Snort mailing list archives

SID:23262


From: James Lay via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 20 Dec 2018 14:21:24 -0700

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"|DE AD BE EF|"; depth:4; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=19d0af98ba20411191ba51a0144485cc; classtype:trojan-activity; sid:23262; rev:7;)

Hit:
12/20-19:12:09.783919  [**] [1:23262:7] MALWARE-CNC Win.Trojan.Banker variant outbound connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.x:58410 -> 146.112.61.110:80

Looks like this could use some TLC... granted, the iPhone app is rubbish:


User-Agent: Huuuge%20Casino/3.7.1181 CFNetwork/975.0.3 Darwin/18.2.0 

And interesting that it does indeed match DE AD BE EF; however, I don't
think it's the below:

https://www.virustotal.com/#/file/fc198781ea61490878a80ab2bf1e6067e1e2a4c2f21e0717a6b4e473b3e5e0c7/detection


GETs and POSTs to: 
http://hbi-ingest[.]net/pcfK6gOAtE2kWQOL 

Thank you. 

James 

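Added example (editor's note, not code from James's post or from the Snort/Talos ruleset): a small Python emulation of the two payload options that decide whether SID 23262 fires, content:"POST"; http_method; and content:"|DE AD BE EF|"; depth:4; http_client_body;, run over constructed HTTP requests. Direction, $HOME_NET/$EXTERNAL_NET, $HTTP_PORTS and flow:to_server are assumed to be satisfied; the User-Agent string and the defanged host come from the post, the request bodies and the request path usage are made up for the example.

```python
"""Toy re-implementation of the payload checks in Snort SID 23262.

Added example; this is not code from the original post or from the
Snort/Talos ruleset.  It models only the detection options that decide
the match on the HTTP request itself:

    content:"POST"; http_method;
    content:"|DE AD BE EF|"; depth:4; fast_pattern; http_client_body;

Direction, $HOME_NET/$EXTERNAL_NET, $HTTP_PORTS and flow:to_server are
assumed satisfied.  All sample requests are constructed for the example;
only the User-Agent and the (defanged) host come from the post.
"""

MAGIC = bytes.fromhex("DEADBEEF")   # content:"|DE AD BE EF|"
DEPTH = 4                           # depth:4 -> match must lie within body[0:4]


def parse_http_request(raw: bytes):
    """Return (method, headers, body) for a raw HTTP/1.x request.

    Header names are lower-cased.  The body is everything after the blank
    line, which is what Snort exposes as the http_client_body buffer for a
    non-chunked request.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end-of-headers marker")
    request_line, *header_lines = head.split(b"\r\n")
    method = request_line.split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("latin-1")
    return method, headers, body


def explain_sid_23262(raw: bytes) -> str:
    """Evaluate the rule's content options; return 'alert' or why it missed."""
    method, _headers, body = parse_http_request(raw)
    if method != "POST":                       # content:"POST"; http_method; (no nocase)
        return f"no match: http_method is {method}, rule needs POST"
    # depth:4 limits the search to the first 4 bytes of the client body, so a
    # 4-byte pattern can only ever match at offset 0 of the body.
    if MAGIC not in body[:DEPTH]:
        return f"no match: DE AD BE EF not within first {DEPTH} body bytes"
    return "alert"


def sid_23262_matches(raw: bytes) -> bool:
    return explain_sid_23262(raw) == "alert"


# --- constructed samples (no real traffic is sent or captured) -------------
UA = "Huuuge%20Casino/3.7.1181 CFNetwork/975.0.3 Darwin/18.2.0"   # from the post
HOST = "hbi-ingest[.]net"   # defanged exactly as in the post; never resolved


def build_request(method: str, body: bytes) -> bytes:
    """Assemble a minimal HTTP/1.1 request with the given method and body."""
    head = (
        f"{method} /pcfK6gOAtE2kWQOL HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        f"User-Agent: {UA}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


SAMPLES = {
    # body beginning with the 0xDEADBEEF magic: the shape that trips SID 23262
    "casino_post":   build_request("POST", MAGIC + b"\x00\x10" + b"A" * 16),
    # identical bytes sent with GET: the http_method check fails
    "casino_get":    build_request("GET",  MAGIC + b"\x00\x10" + b"A" * 16),
    # magic present but at offset 1: outside depth:4
    "shifted_magic": build_request("POST", b"\x00" + MAGIC + b"A" * 16),
    # an ordinary JSON body from the same client
    "json_post":     build_request("POST", b'{"event":"spin","bet":50}'),
}


def run_samples() -> dict:
    """Map each constructed sample name to the rule's verdict."""
    return {name: explain_sid_23262(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} {verdict}")
```

Running it shows only casino_post alerting. Because the depth equals the pattern length, the rule fires on any outbound POST whose body begins with the four bytes DE AD BE EF, a value that non-malicious binary protocols also use as a magic number, which is consistent with the false positive James reports from the casino app; a tighter revision would need additional content specific to the trojan's beacon, which this post does not provide.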

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
