Banking Malware - Network Collector Module - No alert"; flow:to_server,established; content:"User-Agent|3A 20|test"; nocase; flowbits:set,NF-trickbot; flowbits:noalert; reference:url,networkforensic.dk; metadata:26062018; classtype:trojan-activity; sid:5025901; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Trickbot Banking Malware - Network Collector Module"; flow:to_server,established; content:"|2d 2d|Arasfjasu7"; fast_pattern; nocase; content:"|3d 22|proclist|22|"; content:"|3d 22|sysinfo|22|"; flowbits:isset,NF-trickbot; reference:url,networkforensic.dk; metadata:26062018; classtype:trojan-activity; sid:5025902; rev:1;)

(Emotet Banking Malware - whoami lookups)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Emotet Banking Malware - whoami - No Alert"; flow:to_server,established; content:"/whoami.php"; depth:15; fast_pattern; content:"Cache|2d|Control|3a 20|no|2d|cache"; flowbits:set,NF-twhoami; flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025903; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NF - Emotet Banking Malware - whoami lookup"; flow:to_client,established; content:"|32 30 30 20 4f 4b|"; fast_pattern; content:"Connection|3a 20|keep|2d|alive"; flowbits:isset,NF-twhoami; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025904; rev:1;)

(Emotet Banking Malware - IcedID payload download)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - Emotet Banking Malware - IcedID payload download - No alert"; flow:to_server,established; content:"GET"; depth:3; http_method; pcre:"/\/[a-zA-Z0-9]{4,10}\//iU"; content:"Connection|3a 20|Keep|2d|Alive"; nocase; flowbits:set,NF-IcedID; flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025905; rev:1;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Emotet Banking Malware - IcedID payload download"; flow:from_server,established; content:"200"; http_stat_code; content:"Cache|2d|Control|3a 20|no|2d|cache|2c 20|no|2d|store|2c 20|max|2d|age|3d|0|2c 20|must|2d|revalidate"; nocase; fast_pattern; content:"Content|2d|Disposition|3a 20|attachment|3b 20|"; pcre:"/filename=\"[a-zA-Z0-9]{4,6}\.exe\"/"; flowbits:isset,NF-IcedID; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025906; rev:1;)


- -- 
Best Regards
Lenny Hansson
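
A pre-deployment check for rule pairs like the ones above, as an added example that is not part of the original post: each detection relies on a noalert rule setting a flowbit that a second rule tests, so a missing or mis-joined rule silently disables the alert. The Python below re-joins hard-wrapped rules and reports duplicate sids and unpaired flowbits; `unwrap`, `lint`, the flowbit `NF-missing` and sid 9000001 are hypothetical names and values made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the whoami pair from the post (reference/metadata options omitted),
# hard-wrapped as mailed, plus a hypothetical rule (sid 9000001) testing an unset flowbit.
SAMPLE = """alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Emotet Banking
Malware - whoami - No Alert"; flow:to_server,established;
content:"/whoami.php"; depth:15; fast_pattern;
content:"Cache|2d|Control|3a 20|no|2d|cache"; flowbits:set,NF-twhoami;
flowbits:noalert; classtype:trojan-activity; sid:5025903; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NF - Emotet Banking
Malware - whoami lookup"; flow:to_client,established; content:"|32 30 30
20 4f 4b|"; fast_pattern; content:"Connection|3a 20|keep|2d|alive";
flowbits:isset,NF-twhoami; classtype:trojan-activity; sid:5025904; rev:1;)

alert tcp any any -> any any (msg:"hypothetical orphan";
flowbits:isset,NF-missing; sid:9000001; rev:1;)
"""

ACTIONS = ("alert ", "log ", "pass ", "drop ", "reject ", "sdrop ")
def unwrap(text):
    """Rebuild one rule per string from blank-line-separated, hard-wrapped text."""
    chunks = (" ".join(l.strip() for l in c.splitlines()) for c in re.split(r"\n\s*\n", text))
    return [c for c in chunks if c.startswith(ACTIONS)]

def lint(rules):
    """Report duplicate sids and flowbits that are tested but never set, or the reverse."""
    findings, seen, setters, readers = [], set(), defaultdict(list), defaultdict(list)
    for rule in rules:
        opts = re.sub(r'"(?:\\.|[^"\\])*"', '""', rule)  # ignore text inside quoted strings
        sid = int(re.search(r"\bsid:\s*(\d+)", opts).group(1))
        if sid in seen:
            findings.append(f"sid {sid}: duplicate sid")
        seen.add(sid)
        for op, name in re.findall(r"flowbits:\s*(\w+)\s*,\s*([\w.\-]+)", opts):
            if op in ("set", "toggle"):
                setters[name].append(sid)
            elif op in ("isset", "isnotset"):
                readers[name].append(sid)
    for name, sids in readers.items():
        if name not in setters:
            findings += [f"sid {s}: flowbit '{name}' is tested but never set" for s in sids]
    for name, sids in setters.items():
        if name not in readers:
            findings += [f"sid {s}: flowbit '{name}' is set but never tested" for s in sids]
    return findings

print("\n".join(lint(unwrap(SAMPLE))))
```

A wrap that fell on a space inside a quoted content string is restored as a single space, so compare the re-joined rule against the sender's copy when a pattern contains literal spaces.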
