[Snort-sigs] Win.Trojan.Occamy

Y M snort at outlook.com
Mon Jun 11 15:06:37 EDT 2018


Hi,

A pcap is available for this one too.

# --------------------
# Date: 2018-06-11
# Title: Suspicious Self-signed Certificate
# Tests: pcap
# Reference: https://twitter.com/ClearskySec/status/1004749887966244865
# Hash: d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de
# Confidence: medium

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Occamy inbound self-signed SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"some-state"; nocase; content:"some company"; nocase; metadata:ruleset community, service ssl; reference:url,www.virustotal.com/#/file/d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de/detection; classtype:trojan-activity; sid:8000117; rev:1;)

Thanks.
YM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180611/43990a5a/attachment-0001.html>


More information about the Snort-sigs mailing list