Snort mailing list archives
Re: Additional rules for detecting Emotet - Trickbot - IcedID banking malware
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Tue, 3 Jul 2018 12:05:07 -0400
On Thu, Jun 28, 2018 at 1:43 AM, Lenny Hansson <lenny () netcowboy dk> wrote:
Hi all

I have made some additional rules for detecting Emotet - Trickbot - IcedID banking malware. If you like them then feel free to use them. If you find false positives please let me know.

(Trickbot Banking Malware - Network Collector Module)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Trickbot Banking Malware - Network Collector Module - No alert"; flow:to_server,established; content:"User-Agent|3A 20|test"; nocase; flowbits:set,NF-trickbot; flowbits:noalert; reference:url,networkforensic.dk; metadata:26062018; classtype:trojan-activity; sid:5025901; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Trickbot Banking Malware - Network Collector Module"; flow:to_server,established; content:"|2d 2d|Arasfjasu7"; fast_pattern; nocase; content:"|3d 22|proclist|22|"; content:"|3d 22|sysinfo|22|"; flowbits:isset,NF-trickbot; reference:url,networkforensic.dk; metadata:26062018; classtype:trojan-activity; sid:5025902; rev:1;)

(Emotet Banking Malware - whoami lookups)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Emotet Banking Malware - whoami - No Alert"; flow:to_server,established; content:"/whoami.php"; depth:15; fast_pattern; content:"Cache|2d|Control|3a 20|no|2d|cache"; flowbits:set,NF-twhoami; flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025903; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NF - Emotet Banking Malware - whoami lookup"; flow:to_client,established; content:"|32 30 30 20 4f 4b|"; fast_pattern; content:"Connection|3a 20|keep|2d|alive"; flowbits:isset,NF-twhoami; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025904; rev:1;)

(Emotet Banking Malware - IcedID payload download)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - Emotet Banking Malware - IcedID payload download - No alert"; flow:to_server,established; content:"GET"; depth:3; http_method; pcre:"/\/[a-zA-Z0-9]{4,10}\//iU"; content:"Connection|3a 20|Keep|2d|Alive"; nocase; flowbits:set,NF-IcedID; flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025905; rev:1;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Emotet Banking Malware - IcedID payload download"; flow:from_server,established; content:"200"; http_stat_code; content:"Cache|2d|Control|3a 20|no|2d|cache|2c 20|no|2d|store|2c 20|max|2d|age|3d|0|2c 20|must|2d|revalidate"; nocase; fast_pattern; content:"Content|2d|Disposition|3a 20|attachment|3b 20|"; pcre:"/filename=\"[a-zA-Z0-9]{4,6}\.exe\"/"; flowbits:isset,NF-IcedID; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025906; rev:1;)

-- 
Best Regards
Lenny Hansson
Hi Lenny,

Thanks for these submissions. We will review each of them and get back to you when finished.

-- 
Marcos Rodriguez
Cisco Talos
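The submitted rules rely on two Snort features that are easy to get subtly wrong: option keywords are matched case-sensitively, and a `flowbits:isset` check only ever fires if some other rule sets the same bit earlier in the flow. The following is an added example, written for this page and not part of Lenny's submission or of Snort itself: a small Python linter that parses Snort 2 rule lines and reports miscased or unknown option keywords, duplicate sids, flowbits that are checked but never set (or set but never checked), and an unescaped `.` inside a `pcre` body. The keyword list is a subset I chose that covers the options used in the post; Snort accepts many more. The sample rules are adapted from the post and deliberately contain three problems so the checks fire: a `Content:` keyword with a capital C, a `.exe` written without a backslash, and the `NF-trickbot` checker rule without its setter.

```python
"""Added example (not from the post or from Snort): a small linter for Snort 2
rule text (keyword case, sid uniqueness, flowbits pairing, pcre '.' escaping)."""
import re
from collections import defaultdict

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)$', re.S)

# Subset of Snort 2 option keywords (assumption: enough for the rules in the post).
# Snort matches keywords case-sensitively, so "Content:" is a parse error.
KNOWN = {'msg', 'flow', 'content', 'nocase', 'fast_pattern', 'depth', 'offset',
         'distance', 'within', 'http_method', 'http_uri', 'http_stat_code',
         'pcre', 'flowbits', 'reference', 'metadata', 'classtype', 'sid', 'rev'}

def split_options(body):
    """Split the option body on ';' outside double quotes, honouring backslashes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == '\\':
            cur.append(ch); escaped = True
        elif ch == '"':
            cur.append(ch); in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        opts.append(''.join(cur).strip())
    parsed = []
    for opt in opts:
        key, sep, val = opt.partition(':')          # "keyword" or "keyword:value"
        parsed.append((key.strip(), val.strip() if sep else None))
    return parsed

def unescaped_dots(regex):
    """Count '.' metacharacters that are neither escaped nor inside [...]."""
    count, escaped, in_class = 0, False, False
    for ch in regex:
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '[':
            in_class = True
        elif ch == ']':
            in_class = False
        elif ch == '.' and not in_class:
            count += 1
    return count

def lint(rules_text):
    """Return a list of findings for a block of rules, one rule per line."""
    findings, seen, sets, issets = [], {}, defaultdict(list), defaultdict(list)
    lines = [ln for ln in rules_text.splitlines() if ln.strip() and not ln.lstrip().startswith('#')]
    for idx, line in enumerate(lines, 1):
        m = HEADER_RE.match(line.strip())
        if not m:
            findings.append(f'rule {idx}: unparseable rule header'); continue
        opts = split_options(m.group('body'))
        kv = dict(opts)
        sid = kv.get('sid', f'#{idx}')
        tag = f'sid:{sid}'
        for kw, val in opts:
            if kw not in KNOWN:
                hint = ' (keywords are case-sensitive)' if kw.lower() in KNOWN else ''
                findings.append(f'{tag}: unknown option keyword {kw!r}{hint}')
            elif kw == 'pcre' and val:
                pattern = val.strip('"').rsplit('/', 1)[0]   # drop trailing modifiers
                if unescaped_dots(pattern):
                    findings.append(f"{tag}: pcre {val} has an unescaped '.' (matches any byte)")
            elif kw == 'flowbits' and val:
                op, _, name = val.partition(',')        # set,NAME / isset,NAME / noalert
                if op == 'set':
                    sets[name].append(sid)
                elif op == 'isset':
                    issets[name].append(sid)
        if sid in seen:
            findings.append(f'{tag}: duplicate sid (also rule {seen[sid]})')
        seen[sid] = idx
    for name in issets:
        if name not in sets:
            findings.append(f'flowbits {name}: checked with isset in {issets[name]} but never set')
    for name in sets:
        if name not in issets:
            findings.append(f'flowbits {name}: set in {sets[name]} but never checked')
    return findings

# Sample rules adapted from the post (constructed input): 5025905 has a miscased
# "Content:", 5025906 an unescaped ".exe", and 5025902's setter rule is omitted.
SAMPLE_RULES = r"""
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Emotet Banking Malware - whoami - No Alert"; flow:to_server,established; content:"/whoami.php"; depth:15; fast_pattern; content:"Cache|2d|Control|3a 20|no|2d|cache"; flowbits:set,NF-twhoami; flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025903; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NF - Emotet Banking Malware - whoami lookup"; flow:to_client,established; content:"|32 30 30 20 4f 4b|"; fast_pattern; content:"Connection|3a 20|keep|2d|alive"; flowbits:isset,NF-twhoami; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025904; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - Emotet Banking Malware - IcedID payload download - No alert"; flow:to_server,established; content:"GET"; depth:3; http_method; pcre:"/\/[a-zA-Z0-9]{4,10}\//iU"; Content:"Connection|3a 20|Keep|2d|Alive"; nocase; flowbits:set,NF-IcedID; flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025905; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Emotet Banking Malware - IcedID payload download"; flow:from_server,established; content:"200"; http_stat_code; content:"Cache|2d|Control|3a 20|no|2d|cache|2c 20|no|2d|store|2c 20|max|2d|age|3d|0|2c 20|must|2d|revalidate"; nocase; fast_pattern; content:"Content|2d|Disposition|3a 20|attachment|3b 20|"; pcre:"/filename=\"[a-zA-Z0-9]{4,6}.exe\"/"; flowbits:isset,NF-IcedID; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025906; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Trickbot Banking Malware - Network Collector Module"; flow:to_server,established; content:"|2d 2d|Arasfjasu7"; fast_pattern; nocase; content:"|3d 22|proclist|22|"; content:"|3d 22|sysinfo|22|"; flowbits:isset,NF-trickbot; reference:url,networkforensic.dk; metadata:26062018; classtype:trojan-activity; sid:5025902; rev:1;)
"""

if __name__ == '__main__':
    for finding in lint(SAMPLE_RULES):
        print(finding)
```

Run against the sample the linter reports exactly three findings: the miscased keyword in 5025905, the unescaped dot in 5025906, and `NF-trickbot` being checked but never set. The last one is the quiet failure mode of the noalert/isset pattern: a checker rule whose setter is missing (or was disabled as noisy) loads without complaint and simply never alerts, so pairing checks belong in whatever pipeline deploys rule updates.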