Snort mailing list archives
Re: Multiple signatures 016
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Thu, 25 Oct 2018 13:43:18 -0400
On Thu, Oct 25, 2018 at 11:32 AM Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi,

Hope all sig makers are doing great today. Pcaps and Yara/ClamAV signatures are available for all of the cases below. Thank you.

# --------------------
# Date: 2018-10-06
# Title: ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)
# Reference: Triage from: https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/
# Tests: pcap
# Yara:
# - TOOL_PWS_LaZagne
# ClamAV:
# - TOOL.PWS.LaZagne
# Hashes:
# - cb197616e12daff971b86544eb06554583e95b137b69a4b7cbe83c7de2a38948
# - 29eadfb89fa2af7567f34b20778c1dc2a1be2f5b8aa84f642da0291a68de32d0
# - 1c963f531b1870f8edffcc9a9a96019c296801f69ea0a9dda555d91cf791a837
# - 2c90585b53a28a3413099c94c38f250ca5b17f72ddf6a4e346421eb0a6bdd881
# - 82cbdd4822630e179b685733490dc61db4761151656e1663ab91430f32ce86b6
# - 0e1320fd39174b14b7e817491d5e95807e66226d60659a07eb0e4bdedb06bea1
# Notes:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader / ZeroEvil variant outbound connection"; flow:to_server,established; content:"/logs_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000373; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound connection"; flow:to_server,established; content:"/plugin_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000374; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant / ZeroEvil outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"version="; http_client_body; fast_pattern; content:!"Referer"; http_header; pcre:"/version\x3d([0-9]{3}\x255F)+/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000375; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound connection"; flow:to_server,established; content:"/screenshot_gate.php?hwid="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000376; rev:1;)

# --------------------
# Date: 2018-10-10
# Title: MuddyWater
# Reference: Triage from:
# - https://s.tencent.com/research/report/509.html
# - https://securelist.com/muddywater/88059/
# Tests: pcap
# Yara:
# - FILE_OFFICE_OLE_Dropper_Doc
# - TOOL_CNC_Shootback
# - TOOL_PWS_Credstealer
# ClamAV:
# - FILE_OFFICE.OLE.Dropper.Doc
# - TOOL_PWS.Credstealer
# - TOOL_CNC.Shootback
# - Doc.Dropper.Agent-HSB1
# - Doc.Dropper.Agent-HSB2
# - Doc.Dropper.Agent-HSB3
# - Doc.Dropper.Agent-HSB4
# Hashes:
# - 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0: Composite Document File V2 Document
# - 153117aa54492ca955b540ac0a8c21c1be98e9f7dd8636a36d73581ec1ddcf58: Composite Document File V2 Document
# - 18479a93fc2d5acd7d71d596f27a5834b2b236b44219bb08f6ca06cf760b74f6: Composite Document File V2 Document
# - 18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd: Composite Document File V2 Document
# - 209fb398318a0d346b933b0c408467fce8dea36c10cd0f69ce4b342e28cee9dc: Composite Document File V2 Document
# - 2a49d29d58d4d962bee5430e40f488bb79ebab92cf13db5bb4708f3eaf95caed: Composite Document File V2 Document
# - 2cea0b740f338c513a6390e7951ff3371f44c7c928abf14675b49358a03a5d13: Composite Document File V2 Document
# - 38556ba0b512636006c00b51f24ac92755bd1f1b21b4ae1812abf6bf9543221e: Composite Document File V2 Document
# - 3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb: Composite Document File V2 Document
# - 3eb27ecfbe5381b9cf4dcba2486e9773d9893b92c95032be784e0d2198740539: Composite Document File V2 Document
# - 3f14a1210d1f2cdb916275bf32cb49159b6f49a54f246bdcb0e967cd0edb8e82: Composite Document File V2 Document
# - 40ffcbf044ec951242a92a09b6a239183def2e74fc18e5975fa70e849d875a2e: Composite Document File V2 Document
# - 41a32a19c78a542ab4d0701c31d9ef6c7f019c9bc604ab9415f4790b7ac6c591: Composite Document File V2 Document
# - 5c7d16bd89ef37fe02cac1851e7214a01636ee4061a80bfdbde3a2d199721a79: Composite Document File V2 Document
# - 5f2a6601d349af00a4cc101a638003af2f330879c333168cbf6a7a123dfb3928: Composite Document File V2 Document
# - 6a68e8b12960257621cb89f979c1fbbd0f13c2338fad0f64e133deb95c99b2f9: Composite Document File V2 Document
# - 707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024: Composite Document File V2 Document
# - 76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338: Composite Document File V2 Document
# - 818253f297fea7d8a2324ee1a233aabbaf3b0b4b9cdaa1ebd676fe00f2247388: PE32+ executable (console) x86-64, for MS Windows
# - 9038ba1b7991ff38b802f28c0e006d12d466a8e374d2f2a83a039aabcbe76f5c: Composite Document File V2 Document
# - 94625dd8151814dd6186735a6a6a87b2a4c71c04b8402caf314fb6f98434eaad: Composite Document File V2 Document
# - abc269676eab9cf71f4f00195d1be02c10ea5bfb383fa1396dc108e0f6f9b9be: Composite Document File V2 Document
# - b9c70adbc731b1b2779ab35bb0fab29ae703e2a4a7214c5e2749b02daf326a9b: Composite Document File V2 Document
# - bbcafdb4fd7bf107d8b85934286d531536b7a0a30e5eeed07e27f0f7afcf8a77: Composite Document File V2 Document
# - bfb4fc96c1ba657107c7c60845f6ab720634c8a9214943b5221378a37a8916cd: Composite Document File V2 Document
# - c87799cce6d65158da97aa31a5160a0a6b6dd5a89dea312604cc66ed5e976cc9: Composite Document File V2 Document
# - eff78c23790ee834f773569b52cddb01dc3c4dd9660f5a476af044ef6fe73894: Composite Document File V2 Document
# - f2f573af0f76fe0f21bbe630a4bb50b1c1836eb24429bfb8c93673276f27e374: Composite Document File V2 Document
# - f6707b5f41192353be3311fc7f48ee30465038366386b909e6cefaade70c91bc: PE32+ executable (console) x86-64, for MS Windows

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.Agent outbound connection"; flow:to_server,established; content:"/main.php?t="; http_uri; content:"&type=info"; http_uri; fast_pattern:only; content:"&f=s"; http_uri; content:"&id="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000378; rev:1;)

# --------------------
# Date: 2018-10-23
# Title: Win.Trojan.Micropsia
# Reference: Research
# Tests: pcap + sandbox
# Yara:
# - MALWARE_Win_Trojan_Micropsia
# ClamAV:
# - MALWARE_Win.Trojan.Micropsia-1
# - MALWARE_Win.Trojan.Micropsia-2
# Hashes:
# - 0180e2b601ae643e7adf1784c313dd2d10d114bd2b5692eb6e9c031a6e448ed1
# - 027b1042621f86394fd7da27c5310e4906f41b96f6e5474875e63d39b32a9c11
# - 0d05f333f1ce2567eb8f42f7a9098a7e044b1cccac9133d65872445608c89665
# - 228ea63f4f03e98aae13fafc4d850f7cdd6344fa824427f7ec42f31a2ae8345d
# - 3522805eba6bf69f801028252985bd71437875db051c2ed2c8d9f40cefc86edb
# - 368845729255ab7fcfb5c0b6c153929d5ccb8d1f9a40cc02ca7c026b4b6813ec
# - 370f8196b9351289796df63d927e496107d3d6af26272bddf769721beee7de91
# - 5bab8a360d1d08e37e4e6c052f7fce13a291ad9b99f950770a647222bfc4d6b4
# - 75329e7b79284f63c1383244b20fb0d9c4bb1e9c4feba04307f1223db30c9203
# - 9cb5ef0b17eea1a43d5d323277e08645574c53ab1f65b0031a6fc323f52b0079
# - b60bca59de9c7f9c796de3e5c3a1466c0929c7355f4db8c59548af357777e59b
# - b6f8b5ba026af863e878eded79f40e5efa1dd7ce725cd0479e5f062dbf4fdd4f
# - c4e79e151986dc5e16ce763321de90d8c214909df7210ec05e590c4375423a76
# - dd185667015d23438a994adc9e9b30572a1e7479c05f563e0b6c71b8c6023685
# - e326d427695efc1f1eea5f86b545d16b46b45ef3cc0151e22d8a583f391571a9
# - e477b5e00699a9ccb3868de543c29087042fd44c631f8fcda5faaf7922382146
# - effa0e01adad08ae4bc787678ce67510d013a06d1a10d39ec6b19e2449e25fbd
# - f70681c7e8ab419fd0938802a823337abad936cccc0ace9ee232f2b874e561f1
# - fb95a719c4b26bb577cea5837cac6ba9fdfcfd240bc2fc7b1d0759bf392d5191

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant infection report outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; content:"-Embt-Boundary-"; fast_pattern; http_client_body; content:"::Windows"; within:1000; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000379; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant screenshot exfiltration outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"-Embt-Boundary-"; http_header; fast_pattern:only; content:"Accept: image/"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000380; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant heartbeat outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/"; http_uri; content:"Googlebot"; http_header; fast_pattern:only; content:"-Embt-Boundary-"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; content:"-Embt-Boundary-"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000381; rev:1;)

# --------------------
# Date: 2018-07-25, Updated: 2018-10-23
# Title: AgentTesla SMTP Exfil.
# Reference: Research
# Test: pcap + sandbox
# Yara:
# - MALWARE_Win_Keylogger_AgentTesla
# ClamAV:
# - MALWARE_Win.Keylogger.AgentTesla-1
# - MALWARE_Win.Keylogger.AgentTesla-2
# - MALWARE_Win.Keylogger.AgentTesla-3
# Hashes:
# - 030228c5caa62e7727e0a664ef18fdf5663e7edbc2d2f7e5c38bf06526a5023e
# - 0c5f9ab0d84eada4be9e6f86cf81a2b3dd0fbb708342eded078a152490ceb15e
# - b9253b60188214a143b2b7d2b0a3b1adb1d0834b6fc231b9da7b61c9c3184e92
# - 4827ceccbdd20c966bdaa3648f67cb82f319bcbc1766dd134c4fac3f5483179e
# - Updated:
# - 0676b96e49d703a5d09f4b42d108a725603f17da080fc8a7a182bf63eac0ec39
# - 4aa0b4fb7554a5dbaca53bcdc3bc6f69fd1772d444d29c5513bc95d2b49c1c97
# - 4aa2b0ad01e19160db78a327fa0080f13ef0b6fb514b36d64430a4f08d356385
# - 58fe2c7eddb9e31a670eee8397031608f6f1bb30dc1b92df6565551f0118599c
# - 5a5d5b0c3917a59751c4c8404f9711b07395f058a29187fc3a37c2db94a0cc64
# - 64d85ae3f57011ed0b6795712ec436c1ad85c6775fb00c71a1bec6d379950484
# - 869799260e8fe99eca1de03f9baf4de1388de7f7ef41fb70eb03c9cd56dc6e24
# - 97b42e993ec5a3a94e684a12e231cba6a67fab8ff5aa2e4be1ba15a01f015784
# - 98939aa778b7528b635c5336dfd9d7a3ca292de233c2866e50408af34b211921
# - a0b515b02f3e9a6a8738ba40dc2dbb6cecc375b0a69bf44b4a33a7daafeac29a
# - a8605e3124ea7db12ae794943e1aeeeadb9c8563a81be4060d95f9d370d9fbf9
# - c3521771621a724196f6b89fb3ed9fd1c1567dd0157d11a2c060b41128f7cbb9
# - c36a1a233fe7b9a4ef5418000825636bd67c6582a7215a9a82ea863374805ab9
# - d21242ac305be4cbb3ea072ddfe56be87965ea37a1d85808cee1926018c44395
# - e21cc93868d9a1126bc7563a56387477ac9aece7dcc7c17dbd4f0c0c1848a886
# - f2968fc4d637bc878207c704b7984014cc9a04f468d8242576fe9bf7a4d57659
# Notes:
# - CVE-2017-11882 > opendir(s) > dropped binary.
# - opendir(s) files dumped (see screenshots).
# - the "test.doc" is also a CVE-2017-11882.
# - operated by "operations[at]tms-tamkers[.]com"
# - sid 8000207 was utterly wrong, fixed in rev:2.

alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:"Passwords Recovered From: "; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000207; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:"Screen Capture From: "; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000382; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Hi Yaser,

Thanks for these submissions, we'll get these into our testing process and get back to you as soon as possible. We'd appreciate any pcaps you'd be willing to share.

Thanks again!

--
Marcos Rodriguez
Cisco Talos
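To show what two of the submitted signatures actually key on, here is an added example: a small Python evaluator that parses the content, pcre, buffer and within options of sid 8000375 (ARS/ZeroEvil HTTP beacon) and sid 8000207 rev:2 (AgentTesla SMTP subject) and runs them over constructed sample traffic. It is mine, not part of either message in this thread and not Snort's own matching engine. The HTTP buffer split, the per-buffer relative matching and the sample requests and mail headers are simplifications and constructed data, not captures; offset, depth, distance and nocase are not implemented because these rules do not use them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Hex-byte groups inside Snort content strings, e.g. "|0D 0A|" or "|3B|".
HEX_GROUP = re.compile(rb"\|([0-9A-Fa-f ]+)\|")
# Buffer modifiers used by the rules in this thread.
BUFFER_MODS = {"http_uri", "http_header", "http_client_body", "http_method"}
# pcre flag letters that select an HTTP buffer in the Snort 2 rule language.
PCRE_BUFFER_FLAGS = {"U": "http_uri", "H": "http_header", "P": "http_client_body", "M": "http_method"}


@dataclass
class ContentMatch:
    pattern: bytes
    negated: bool = False
    buffer: str = "packet"        # buffer the content is checked against
    within: Optional[int] = None  # relative window after the previous match end


@dataclass
class PcreMatch:
    regex: re.Pattern
    buffer: str = "packet"


def decode_content(raw: str) -> bytes:
    """Convert Snort content notation ('|3B| name=|22|file|22|') to raw bytes."""
    def hex_to_bytes(m: re.Match) -> bytes:
        return bytes.fromhex(m.group(1).decode().replace(" ", ""))
    return HEX_GROUP.sub(hex_to_bytes, raw.encode("latin-1"))


def split_options(rule: str) -> List[str]:
    """Split the option list inside the rule's parentheses on ';' outside quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == '"':
            cur, in_quote = cur + ch, not in_quote
        elif ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return opts


def parse_rule(rule: str) -> List[Union[ContentMatch, PcreMatch]]:
    """Extract content/pcre options with their buffer and 'within' modifiers (assumption:
    offset/depth/distance/nocase are absent from these rules and are ignored)."""
    matches: List[Union[ContentMatch, PcreMatch]] = []
    for opt in split_options(rule):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        last = matches[-1] if matches else None
        if name == "content":
            negated = value.startswith("!")
            matches.append(ContentMatch(decode_content(value.lstrip("!").strip().strip('"')), negated))
        elif name in BUFFER_MODS and isinstance(last, ContentMatch):
            last.buffer = name
        elif name == "within" and isinstance(last, ContentMatch):
            last.within = int(value)
        elif name == "pcre":
            text = value.strip('"')
            delim = text.rindex("/")
            pattern, flags = text[1:delim], text[delim + 1:]
            buffer = next((PCRE_BUFFER_FLAGS[f] for f in flags if f in PCRE_BUFFER_FLAGS), "packet")
            matches.append(PcreMatch(re.compile(pattern.encode("latin-1"), re.I if "i" in flags else 0), buffer))
    return matches


def evaluate(matches: List[Union[ContentMatch, PcreMatch]], buffers: Dict[str, bytes]) -> bool:
    """Apply the matches in rule order. A 'within' content must lie entirely inside the N bytes
    after the previous match in the same buffer; other contents search the whole buffer."""
    cursor: Dict[str, int] = {}
    for m in matches:
        data = buffers.get(m.buffer, b"")
        if isinstance(m, PcreMatch):
            hit = m.regex.search(data)
            if hit is None:
                return False
            cursor[m.buffer] = hit.end()
            continue
        start = cursor.get(m.buffer, 0) if m.within is not None else 0
        end = start + m.within if m.within is not None else len(data)
        idx = data.find(m.pattern, start, end)
        if (idx == -1) != m.negated:  # required content missing, or negated content present
            return False
        if idx != -1:
            cursor[m.buffer] = idx + len(m.pattern)
    return True


def http_buffers(raw: bytes) -> Dict[str, bytes]:
    """Split a raw HTTP request into the named buffers (simplified: headers exclude the request line)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri = request_line.split(b" ")[:2]
    return {"http_method": method, "http_uri": uri, "http_header": headers + b"\r\n",
            "http_client_body": body, "packet": raw}


# Two of the submitted rules, copied from the thread.
RULE_ARS_ZEROEVIL = (r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS '
                     r'loader variant / ZeroEvil outbound connection"; flow:to_server,established; content:"/gate.php"; '
                     r'http_uri; content:"version="; http_client_body; fast_pattern; content:!"Referer"; http_header; '
                     r'pcre:"/version\x3d([0-9]{3}\x255F)+/P"; metadata:ruleset community, service http; '
                     r'classtype:trojan-activity; sid:8000375; rev:1;)')
RULE_AGENTTESLA_SMTP = (r'alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla '
                        r'outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; '
                        r'content:"Passwords Recovered From: "; within:150; fast_pattern; metadata:ruleset community, '
                        r'service smtp; classtype:trojan-activity; sid:8000207; rev:2;)')

# Constructed sample traffic (not real captures); hosts use the reserved .invalid TLD.
ARS_BEACON = (b"POST /gate.php HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/4.0\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
              b"version=123%5F456%5F&hwid=ABC")
ARS_WITH_REFERER = ARS_BEACON.replace(b"Host:", b"Referer: http://www.example.invalid/\r\nHost:")
ARS_BAD_VERSION = ARS_BEACON.replace(b"version=123%5F456%5F", b"version=1.2.3")
AGENTTESLA_MAIL = (b"From: HOST-01 <sender@example.invalid>\r\nTo: drop@example.invalid\r\n"
                   b"Subject: Passwords Recovered From: HOST-01\r\n\r\n(constructed body)\r\n")
SUBJECT_TOO_FAR = (b"From: a@example.invalid\r\nTo: b@example.invalid\r\nSubject: " + b"A" * 200
                   + b" Passwords Recovered From: HOST-01\r\n\r\n")


def verdicts() -> Dict[str, bool]:
    """Run each sample through its rule; True is what a sensor would alert on."""
    ars = parse_rule(RULE_ARS_ZEROEVIL)
    tesla = parse_rule(RULE_AGENTTESLA_SMTP)
    return {
        "ars_beacon": evaluate(ars, http_buffers(ARS_BEACON)),
        "ars_with_referer": evaluate(ars, http_buffers(ARS_WITH_REFERER)),   # negated Referer check
        "ars_bad_version": evaluate(ars, http_buffers(ARS_BAD_VERSION)),     # pcre shape check
        "agenttesla_mail": evaluate(tesla, {"packet": AGENTTESLA_MAIL}),
        "subject_too_far": evaluate(tesla, {"packet": SUBJECT_TOO_FAR}),     # within:150 window
    }


if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The three negative cases are the ones worth reading: the Referer sample shows why `content:!"Referer"` is there (browser-originated POSTs normally carry one, the VBS loader's do not), the `version=1.2.3` sample shows the pcre enforcing the `NNN%5F` shape rather than just the literal `version=`, and the long-subject sample shows `within:150` pinning the second string to the bytes right after the Subject header instead of anywhere in the session.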
Current thread:
- Multiple signatures 016 Y M via Snort-sigs (Oct 25)
- Re: Multiple signatures 016 Marcos Rodriguez (Oct 25)