[Snort-sigs] Win.Trojan.Revenge RAT

Phillip Lee phillile at sourcefire.com
Thu Mar 22 10:01:34 EDT 2018


Dear Yaser,

This rule has been reviewed and added to the community ruleset (SID: 45961-45962).  The only modifications made were:
1. First rule - fast_pattern:only on the longer content match
2. Second rule - removed 'dsize:<12'

Thank you for your contribution.  

Sincerely,
Phil Lee
Cisco Talos

> On Feb 20, 2018, at 8:21 AM, Y M <snort at outlook.com> wrote:
> 
> Hi Phillip,
> 
> The pcap is attached. Archive password is infected.
> 
> Thanks. Have a good day
> Yaser
> 
> From: Phillip Lee <phillile at sourcefire.com>
> Sent: Tuesday, February 20, 2018 3:15:12 PM
> To: Y M
> Cc: snort-sigs at lists.snort.org
> Subject: Re: [Snort-sigs] Win.Trojan.Revenge RAT
>  
> Yaser,
> 
> Thanks for your submission. We will review the rules and get back to you when they're finished. 
> 
> Can you send along the pcaps that you have? 
> 
> Regards,
> Phil Lee
> Cisco Talos
> 
>> On Feb 20, 2018, at 3:24 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
>> 
>> Hi,
>> 
>> The below rules are for detecting the Revenge RAT. Pcaps for the below hashes are available.
>> 
>> 79bdbf9ec639d5ccf3992e9c9fe9eeba21d191dc168194a80b50f3aa8068892a
>> 14731a5222178aba49a88b88da3f3de63bdee5dcc766c453af4d32a05942c686
>> 518f7803ad1b8e630f50719d7cb3638ea5d67fa4d4387a55f44ddca4ef55a3ee
>> cf8a2495c95f1edf237ec8281b85e3ee127e2d15c8e5c6bebeb038e3e135134b
>> e7d4198bc93202434843459be2f8aff2a5effecf052e210b2d7df9ce55cca134
>> aeb64721415ebc354e81f8a90932a2b9708fe2907d749203678df6e91604336c
>> 7b875f2fa6d638a8295af1ca88aaee6dd657ca31edddbfcc2fcaac1974d7c563
>> edb115dd5ca7c7f9dd069746daa0a4ee6298bf94de62510d3f8bebfa5f5a8bcd
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT outbound connection"; flow:to_server,established; content:"Information"; depth:11; content:"|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:9000039; rev:1;)
>> 
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT inbound connection attempt"; flow:to_client,established; dsize:<12; content:"PNC|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:9000040; rev:1;)
>> 
>> Thanks.
>> YM
>> 
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.snort.org
>> https://lists.snort.org/mailman/listinfo/snort-sigs
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!
>> 
>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>> 
>> Visit Snort.org (https://snort.org/downloads/#rule-downloads) to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats!
> 
> <revengerat_cnc.zip>
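The following is an added example, not code from the thread, from Talos or from the Snort project: a small Python re-implementation of the content / depth / dsize semantics the two submitted rules rely on, run over constructed sample payloads (not captured traffic) so the effect of the two review changes can be seen without a Snort install. It shows that Snort's default fast-pattern choice is the longest content in the rule ("Information", 11 bytes, rather than the 8-byte delimiter), and that the submitted dsize:<12 would only ever fire on a payload of exactly 11 bytes, since the matched token "PNC*-]NK[-*" is itself 11 bytes long. Payload strings, hostnames and the helper names are assumptions made for the example.

```python
"""Added example: minimal Snort-style content matching for the two
Revenge RAT rules in this thread. Not Snort code; sample payloads are
constructed for illustration and are not captured C2 traffic."""
from typing import List, Optional


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes.

    Text outside |...| is literal; text inside |...| is whitespace-separated
    hex, e.g. "PNC|2A 2D 5D|NK|5B 2D 2A|" -> b"PNC*-]NK[-*".
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        # Even-indexed pieces are literal text, odd-indexed are hex runs.
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


# Content matches exactly as written in the submitted rules.
DELIM = parse_content("|2A 2D 5D|NK|5B 2D 2A|")              # b"*-]NK[-*", 8 bytes
OUTBOUND_ANCHOR = parse_content("Information")               # 11 bytes
INBOUND_TOKEN = parse_content("PNC|2A 2D 5D|NK|5B 2D 2A|")   # 11 bytes

# Constructed sample payloads (assumed field layout, illustration only).
SAMPLE_OUTBOUND_OK = b"Information*-]NK[-*DESKTOP-01*-]NK[-*user*-]NK[-*"
SAMPLE_OUTBOUND_LATE = b"GET /x Information*-]NK[-*"   # anchor not in first 11 bytes
SAMPLE_INBOUND_SHORT = b"PNC*-]NK[-*"                  # exactly 11 bytes
SAMPLE_INBOUND_LONG = b"PNC*-]NK[-*1*-]NK[-*"          # 20 bytes, same token


def content_match(payload: bytes, needle: bytes, depth: Optional[int] = None) -> bool:
    """Snort 'content' with an optional 'depth': only the first `depth`
    bytes of the payload are searched when depth is given."""
    haystack = payload if depth is None else payload[:depth]
    return needle in haystack


def match_outbound(payload: bytes) -> bool:
    """Rule 1 (sid:9000039 as submitted): 'Information' within depth:11
    (which, for an 11-byte string, means at offset 0), then the delimiter
    anywhere in the payload."""
    return (content_match(payload, OUTBOUND_ANCHOR, depth=11)
            and content_match(payload, DELIM))


def match_inbound(payload: bytes, dsize_lt: Optional[int] = None) -> bool:
    """Rule 2 (sid:9000040): the 'PNC*-]NK[-*' token anywhere in the payload.
    Pass dsize_lt=12 to reproduce the submitted dsize:<12 constraint."""
    if dsize_lt is not None and len(payload) >= dsize_lt:
        return False
    return content_match(payload, INBOUND_TOKEN)


def default_fast_pattern(contents: List[bytes]) -> bytes:
    """Snort's default fast-pattern selection: the longest content in the rule.
    The reviewer pinned fast_pattern to the longer match explicitly."""
    return max(contents, key=len)


if __name__ == "__main__":
    print("fast pattern for rule 1:", default_fast_pattern([OUTBOUND_ANCHOR, DELIM]))
    print("outbound ok   :", match_outbound(SAMPLE_OUTBOUND_OK))
    print("outbound late :", match_outbound(SAMPLE_OUTBOUND_LATE))
    for label, p in (("short", SAMPLE_INBOUND_SHORT), ("long", SAMPLE_INBOUND_LONG)):
        print(f"inbound {label:5s}: dsize:<12 -> {match_inbound(p, dsize_lt=12)}, "
              f"no dsize -> {match_inbound(p)}")
```

The constructed long inbound frame matches only once dsize:<12 is dropped, which is the practical reason for the reviewer's second change; the short frame matches either way. The depth:11 check on the outbound rule is equally strict: the payload has to begin with "Information", so any leading bytes defeat it.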
