[Snort-sigs] SID:23262

James Lay jlay at slave-tothe-box.net
Thu Dec 20 16:21:24 EST 2018


Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"|DE AD BE EF|"; depth:4; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=19d0af98ba20411191ba51a0144485cc; classtype:trojan-activity; sid:23262; rev:7;)

Hit:
12/20-19:12:09.783919  [**] [1:23262:7] MALWARE-CNC Win.Trojan.Banker variant outbound connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.x:58410 -> 146.112.61.110:80

Looks like this could use some TLC... granted the iPhone app is rubbish:


User-Agent: Huuuge%20Casino/3.7.1181 CFNetwork/975.0.3 Darwin/18.2.0 

and interesting that indeed it does match de ad be ef, however I don't
think it's the below:

https://www.virustotal.com/#/file/fc198781ea61490878a80ab2bf1e6067e1e2a4c2f21e0717a6b4e473b3e5e0c7/detection


GETs and POSTs to: 
http://hbi-ingest[.]net/pcfK6gOAtE2kWQOL 

Thank you. 

James 

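A small Python model of the rule's matching clauses, added here as an example (it is not from the list post and not part of the Snort ruleset). It assumes $HTTP_PORTS is 80 and 8080, and every request body below is constructed; the only value taken from the report is the quoted User-Agent. The point is to show why `content:"|DE AD BE EF|"; depth:4; http_client_body;` fires on any client that starts a POST body with that four-byte value, not just the trojan.

```python
# Added example (not from the list post or the Snort ruleset): a model of the
# detection clauses in SID 23262, evaluated clause by clause so a rule tuner
# can see which condition is doing the work when a benign client trips it.
from dataclasses import dataclass, field

DEADBEEF = bytes.fromhex("DEADBEEF")
HTTP_PORTS = (80, 8080)  # assumed stand-in for $HTTP_PORTS


@dataclass
class HttpRequest:
    """Constructed client->server request, the only direction the rule inspects."""
    method: str
    dst_port: int
    body: bytes
    headers: dict = field(default_factory=dict)


def clause_results(req: HttpRequest) -> dict:
    """Evaluate each clause of the rule separately and report which ones hold."""
    return {
        # $HTTP_PORTS on the destination side of an outbound, established flow
        "http_port": req.dst_port in HTTP_PORTS,
        # content:"POST"; http_method;  (substring match on the method buffer)
        "post_method": "POST" in req.method,
        # content:"|DE AD BE EF|"; depth:4; http_client_body;
        # a 4-byte pattern with depth:4 means the body must *begin* with it
        "body_prefix": req.body[:4] == DEADBEEF,
    }


def sid_23262_matches(req: HttpRequest) -> bool:
    """The rule alerts only when every clause holds."""
    return all(clause_results(req).values())


def sample_requests() -> dict:
    """Constructed traffic; the User-Agent is the one quoted in the report."""
    ua = "Huuuge%20Casino/3.7.1181 CFNetwork/975.0.3 Darwin/18.2.0"
    return {
        # benign app upload whose binary body happens to start with the magic
        "iphone_app": HttpRequest("POST", 80, DEADBEEF + b"\x00\x00\x00\x20" + b"\x01" * 32,
                                  {"User-Agent": ua}),
        # ordinary form post: same method and port, no magic
        "form_post": HttpRequest("POST", 80, b"user=alice&lang=en",
                                 {"Content-Type": "application/x-www-form-urlencoded"}),
        # magic present but not at offset 0: depth:4 cannot reach it
        "magic_later": HttpRequest("POST", 80, b"\x00" + DEADBEEF),
        # GET with no body never satisfies the http_method clause
        "get": HttpRequest("GET", 80, b""),
        # same body to a port outside $HTTP_PORTS
        "odd_port": HttpRequest("POST", 4444, DEADBEEF + b"\x00" * 8),
    }


def matching_names() -> list:
    """Names of the constructed requests the rule would alert on."""
    return sorted(name for name, req in sample_requests().items() if sid_23262_matches(req))


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:12s} match={str(sid_23262_matches(req)):5s} {clause_results(req)}")
```

Running it shows that only the constructed iPhone-app request matches, and the clause breakdown makes the reason visible: port and method are satisfied by any ordinary web client, so the four-byte body prefix is the sole discriminating condition, which is why a benign CFNetwork client sending a binary body with that prefix produces the hit above.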