[Snort-sigs] Suspicious DNS rule

James Lay jlay at slave-tothe-box.net
Tue Jul 31 13:16:56 EDT 2018


So ok... I got three samples, two Agent Tesla, one Formbook, all exhibit
the following:

List of samples on ANY.RUN:

https://app.any.run/tasks/33d3e229-fba7-476b-8ec9-7464eacb1ca3
https://app.any.run/tasks/6d9371e7-249b-47d1-bbbb-cf66dd34e30b
https://app.any.run/tasks/065b87cb-a6d3-4dc7-a06f-a893281b4263 

These requests show up funky:

My only guess is that a specific packer is calling out, as the three samples
are all .NET. Anyway, sig below:

# Matches the DNS header fields that follow the transaction ID (flags 0x0100,
# QDCOUNT 1, no answer/authority/additional records) and then a question
# name made of a 2-byte non-ASCII label followed by "org".
alert udp $HOME_NET any -> any 53 (msg:"Suspicious DNS Request"; \
    content:"|01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00|"; \
    fast_pattern:only; classtype:trojan-activity; sid:XXXXXX; rev:1; \
    metadata:created_at 2018_07_31;)

If someone has any more insight I'd love to know what this really is.
Thank you. 

James
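To make the byte string in the rule easier to reason about, here is an added example (not part of James's post or of any Snort code) that decodes a DNS query according to the RFC 1035 wire format and applies the same substring test the rule's content: option performs. The two packets are constructed here: one reproduces the bytes in the rule, the other is an ordinary query for example.org. The check for labels outside the letters-digits-hyphen set is an assumption about how a defender might generalise the rule; it is not something the post states.

```python
import struct

# The 18 bytes from the rule's content: option. In a query they sit right
# after the 2-byte transaction ID: flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT,
# then the question name <02> ca b1 <03> "org" <00>.
RULE_CONTENT = bytes.fromhex("01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00")

# Characters permitted in a conventional hostname label (LDH). Anything else
# in a label is worth a second look; this generalisation is an assumption.
LDH = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")


def parse_dns_question(payload: bytes) -> dict:
    """Parse the DNS header and the first question (no compression pointers)."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    labels = []
    off = 12
    while True:
        if off >= len(payload):
            raise ValueError("truncated question name")
        length = payload[off]
        off += 1
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0:        # compression pointers do not occur in questions
            raise ValueError("compression pointer in question name")
        labels.append(payload[off:off + length])
        off += length
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"txid": txid, "flags": flags, "qdcount": qdcount,
            "labels": labels, "qtype": qtype, "qclass": qclass}


def matches_rule(payload: bytes) -> bool:
    """Equivalent of the rule: an unanchored content match (no offset/depth given)."""
    return RULE_CONTENT in payload


def non_ldh_labels(labels) -> list:
    """Return the labels that contain bytes outside the LDH set."""
    return [lbl for lbl in labels if any(b not in LDH for b in lbl)]


def build_query(name_labels, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Construct a standard recursive A query for the given labels (constructed sample)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in name_labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed packets: the first reproduces the bytes in the rule, the second is benign.
SUSPECT_QUERY = build_query([b"\xca\xb1", b"org"])
BENIGN_QUERY = build_query([b"example", b"org"])

if __name__ == "__main__":
    for name, pkt in (("suspect", SUSPECT_QUERY), ("benign", BENIGN_QUERY)):
        q = parse_dns_question(pkt)
        print(name, "rule match:", matches_rule(pkt),
              "labels:", q["labels"], "non-LDH:", non_ldh_labels(q["labels"]))
```

Running it shows that the rule fires only on the packet whose question name carries the two-byte label, and that the label is the part a generalised detection would key on.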
Attachments (images, scrubbed by the list archive):
2018-07-31 11_11_39-dns.pcap.png
<https://lists.snort.org/pipermail/snort-sigs/attachments/20180731/bc40988a/attachment-0002.png>
2018-07-31 11_13_39-kestDP.exe (MD5_ 894BAB66E3F7408C6FD118165D63E03F) - Interactive analysis - ANY..png
<https://lists.snort.org/pipermail/snort-sigs/attachments/20180731/bc40988a/attachment-0003.png>

