Snort mailing list archives
Dridex sig
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 17 Jun 2015 08:49:36 -0600
Meh...keep seeing this base64-encoded WScript, so here's a sig:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Dridex WScript Download"; flow:established,to_server; content:"|2f|89172387|2e|txt"; http_uri; fast_pattern:only; reference:url,malwr.com/analysis/MGRmZmFmNjk1MTNlNDNhN2IwYzEyODFlNWY0ZDAxYmM; classtype:trojan-activity; sid:10000161; rev:1;)

If you see this hit, someone on your network has just opened a Dridex Word doc in an email. Sanity checked only.

James

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
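The rule above keys on a single `content` match restricted to the `http_uri` buffer, with the slash and dot written as pipe-delimited hex. The following script is an added example, not James's code and not part of the Snort project: it decodes Snort's `|hex|` content notation into bytes, extracts the request-URI from a raw HTTP request (an assumed, simplified stand-in for Snort's normalized `http_uri` buffer; real Snort also applies URI normalization), and runs the match over three constructed sample requests. The third sample carries the string only in the POST body, which shows why the `http_uri` modifier keeps the rule from firing on body content.

```python
import re

# Content string copied from the posted rule: |2f| = '/', |2e| = '.'
RULE_CONTENT = "|2f|89172387|2e|txt"


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string.

    Text outside pipes is literal; text inside |...| is hex bytes.
    Example: "|2f|abc|2e|txt" -> b"/abc.txt"
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")      # literal segment
        else:
            out += bytes.fromhex(part)         # hex segment between pipes
    return bytes(out)


def request_uri(request: bytes) -> bytes:
    """Return the request-URI from the request line of a raw HTTP request.

    Assumed simplification of Snort's http_uri buffer: no URI normalization,
    just the second token of the first line.
    """
    first_line = request.split(b"\r\n", 1)[0]
    fields = first_line.split(b" ")
    if len(fields) < 2:
        return b""
    return fields[1]


def rule_matches(request: bytes, content: str = RULE_CONTENT) -> bool:
    """True when the decoded content appears in the request-URI (http_uri semantics)."""
    return snort_content_to_bytes(content) in request_uri(request)


# Constructed sample requests for illustration; not real captures.
SAMPLES = {
    "dridex_like": b"GET /89172387.txt HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # String present only in the body: http_uri would not see it.
    "in_body_only": (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"Content-Length: 13\r\n\r\n/89172387.txt"),
}


def evaluate_samples() -> dict:
    """Run the rule's content match over every constructed sample."""
    return {name: rule_matches(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    print("decoded content:", snort_content_to_bytes(RULE_CONTENT))
    for name, hit in evaluate_samples().items():
        print(f"{name:14s} -> {'ALERT' if hit else 'no match'}")
```

Only `dridex_like` should fire. Because `fast_pattern:only` tells Snort to use this content solely in the fast-pattern matcher, the whole rule is effectively this one URI substring, so the decoded bytes above are exactly what has to appear in the URI for the alert to trigger.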
Current thread:
- Dridex sig James Lay (Jun 17)
- Re: [Emerging-Sigs] Dridex sig Joseph Feather (Jun 18)
- Re: [Emerging-Sigs] Dridex sig James Lay (Jun 17)
- Re: [Emerging-Sigs] Dridex sig Joseph Feather (Jun 18)