[Snort-sigs] Dridex/Kryptik Pascal Library X-Mailer sig

Matthew Mickel mmickel at ...435...
Tue May 26 10:54:40 EDT 2015


Hi, James-

Thanks for your submission.  I'll put the rule through our regular testing
process and get back to you when it's finished.  Best,

Matt Mickel

On Thu, May 21, 2015 at 1:33 PM, James Lay <jlay at ...3266...> wrote:

> Saw a fair bit of malicious emails with:
>
> X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer
>
> set.  These included this type of malicious link (brackets added):
>
>
> meows://www.google[.]com/url?q=meows%3A%2F%2Fcopy[.]com%2FBmlHcclqSfe7COabPactDgg%2FWire_%2520transfer411A.zip%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNHGxjvBdYV5kCQpDyaS4LSYSl1pOA
>
> These lead to badness:
>
>
> https://www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/
>
> https://www.hybrid-analysis.com/search?query=d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43+
>
> Below should catch this particular mailer:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Possible Malicious Email with Pascal TCP/IP library X-mailer"; flow:to_server,established; content:"X-mailer|3a| Synapse - Pascal TCP|2f|IP library by Lukas Gebauer"; fast_pattern:only; classtype:bad-unknown; sid:10000160; rev:1;)
>
> James
>
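As an added example, not part of James's submission or of any Snort rule set, the following Python script shows the same detection idea applied to a raw SMTP message. It mimics the posted rule's content match (a case-sensitive byte search, since Snort `content` is case-sensitive unless `nocase` is added) alongside a header-aware check that parses the message and compares the X-Mailer value regardless of how the header name is cased, which RFC 5322 allows. The function names `snort_style_match`, `header_match` and `evaluate` and the three sample messages are constructed for this illustration; the `example.invalid` addresses are placeholders.

```python
"""Added example: detecting the Synapse X-mailer string in a raw message.

All sample messages and function names below are constructed for this
illustration and are not taken from the original mailing-list post.
"""
from email import policy
from email.parser import BytesParser

# The literal the posted Snort rule searches for, with the |3a| and |2f|
# hex escapes expanded to ':' and '/'.
SNORT_CONTENT = b"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"

# The X-Mailer header value on its own, for a header-aware comparison.
SYNAPSE_XMAILER = "Synapse - Pascal TCP/IP library by Lukas Gebauer"


def snort_style_match(raw_message: bytes) -> bool:
    """Mimic the rule's content match: a case-sensitive byte search.

    Snort 'content' is case-sensitive unless the rule adds 'nocase', so this
    only fires when the header name is spelled exactly 'X-mailer'.
    """
    return SNORT_CONTENT in raw_message


def header_match(raw_message: bytes) -> bool:
    """Header-aware check: parse the message and compare the X-Mailer value.

    RFC 5322 header names are case-insensitive, and email.message lookups
    honour that, so 'X-mailer', 'X-Mailer' and 'x-mailer' all resolve here.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    value = msg.get("X-Mailer")
    if value is None:
        return False
    return str(value).strip() == SYNAPSE_XMAILER


# Constructed sample messages (not real captured mail).
SAMPLE_LOWERCASE = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: Wire transfer\r\n"
    b"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer\r\n"
    b"\r\n"
    b"See attached.\r\n"
)

# Same message with the header name cased differently.
SAMPLE_CAPITAL_M = SAMPLE_LOWERCASE.replace(b"X-mailer:", b"X-Mailer:")

# A message from some other client, which neither check should flag.
SAMPLE_BENIGN = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: Hello\r\n"
    b"X-Mailer: Some Other Client 1.0\r\n"
    b"\r\n"
    b"Hi there.\r\n"
)


def evaluate(samples: dict) -> dict:
    """Return {name: (snort_style_hit, header_aware_hit)} for each sample."""
    return {
        name: (snort_style_match(raw), header_match(raw))
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    results = evaluate({
        "lowercase-name": SAMPLE_LOWERCASE,
        "capital-M-name": SAMPLE_CAPITAL_M,
        "benign": SAMPLE_BENIGN,
    })
    for name, (snort_hit, header_hit) in results.items():
        print(f"{name}: snort_style={snort_hit} header_aware={header_hit}")
```

Running the script shows that the byte search and the header-aware check agree on the first and third samples, while the second (header name spelled `X-Mailer`) is caught only by the parsed check. For the Snort rule itself, that gap is what `nocase` on the `content` option closes, at the cost of a slightly less specific match.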

