[Snort-sigs] Win.Trojan.Revenge RAT

Y M snort at outlook.com
Tue Feb 20 03:24:09 EST 2018


Hi,


The rules below are for detecting the Revenge RAT. Pcaps for the below hashes are available.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT outbound connection"; flow:to_server,established; content:"Information"; depth:11; content:"|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:9000039; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT inbound connection attempt"; flow:to_client,established; dsize:<12; content:"PNC|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:9000040; rev:1;)


Thanks.

YM
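An added example, not part of the post or of the Snort ruleset: the payload checks the two rules express, reimplemented in Python over constructed sample payloads so the effect of depth:11 and dsize:<12 is visible. The direction label on each sample stands in for what Snort's flow keyword would decide from the TCP session; that labelling is an assumption of this example.

```python
from dataclasses import dataclass

# |2A 2D 5D|NK|5B 2D 2A| from the rules, decoded: b"*-]NK[-*"
MARKER = bytes.fromhex("2A2D5D") + b"NK" + bytes.fromhex("5B2D2A")


@dataclass
class Payload:
    direction: str  # "to_server" or "to_client" (assumed flow classification)
    data: bytes     # TCP payload bytes only


def match_outbound(p: Payload) -> bool:
    """sid:9000039: 'Information' must lie within the first 11 bytes (depth:11),
    which for an 11-byte pattern means at offset 0; the marker may be anywhere."""
    if p.direction != "to_server":
        return False
    if p.data[:11].find(b"Information") == -1:
        return False
    return MARKER in p.data


def match_inbound(p: Payload) -> bool:
    """sid:9000040: payload shorter than 12 bytes (dsize:<12) that contains
    'PNC' + marker. Since that pattern is itself 11 bytes, only an exact
    11-byte payload can satisfy both constraints."""
    if p.direction != "to_client":
        return False
    if len(p.data) >= 12:
        return False
    return (b"PNC" + MARKER) in p.data


def classify(p: Payload) -> list:
    """Return the sids whose payload constraints the sample satisfies."""
    hits = []
    if match_outbound(p):
        hits.append(9000039)
    if match_inbound(p):
        hits.append(9000040)
    return hits


# Constructed sample payloads (not captured traffic), one per rule option.
SAMPLES = {
    "beacon":        Payload("to_server", b"Information" + MARKER + b"WORKSTATION-1"),
    "shifted":       Payload("to_server", b"X" + b"Information" + MARKER),  # fails depth:11
    "no_marker":     Payload("to_server", b"Information only"),
    "pnc":           Payload("to_client", b"PNC" + MARKER),
    "pnc_too_long":  Payload("to_client", b"PNC" + MARKER + b"X"),         # 12 bytes, fails dsize
}
```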
