Snort mailing list archives
Additional rules for detecting Emotet - Trickbot - IcedID banking malware
From: Lenny Hansson <lenny () netcowboy dk>
Date: Thu, 28 Jun 2018 07:43:04 +0200
Hi all,

I have made some additional rules for detecting Emotet - Trickbot - IcedID banking malware. If you like them then feel free to use them. If you find false positives please let me know.

(Trickbot Banking Malware - Network Collector Module)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Trickbot Banking Malware - Network Collector Module - No alert"; flow:to_server,established; content:"User-Agent|3A 20|test"; nocase; flowbits:set,NF-trickbot; flowbits:noalert; reference:url,networkforensic.dk; metadata:26062018; classtype:trojan-activity; sid:5025901; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Trickbot Banking Malware - Network Collector Module"; flow:to_server,established; content:"|2d 2d|Arasfjasu7"; fast_pattern; nocase; content:"|3d 22|proclist|22|"; content:"|3d 22|sysinfo|22|"; flowbits:isset,NF-trickbot; reference:url,networkforensic.dk; metadata:26062018; classtype:trojan-activity; sid:5025902; rev:1;)

(Emotet Banking Malware - whoami lookups)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Emotet Banking Malware - whoami - No Alert"; flow:to_server,established; content:"/whoami.php"; depth:15; fast_pattern; content:"Cache|2d|Control|3a 20|no|2d|cache"; flowbits:set,NF-twhoami; flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025903; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NF - Emotet Banking Malware - whoami lookup"; flow:to_client,established; content:"|32 30 30 20 4f 4b|"; fast_pattern; content:"Connection|3a 20|keep|2d|alive"; flowbits:isset,NF-twhoami; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025904; rev:1;)

(Emotet Banking Malware - IcedID payload download)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - Emotet Banking Malware - IcedID payload download - No alert"; flow:to_server,established; content:"GET"; depth:3; http_method; pcre:"/\/[a-zA-Z0-9]{4,10}\//iU"; content:"Connection|3a 20|Keep|2d|Alive"; nocase; flowbits:set,NF-IcedID; flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025905; rev:1;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Emotet Banking Malware - IcedID payload download"; flow:from_server,established; content:"200"; http_stat_code; content:"Cache|2d|Control|3a 20|no|2d|cache|2c 20|no|2d|store|2c 20|max|2d|age|3d|0|2c 20|must|2d|revalidate"; nocase; fast_pattern; content:"Content|2d|Disposition|3a 20|attachment|3b 20|"; pcre:"/filename=\"[a-zA-Z0-9]{4,6}\.exe\"/"; flowbits:isset,NF-IcedID; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025906; rev:1;)

Best Regards
Lenny Hansson
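The flowbits pairing in the IcedID rules above (a request-side rule that sets NF-IcedID with noalert, and a response-side rule that alerts only when that bit is already set on the same session) is what keeps a generic "200 OK with an attachment" response from firing on its own. The following Python is an added example, not code from the post or from the Snort project: it re-implements the conditions of sid 5025905 and sid 5025906 as plain functions over constructed HTTP messages (the host name, addresses and file names are placeholders made up for the example) and keeps per-flow bits the way flowbits does, so that a matching download response on a session that never sent the matching request raises nothing.

```python
import re

# Constructed sample HTTP messages (not captured traffic). Host, addresses
# and file names are placeholders chosen for the example.
REQUEST = (
    b"GET /Xk9fQ2/ HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
RESPONSE_EXE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    b"Content-Disposition: attachment; filename=\"a1b2c.exe\"\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"MZ\x90\x00"
)
RESPONSE_PDF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    b"Content-Disposition: attachment; filename=\"brief.pdf\"\r\n"
    b"Content-Type: application/pdf\r\n\r\n"
    b"%PDF-1.4"
)

# Flow keys (client ip, client port, server ip, server port). One key is
# shared by both directions of a session, because flowbits are per session.
FLOW_A = ("10.0.0.5", 49152, "203.0.113.9", 80)
FLOW_B = ("10.0.0.6", 49153, "203.0.113.9", 80)

BIT = "NF-IcedID"
ALERT_MSG = "NF - Emotet Banking Malware - IcedID payload download"

# pcre:"/\/[a-zA-Z0-9]{4,10}\//iU" applied to the request URI
URI_RE = re.compile(rb"/[a-zA-Z0-9]{4,10}/", re.I)
# Content-Disposition filename check; the dot is escaped so ".exe" is literal.
FILENAME_RE = re.compile(rb'filename="[a-zA-Z0-9]{4,6}\.exe"')
CACHE_CONTROL = b"cache-control: no-cache, no-store, max-age=0, must-revalidate"


def split_message(payload: bytes):
    """Return (start-line tokens, raw header block) for a minimal HTTP message."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    start, _, headers = head.partition(b"\r\n")
    return start.split(b" "), headers


def request_matches(payload: bytes) -> bool:
    """Conditions of sid 5025905: GET, a short alphanumeric directory in the
    URI, and a Connection: Keep-Alive header (case-insensitive)."""
    start, headers = split_message(payload)
    if len(start) < 2 or start[0] != b"GET":
        return False
    if not URI_RE.search(start[1]):
        return False
    return b"connection: keep-alive" in headers.lower()


def response_matches(payload: bytes) -> bool:
    """Conditions of sid 5025906: status 200, the exact Cache-Control value
    (case-insensitive), an attachment disposition and a 4-6 character .exe name."""
    start, headers = split_message(payload)
    if len(start) < 2 or start[1] != b"200":
        return False
    if CACHE_CONTROL not in headers.lower():
        return False
    if b"Content-Disposition: attachment; " not in headers:
        return False
    return FILENAME_RE.search(headers) is not None


class FlowbitsModel:
    """Per-flow bit store mirroring flowbits:set / flowbits:isset / noalert."""

    def __init__(self):
        self.bits = {}  # flow key -> set of bit names

    def inspect(self, flow, to_server: bool, payload: bytes):
        """Return the alerts raised for one packet (a list of msg strings)."""
        alerts = []
        if to_server and request_matches(payload):
            # flowbits:set,NF-IcedID; flowbits:noalert; -> remember, stay quiet
            self.bits.setdefault(flow, set()).add(BIT)
        elif not to_server and response_matches(payload):
            # flowbits:isset,NF-IcedID; -> alert only if the request was seen
            if BIT in self.bits.get(flow, set()):
                alerts.append(ALERT_MSG)
        return alerts


def run_demo():
    """Drive the model with the constructed traffic and collect the outcome."""
    ids = FlowbitsModel()
    return {
        "flow_a_request": ids.inspect(FLOW_A, True, REQUEST),
        "flow_a_exe_response": ids.inspect(FLOW_A, False, RESPONSE_EXE),
        "flow_a_pdf_response": ids.inspect(FLOW_A, False, RESPONSE_PDF),
        "flow_b_exe_without_request": ids.inspect(FLOW_B, False, RESPONSE_EXE),
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(f"{name}: {alerts or 'no alert'}")
```

The model deliberately parses only the start line and header block and applies no http_inspect normalization, so it reproduces the rule logic rather than Snort's buffer handling. The filename pattern escapes the dot; without the backslash the rule's pcre would accept any character in that position, not just a literal period.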