[Snort-sigs] Dridex/Kryptik Pascal Library X-Mailer sig

James Lay jlay at ...3266...
Thu May 21 13:33:36 EDT 2015


Saw a fair bit of malicious emails with:

X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer

set.  These included this type of malicious link (brackets added):

meows://www.google[.]com/url?q=meows%3A%2F%2Fcopy[.]com%2FBmlHcclqSfe7COabPactDgg%2FWire_%2520transfer411A.zip%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNHGxjvBdYV5kCQpDyaS4LSYSl1pOA

These lead to badness:

https://www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/
https://www.hybrid-analysis.com/search?query=d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43+

Below should catch this particular mailer:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Possible Malicious Email with Pascal TCP/IP library X-mailer"; flow:to_server,established; content:"X-mailer|3a| Synapse - Pascal TCP|2f|IP library by Lukas Gebauer"; fast_pattern:only; classtype:bad-unknown; sid:10000160; rev:1;)

James
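The script below is an added example, not part of James's post: it applies the same X-mailer header check the rule above uses to parsed mail messages, and it unwraps the google.com/url?q= redirect style of the link he quotes so the real download target can be seen. The sample messages and the sample URL are constructed for the demonstration.

```python
"""Added example (not from the Snort-sigs post): flag messages whose X-Mailer
header carries the Synapse/Pascal library string, and unwrap google.com/url?q=
redirects to reveal the real download target."""
import email
from email import policy
from urllib.parse import urlparse, parse_qs

# The same value the Snort content match looks for, with the |3a| and |2f|
# hex bytes written out as ':' and '/'.
SYNAPSE_XMAILER = "Synapse - Pascal TCP/IP library by Lukas Gebauer"


def mailer_matches(raw_message: bytes) -> bool:
    """True when the X-Mailer header equals the Synapse string.
    Header names are case-insensitive (RFC 5322), so 'X-mailer' and
    'X-Mailer' are both found."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    value = msg.get("X-Mailer")
    return value is not None and value.strip() == SYNAPSE_XMAILER


def unwrap_redirect(url: str) -> str:
    """Return the target behind a www.google.com/url?q=... redirect, or the
    URL unchanged if it is not one. parse_qs percent-decodes once, so a
    double-encoded %2520 in the target correctly comes back as %20."""
    parsed = urlparse(url)
    if parsed.netloc.lower() != "www.google.com" or parsed.path != "/url":
        return url
    q = parse_qs(parsed.query).get("q")
    return q[0] if q else url


# Constructed sample messages (not real captures).
MALICIOUS_SAMPLE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Wire transfer
X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer

Please review the attached wire transfer.
"""
BENIGN_SAMPLE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Lunch
X-Mailer: Microsoft Outlook 16.0

Lunch at noon?
"""

if __name__ == "__main__":
    print(mailer_matches(MALICIOUS_SAMPLE), mailer_matches(BENIGN_SAMPLE))
```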
