[Snort-sigs] Vbs.Downloader.Valyria

Y M snort at outlook.com
Fri May 25 14:51:14 EDT 2018


Hi,

I have seen this in documents with VBS, which ultimately use PowerShell to download the next-stage payload. The PowerShell uses a "random" user-agent with a specific pattern. Instead of hardcoding the user-agent per rule, PCRE was used, though the rule can be considered weak. A pcap is available for this one.

# --------------------
# Date: 2018-05-24
# Title: Vbs.Downloader.Valyria
# Tests: pcap
# Reference: https://www.virustotal.com/#/file/7f3ead05a2ad90e342f0079274774d31c2dc9e84517f945f5e4f9f09f24a74e2/detection, https://www.virustotal.com/#/file/383800c26a0656930cd5ecf6ee102748c130b5a61578dcea5329280a70528e40/detection, https://www.virustotal.com/#/file/56b1b50f53fedffa04efb965bb7f6297e1cb34d9d4086e1ea3973f84a48ac0c3/detection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Downloader.Valyria known malicious user-agent"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: "; http_header; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/User-Agent\x3a\x20[A-Z0-9]{5}/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/7f3ead05a2ad90e342f0079274774d31c2dc9e84517f945f5e4f9f09f24a74e2/detection; reference:url,www.virustotal.com/#/file/383800c26a0656930cd5ecf6ee102748c130b5a61578dcea5329280a70528e40/detection; classtype:trojan-activity; sid:8000061; rev:1;)

Thanks.
YM
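The matching logic of the rule above, as an added Python example that is not part of the post and not Snort code: it re-implements each `content`/`pcre` condition of sid 8000061 over a few constructed HTTP requests (the requests, hosts and paths are made up for illustration and are not taken from the pcap mentioned). It models Snort's `http_header` buffer as the header block after the request line up to and including the terminating empty line, which is what the `Connection: Keep-Alive|0D 0A 0D 0A|` match relies on. The last sample shows why the rule is weak: the PCRE only requires five uppercase letters or digits at the start of the user-agent value and is not anchored at the end, so an uppercase product token from a legitimate tool also fires.

```python
import re

# Constructed sample requests (illustrative, not from the referenced pcap).
HIT = (
    b"GET /gate.php HTTP/1.1\r\n"
    b"User-Agent: Q7K2P\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Ordinary browser: "Mozil" has lowercase letters and the request carries Accept headers.
BROWSER = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-US\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Same as HIT but with a Referer header: the negative content match rejects it.
WITH_REFERER = (
    b"GET /gate.php HTTP/1.1\r\n"
    b"User-Agent: Q7K2P\r\n"
    b"Host: example.invalid\r\n"
    b"Referer: http://example.invalid/\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Hypothetical legitimate updater with an uppercase product token:
# the unanchored PCRE accepts "ACME1", so the rule alerts on it too.
FALSE_POSITIVE = (
    b"GET /updates HTTP/1.1\r\n"
    b"User-Agent: ACME1.0-Updater\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# pcre:"/User-Agent\x3a\x20[A-Z0-9]{5}/H" from the rule, applied to the header buffer.
UA_PCRE = re.compile(rb"User-Agent\x3a\x20[A-Z0-9]{5}")


def split_request(raw):
    """Return (method, header_block) for a raw HTTP request, or None if malformed.

    header_block mirrors Snort's http_header buffer: everything after the
    request line, up to and including the CRLF CRLF that ends the headers.
    """
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        return None
    line_end = raw.find(b"\r\n")
    request_line = raw[:line_end]
    method = request_line.split(b" ", 1)[0]
    header_block = raw[line_end + 2 : end + 4]
    return method, header_block


def matches_rule(raw):
    """True when every condition of sid 8000061 holds for the request."""
    parsed = split_request(raw)
    if parsed is None:
        return False
    method, headers = parsed
    checks = [
        method == b"GET",                                      # content:"GET"; http_method
        b"User-Agent: " in headers,                            # content:"User-Agent: "; http_header
        headers.endswith(b"Connection: Keep-Alive\r\n\r\n"),   # content:"Connection: Keep-Alive|0D 0A 0D 0A|"
        b"Accept" not in headers,                              # content:!"Accept"  (case-sensitive, hits Accept-* too)
        b"Content" not in headers,                             # content:!"Content"
        b"Referer" not in headers,                             # content:!"Referer"
        UA_PCRE.search(headers) is not None,                   # pcre:".../H"
    ]
    return all(checks)


if __name__ == "__main__":
    samples = [("HIT", HIT), ("BROWSER", BROWSER),
               ("WITH_REFERER", WITH_REFERER), ("FALSE_POSITIVE", FALSE_POSITIVE)]
    for name, req in samples:
        print(f"{name:15} -> {'alert' if matches_rule(req) else 'no alert'}")
```

Running it alerts on HIT and FALSE_POSITIVE and stays quiet on BROWSER and WITH_REFERER. Note that Snort's `content` matches are case-sensitive unless `nocase` is given, so the negative matches here are written case-sensitively as well; a lowercase `accept:` header would not suppress the alert in either implementation.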