Snort mailing list archives
SID:23262
From: James Lay via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 20 Dec 2018 14:21:24 -0700
Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"|DE AD BE EF|"; depth:4; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=19d0af98ba20411191ba51a0144485cc [1]; classtype:trojan-activity; sid:23262; rev:7;)

Hit:

12/20-19:12:09.783919 [**] [1:23262:7] MALWARE-CNC Win.Trojan.Banker variant outbound connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.x:58410 -> 146.112.61.110:80

Looks like this could use some TLC... granted, the iPhone app is rubbish:

User-Agent: Huuuge%20Casino/3.7.1181 CFNetwork/975.0.3 Darwin/18.2.0

and interesting that indeed it does match de ad be ef, however I don't think it's the below:

https://www.virustotal.com/#/file/fc198781ea61490878a80ab2bf1e6067e1e2a4c2f21e0717a6b4e473b3e5e0c7/detection

GETs and POSTs to:

http://hbi-ingest[.]net/pcfK6gOAtE2kWQOL

Thank you.

James

Links:
------
[1] http://www.threatexpert.com/report.aspx?md5=19d0af98ba20411191ba51a0144485cc
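To show why SID 23262 fires on the casino app traffic above, here is an added example (not part of James Lay's post and not Snort's own matcher) that reduces the rule to its two content checks, POST as the HTTP method and DE AD BE EF within the first 4 bytes of the client body (depth:4), and runs them over constructed requests; the hostname example.invalid and the sample bodies are made up.

```python
from typing import Optional

PATTERN = bytes.fromhex("DEADBEEF")  # content:"|DE AD BE EF|"
DEPTH = 4                            # depth:4 -> only the first 4 body bytes are searched


def parse_request(raw: bytes) -> Optional[dict]:
    """Minimal HTTP/1.x request splitter: method, headers, body. None if no header/body break."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("utf-8", "replace")
    return {"method": method, "headers": headers, "body": body}


def sid_23262_matches(raw: bytes) -> bool:
    """True when the rule's content checks would fire on this request."""
    req = parse_request(raw)
    if req is None or req["method"] != "POST":   # content:"POST"; http_method
        return False
    return PATTERN in req["body"][:DEPTH]          # http_client_body; depth:4


# Constructed samples, not captured traffic. The first mimics the report: a POST from the
# Huuuge Casino iOS client whose body starts with DE AD BE EF, which is all the rule needs.
SAMPLES = {
    "huuuge_post": (b"POST /pcfK6gOAtE2kWQOL HTTP/1.1\r\nHost: example.invalid\r\n"
                    b"User-Agent: Huuuge%20Casino/3.7.1181 CFNetwork/975.0.3 Darwin/18.2.0\r\n"
                    b"Content-Length: 8\r\n\r\n" + PATTERN + b"\x00\x01\x02\x03"),
    "get_same_body": b"GET /pcfK6gOAtE2kWQOL HTTP/1.1\r\nHost: example.invalid\r\n\r\n" + PATTERN,
    "post_pattern_late": (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                          b"\x00\x00" + PATTERN),   # pattern at offset 2, outside depth:4
}


def evaluate_samples() -> dict:
    """Map each sample name to whether SID 23262 would alert on it."""
    return {name: sid_23262_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} -> {'ALERT' if hit else 'no alert'}")
```

The only sample that alerts is the POST whose body begins with the four magic bytes; nothing in the rule ties the match to the banker's protocol, which is why a benign app using the same leading bytes triggers it.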