[Snort-sigs] Win.Trojan.NeutrinoPOS variant

Y M snort at outlook.com
Tue Apr 3 09:13:30 EDT 2018


Hi,


A pcap for this one is available.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker NeutrinoPOS variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?&1001="; fast_pattern:only; http_uri; content:"&99="; http_uri; content:"&f1="; http_uri; content:"Accept-Charset|3A 20|"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/detection; classtype:trojan-activity; sid:9000049; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker NeutrinoPOS variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/index.php?&1001="; fast_pattern:only; http_uri; content:"&req="; http_uri; content:!"Connection"; http_header; content:"1="; within:3; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/detection; classtype:trojan-activity; sid:9000050; rev:1;)


Thanks.

YM
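Added example, not part of the original post or the Snort project: a small offline harness that re-implements the content constraints of SIDs 9000049 and 9000050 and runs them over constructed HTTP requests, so the two rules can be sanity-checked without a pcap. The sample requests (including the 198.51.100.7 host) are invented to exercise the rule conditions and are not real C2 traffic. Two simplifications are assumptions: the http_header buffer is treated as a plain substring search over the raw header block (Snort normalizes it first), and the `within:3` on the body content, which has no preceding match in the client-body buffer, is read as "the `1=` match must end within the first 3 bytes of the body".

```python
"""Offline check of the two NeutrinoPOS rules against constructed requests.

Added example, not code from the original post or from Snort. The sample
requests below are constructed for illustration and are NOT real C2 traffic.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class HttpRequest:
    method: str   # what Snort's http_method buffer sees
    uri: str      # http_uri (no normalization applied here: assumption)
    headers: str  # http_header: header block without the request line
    body: bytes   # http_client_body


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into the buffers the rules inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.decode("ascii").split(" ", 2)
    return HttpRequest(method, uri, headers.decode("ascii"), body)


def matches_sid_9000049(req: HttpRequest) -> bool:
    """GET beacon: fixed query-string keys plus an Accept-Charset header."""
    return (req.method == "GET"
            and "/index.php?&1001=" in req.uri
            and "&99=" in req.uri
            and "&f1=" in req.uri
            and "Accept-Charset: " in req.headers)   # content is case-sensitive (no nocase)


def matches_sid_9000050(req: HttpRequest) -> bool:
    """POST check-in: '&req=' in the URI, no Connection header, body starts '1='."""
    # Assumption: within:3 with no prior body match means the 2-byte pattern
    # "1=" must lie entirely inside the first 3 bytes of the client body.
    return (req.method == "POST"
            and "/index.php?&1001=" in req.uri
            and "&req=" in req.uri
            and "Connection" not in req.headers     # negated http_header content
            and b"1=" in req.body[:3])


RULES: List[Tuple[int, Callable[[HttpRequest], bool]]] = [
    (9000049, matches_sid_9000049),
    (9000050, matches_sid_9000050),
]


def scan(raw_requests: List[bytes]) -> List[Tuple[int, str, str]]:
    """Return (sid, method, uri) for every rule that fires on each request."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        for sid, check in RULES:
            if check(req):
                hits.append((sid, req.method, req.uri))
    return hits


# Constructed sample traffic: two requests shaped like the rules expect and two
# near-misses that must not fire (Connection header present; ordinary GET).
SAMPLES = [
    b"GET /index.php?&1001=ab12&99=1&f1=host HTTP/1.1\r\n"
    b"Host: 198.51.100.7\r\nAccept-Charset: utf-8\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"POST /index.php?&1001=ab12&req=2 HTTP/1.1\r\n"
    b"Host: 198.51.100.7\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 7\r\n\r\n1=abcde",
    b"POST /index.php?&1001=ab12&req=2 HTTP/1.1\r\n"
    b"Host: 198.51.100.7\r\nConnection: keep-alive\r\nContent-Length: 7\r\n\r\n1=abcde",
    b"GET /index.php?id=1 HTTP/1.1\r\nHost: example.com\r\nAccept-Charset: utf-8\r\n\r\n",
]

if __name__ == "__main__":
    for sid, method, uri in scan(SAMPLES):
        print(f"sid:{sid} fired on {method} {uri}")
```

Running the script reports one hit per rule: the first sample trips 9000049 and the second trips 9000050, while the third is suppressed by the negated `Connection` header check and the fourth lacks the `&1001=` marker. When validating the real rules, replay the pcap through Snort with `-A console -c` and compare against this harness; any divergence on the POST rule most likely comes from the `within:3` reading above.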
