Hi,

Hope all is well. This post is a bit long, thanks for reading! One of the samples below is signed with a fake certificate that is issued by and has the CN of "ClamAV". 

Detection content for the majority of the cases below is available.

Thanks.
YM

# --------------------
# Title: Kuwait Oil Themed Malware Targeting Industry
# Reference: http://www.malcrawler.com/kuwait-oil-themed-malware-targeting-industry/
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_Gh0st_Plugx_1
#   - MALWARE_Win_Trojan_Gh0st_Plugx_2
#   - MALWARE_Win_Trojan_Gh0st_Plugx_DotNET
#   - MALWARE_Win_Trojan_Agent
# ClamAV:
#   - Xls.Exploit.DDEXML
#   - Ppt.Exploit.DDEXML
#   - Doc.Exploit.DDEXML
#   - MALWARE_Win.Trojan.Gh0st_Plugx_1
#   - MALWARE_Win.Trojan.Gh0st_Plugx_2
#   - MALWARE_Win.Trojan.Gh0st_Plugx_DotNET
#   - MALWARE_Win.Trojan.Agent
# Hashes:
#   - DDEXML Documents:
#       - 1f9acfa49397291351d2e7344f239fa263908a75d2f4c0e558f752ef0e10be3e
#       - b3e260db478ed2512ee7012054da262bc50df68f96f0e8156826bb87c354c12b
#   - Binary:
#       - a0aec4ee482600bbadf2aed728c21efba96902f4c02f6f0952c7e0593d081dab (.NET)
#   - Triage:
#     - 2c080f5ece0f86e1554c27d96de325b3e66fdaf3b3c50e1f21e89be330027d2b
#     - 3dc2dfb927491848080cb53a2ff7c632eb1d7b0e61765ac1679ab921cac758cc
#     - 43c6377dfff5a4eace81f84987b6da4d9e4918d0108fba32cd5a98903e80aad2
#     - 50840fbc820980940c82d5e35cf8d92ab97776dcee48db94266f10b97c0b2a1c
#     - 81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1
#     - 8f3fc71499cb9248352f714b7341d8034039933e297188d71359d9409c284517
#     - 97c95ee7b65ea755de9d876d6b89fead7754e0d54ebf397354cd1d2656441aa4 (PlugX)
#     - 97ea837b05cfc44d7eaf7044130f5287f9811f0e9ef6114114dbbbb6a2f8d2af
#     - 9bcb326e62d58efa1432748fae230e127a2ad7af2f39711f34062c4023e41ec9
#     - cd6ccdb98213db3c84cc458adaf1fd52a23c7eaea8b2578b1efeea1be8cf8416
# Notes:
#   - Memory artifacts of .NET sample are almost the same as the artifacts found
#     in triaged samples.
#   - One sample uses a fake certificate referencing ClamAV.

# Gh0st/PlugX beacon: outbound (any port) payload containing the UTF-16LE path fragments
# "\Users\" (5C 00 55 00 73 00 65 00 72 00 73 00 5C 00) followed by "\AppData\" within 150 bytes.
# Unicode Windows paths in clear text to an arbitrary external port are the host-profile artifact this rule keys on.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX user-profile in outbound ephemeral port"; flow:to_server,established; content:"|5C 00 55 00 73 00 65 00 72 00 73 00 5C 00|"; fast_pattern:only; content:"|5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00|"; within:150; metadata:ruleset community; classtype:trojan-activity; sid:8000486; rev:1;)

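# Gh0st/PlugX beacon: outbound payload containing the UTF-16LE path fragment "\Microsoft Vision\"
# (5C 00 4D 00 ... 6E 00 5C), an install-directory artifact of the infected host sent over the network.
# msg fixed: "artificat" -> "artifact" so the alert text reads correctly in console/SIEM output.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX known host infection artifact on network traffic"; flow:to_server,established; content:"|5C 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 56 00 69 00 73 00 69 00 6F 00 6E 00 5C|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:8000487; rev:1;)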

# Inbound command: payload under 30 bytes carrying UTF-16LE "C:\*.*" (43 00 3A 00 5C 00 2A 00 2E 00 2A 00), a directory listing request.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX directory listing inbound command"; flow:to_client,established; dsize:<30; content:"|43 00 3A 00 5C 00 2A 00 2E 00 2A 00|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:8000488; rev:1;)

# Inbound "start" command: 4-byte marker 29 BB 66 E4, then UTF-16LE "start" at least 12 bytes past the marker,
# with nothing after it (isdataat:!1,relative) and a total payload under 30 bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX start inbound command"; flow:to_client,established; dsize:<30; content:"|29 BB 66 E4|"; fast_pattern:only; content:"|73 00 74 00 61 00 72 00 74 00|"; distance:12; isdataat:!1,relative;  metadata:ruleset community; classtype:trojan-activity; sid:8000489; rev:1;)

# Inbound "exit" command: same framing as the "start" rule above (marker, UTF-16LE "exit" at end of payload), dsize under 25.
# NOTE(review): sid 8000590 breaks the 8000486-8000491 run used by the rest of this section; this looks like a typo --
# confirm the intended sid before submission so it does not collide with another rule in the 80005xx range.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX exit listing inbound command"; flow:to_client,established; dsize:<25; content:"|29 BB 66 E4|"; fast_pattern:only; content:"|65 00 78 00 69 00 74 00|"; distance:12; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000590; rev:1;)

# Server heartbeat: exactly 12 bytes, the 29 BB 66 E4 marker followed by eight zero bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX server inbound heartbeat connection"; flow:to_client,established; dsize:12; content:"|29 BB 66 E4 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:8000491; rev:1;)

# --------------------
# Title: The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing)
# Reference: https://threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/
# Tests: pcaps (partial)
# Yara:
#   - MALWARE_JS_SectorA05
#   - MALWARE_Win_Trojan_SectorA05
# ClamAV:
#   - MALWARE_JS.SectorA05
#   - MALWARE_Win.Trojan.SectorA05
# Hashes:
#   - 74d6b81565aeb95ee9df37ef7738d10baa9866261fb894d9ee9d67fc7c66badc (Binary)
#   - 84edc9b828de54d4bd00959fabf583a1392cb4c3eab3498c52818c96dc554b90 (Binary)
#   - c6c332ae1ccb580ac621d3cf667ce9c017be41f8ad04a94c0c0ea37c4789dd14 (Binary)
#   - d62bf83fb5a7b148f326908051b149b77663149d47426ce749e944f7abf5d304 (Binary)
#   - ea1d4ce3f4a9a70670e67d69a36e5e65b314207d4d882a7e4bc26ddfbe6177b9 (Binary)
#   - 38368ada36a1d98bbc55408e26a2219ec60e0e53c8d34d67fd010af574f84e5a (JS)
#   - 95f1a84103f789d1ae749a3f8a384a29b39d6766e8a13d450b6553c39aba4fd7 (JS)
#   - d992c84902992867a6dfc9caf4d80f211d4d7a7d3e9e043691768bb6d73b4987 (JS)
# Notes:
#   - The "serverurl" is extracted from the dropped DLL.
#   - SID 8000477 addresses "2.wsf".
#   - SID 8000478 addresses "3.wsf".
#   - Remaining SIDs address the DLL.

# SectorA05 check-in: short URI (<50) of the form /board.php?v=<a|b|c|e|f>; the pcre pins the first character of the v= value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; urilen:<50; content:"/board.php?v="; fast_pattern:only; http_uri; pcre:"/\/board\.php\x3fv=[abcef]/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000492; rev:1;)

# SectorA05 check-in variant: /board.php?m= with a v= parameter somewhere later in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:"/board.php?m="; fast_pattern:only; http_uri; content:"v="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000493; rev:1;)

# Script-stage (.wsf) beacon: /ping.php with word= and note= query parameters, all case-insensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:"/ping.php"; nocase; fast_pattern:only; http_uri; content:"word="; nocase; http_uri; content:"note="; nocase; http_uri;  metadata:ruleset community, service http; classtype:trojan-activity; sid:8000494; rev:1;)

# Payload retrieval: any .php endpoint with a file=Cobra_ parameter in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:".php?file=Cobra_"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000495; rev:1;)

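# SectorA05 tasking: an HTTP 200 response whose body (file_data) carries "cmd|dir " -- a directory search
# command the server hands to the bot.
# Fixed flow direction: the header ($HTTP_PORTS -> $HOME_NET), http_stat_code and file_data all describe the
# server's response, which is to_client traffic; with flow:to_server the rule could not match that response.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.SectorA05 inbound directory search command"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"cmd|7C|dir "; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000496; rev:1;)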

# DLL-stage beacon: short URI (<50) beginning /indox.php?v= (note the "indox" spelling is the sample's, not a typo in the rule).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; urilen:<50; content:"/indox.php?v="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000497; rev:1;)

# --------------------
# Title:
#   - Threats posed by using RATs in ICS
#   - Attacks on industrial enterprises using RMS and TeamViewer
# Reference:
#   - https://ics-cert.kaspersky.com/media/KL_RAT_ICS_ENG.pdf
#   - https://ics-cert.kaspersky.com/media/TV_RMS_PHISHING_EN.pdf
# Tests: pcaps (partial)
# Yara:
#   - MALWARE_Win_Trojan_Delph_Keylogger
# ClamAV:
#   - MALWARE_Win.Trojan.Delph-Keylogger
# Hashes:
#   - Delph Keylogger
#     - 4b2860f6f66c3d0aaa9c907bffe9ccf9103c31d23bfc022f2ed6ce6c13a49a41
#     - e93cc654eb2b17bbd4b760e27d45fc0078c0a8f9b7be6b7a2c11cc78114f31aa
# Notes:
#   - The destination port for the Delph keylogger has been consistent
#     across samples, but it may not be a good idea to hardcode it.

# Delph keylogger C2 -> bot: "SETDELAY " terminated by CRLF at the end of a payload shorter than 16 bytes.
# Source port 33033 is hard-coded from the observed samples (see the section notes); a port change in a new
# build will silently bypass this rule, so consider "any" with the content checks carrying the match.
alert tcp $EXTERNAL_NET 33033 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Delph Keylogger variant inbound connection attempt"; flow:to_client,established; dsize:<16; content:"SETDELAY "; fast_pattern:only; content:"|0D 0A|"; distance:0; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000498; rev:1;)

# Delph keylogger C2 -> bot: payload under 30 bytes starting "0808", ending "3F" + CRLF within 24 bytes,
# and containing a 26-character [0-9A-Z] token before the CRLF. Same hard-coded source port caveat as above.
alert tcp $EXTERNAL_NET 33033 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Delph Keylogger variant inbound connection attempt"; flow:to_client,established; dsize:<30; content:"0808"; depth:4; content:"3F|0D 0A|"; within:24; isdataat:!1,relative; pcre:"/[0-9A-Z]{26}\x0d\x0a/"; metadata:ruleset community; classtype:trojan-activity; sid:8000499; rev:1;)

# Babylon RAT keepalive: exactly 4 bytes with 0xFF at offsets 1 and 3 (?? FF ?? FF) to a port >= 5000.
# The pattern is only two fixed bytes, so detection_filter requires 10 such packets from one source in 60 s
# before alerting; expect this to be the noisiest rule in the set and tune the threshold per environment.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5000: (msg:"MALWARE-CNC Win.Trojan.Babylon RAT variant outbound connection"; flow:to_server,established; dsize:4; content:"|FF|"; offset:1; depth:1; content:"|FF|"; distance:1; isdataat:!1,relative; detection_filter:track by_src, count 10, seconds 60; metadata:ruleset community; classtype:trojan-activity; sid:8000500; rev:2;)

# RemoteUtilities (legitimate RAT, policy rule): client -> server XML message "<rman_message version=" with <code>1</code>.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_server,established; content:"<rman_message version="; fast_pattern:only; content:"<code>1</code>"; metadata:ruleset community; classtype:policy-violation; sid:8000501; rev:1;)

# RemoteUtilities server -> client: same XML envelope with <code>3</code> and a closing </rman_message> after it.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_client,established; content:"<rman_message version="; fast_pattern:only; content:"<code>3</code>"; content:"</rman_message>"; distance:0; metadata:ruleset community; classtype:policy-violation; sid:8000502; rev:1;)

# Imminent Monitor client -> server: fixed 10-byte handshake 06 00 00 00 81 13 14 6E 5B 69.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:8000503; rev:1;)

# Imminent Monitor server -> client: 48-byte reply starting 2C 00 00 00 02 00 00 00 01 with "$" two bytes after that prefix.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01|"; fast_pattern:only; content:"$"; distance:2; metadata:ruleset community; classtype:policy-violation; sid:8000504; rev:1;)

# --------------------
# Title: Analyzing a new stealer written in Golang
# Reference: https://blog.malwarebytes.com/threat-analysis/2019/01/analyzing-new-stealer-written-golang/
# Tests: pcaps
# Yara:
#   - MALWARE_Win_CryptoStealer_Go
#   - INDICATOR_Binary_Many_Browser_Paths
#   - INDICATOR_Binary_Many_Wallet_Paths
# ClamAV:
#   - MALWARE_Win.CryptoStealer.Go
#   - INDICATOR_Win_Binary_Many_Browser_Paths
#   - INDICATOR_Win_Binary_Many_Wallet_Paths
#   - INDICATOR_Osx_Binary_Many_Browser_Paths
#   - INDICATOR_Osx_Binary_Many_Wallet_Paths
# Hashes:
#   - 0bf24e0bc69f310c0119fc199c8938773cdede9d1ca6ba7ac7fea5c863e0f099
#   - 165d016d764e1bdfe74acfe5c5f8aa5980e4ac0497a4b9794fbb35822c059749
#   - 76049221cfe4beb74f12655bad6cbc42a607bc3d5977a5b8bd76df0de4286614
#   - c2044e4246a58410dd96300bd2072a8d22c588beb4ad093018c0d33f240dbabd

# Go stealer exfil: URI exactly 12 chars (so "/landing.php" with no query string), multipart/form-data POST,
# and a User-Agent starting with "G" (Go's default client UA is the likely source -- confirm against the pcaps).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoStealer variant outbound connection"; flow:to_server,established; urilen:12; content:"/landing.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B|"; http_header; content:"User-Agent: G"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000505; rev:1;)

# Go stealer screenshot/file upload: URI exactly 15 chars ("/uploadfpeg.php"), same multipart + "User-Agent: G" checks.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoStealer variant outbound connection"; flow:to_server,established; urilen:15; content:"/uploadfpeg.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B|"; http_header; content:"User-Agent: G"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000506; rev:1;)

# Generic indicator: a multipart POST whose part header names the uploaded file by its full user-profile path
# (filename="C:\\Users\ with escaped backslashes). Legitimate uploads normally send a bare file name.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE user profile path in filename upload detected"; flow:to_server,established; content:"|3B| filename=|22|C:|5C 5C|Users|5C 5C|"; nocase; fast_pattern:only; http_client_body; content:"POST"; http_method; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000507; rev:1;)

# --------------------
# Title: Win.Trojan.Fsysna/Fakewmi
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_Fakewmi
#   - INDICATOR_Win_Binary_Many_Builtin_Commands
#   - INDICATOR_Win_Binary_Many_Builtin_Executables
#   - INDICATOR_Win_Binary_Process_Name_Manipulation
#   - INDICATOR_Win_Binary_HTTP_Query_Strings
# ClamAV:
#   - MALWARE_Win.Trojan.Fakewmi
#   - INDICATOR_Win_Binary_Many_Builtin_Commands
#   - INDICATOR_Win_Binary_Many_Builtin_Executables
#   - INDICATOR_Win_Binary_Process_Name_Manipulation
#   - INDICATOR_Win_Binary_HTTP_Query_Strings
# Hashes:
#   - bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc

# Fakewmi host registration: a .png URI carrying ID=, MAC=, OS= and BIT= query parameters (host fingerprint disguised as an image request).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt"; flow:to_server,established; content:".png?ID="; fast_pattern:only; http_uri; content:"&MAC="; http_uri; content:"&OS="; http_uri; content:"&BIT="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000508; rev:1;)

# Fakewmi task poll: ".exez?ID=" URI with GUID= and _T= parameters; the odd ".exez" extension is the fast-pattern anchor.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt"; flow:to_server,established; content:".exez?ID="; fast_pattern:only; http_uri; content:"&GUID="; http_uri; content:"&_T="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000509; rev:1;)

# --------------------
# Title: Win.Trojan.FormBook
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Doc_OOXML_Dropper_Ole_RemoteTemplate
#   - MALWARE_RTF_Equation_BITSAdmin_Downloader
#   - MALWARE_RTF_Equation_PowerShell_Downloader
#   - MALWARE_RTF_Excel_URLDownloadToFile
# ClamAV:
#   - MALWARE_Doc.OOXML.Dropper.Ole-RemoteTemplate
#   - MALWARE_RTF_Equation_BITSAdmin_Downloader
#   - MALWARE_RTF_Equation_PowerShell_Downloader
#   - MALWARE_RTF_Excel_URLDownloadToFile
# Hashes:
#   - Stage 1 - Infection Vector | OOXML OLE Remote Template:
#       - 8f0ecc502cfdfb9837454780c84c655afba8fda2c7958ccd692d7ea26ee77614
#   - Stage 2 - Dropper | RTF Equation + BITSAdmin
#       - 055d5b1fb482131511eff925ac9d02cd1e6c8a0cd700fcbcb61b31d9cd55e7f0
#       - 2da9452c712af4ba9a05520b5794677e2c23ccebbc494695dfde00434b345f48
#       - 9a81cac30204b0282822cc2cacb104af0124b12356e0dccf012ed591ba46a11c
#   - Stage 3 - Binary:
#       - 1af2cca9a11ed769d8f8dbcec9781ae51b09ba8913ab39435b0cd181471dca8e
#       - 265e1f8116d36db0ff1e3fe9b4c02fec24c6214a64200742de5b1cf00edf80c9
#       - 2c63b771b02ed30125c322c7d3ce20814427f59901f676d2da5b0ab337ad7fcc
#       - 61927b53f39c5e64a47b18b2a9b46d7b7b91d718f28e1a62cad76bbe7cf48374
#       - 81de431987304676134138705fc1c21188ad7f27edf6b77a6551aa693194485e
#       - e071ef17536726ce1f71b8b31e850ae13e25f822ecb0f3af55b17bca0a02d207
#       - fa8acd9d8beb7e4e91665be1879a2e4e018f6e79e42f4299d4c4273c4b8bfc82
# Notes:
#   - The infection vector dropped 1 file, but the server is an open directory (screenshots attached):
#       - Second Stage > hxxps://amigosforever[.]net/d/
#       - Third Stage  > hxxps://amigosforever[.]net/j/
#   - Persistence:
#       HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9REX1NGPHZ > C:\Program Files (x86)\e_0qlbpy\zhqlg470gralan.exe
#   - FormBook C&C Domains:
#       www[.]agitatrice-de-bien-etre[.]com, www[.]bwijbb[.]info, www[.]clanografica[.]com
#       www[.]dentalexcellencelosaltos[.]com, www[.]fazchin[.]com, www[.]franksautossales[.]com
#       www[.]hopirates[.]com, www[.]mygermancars[.]net, www[.]northcapital-holding[.]com
#       www[.]npmxwj[.]com, www[.]oorrq[.]com, www[.]rootbet99[.]com, www[.]runningmanual[.]site
#       www[.]talariviera[.]com, www[.]virgycanta[.]com, www[.]witchyaudrey[.]com
#   - The SID below is a modified revision of SID 8000225 submitted in "Multiple signatures 008".

# FormBook C2 POST (rev 2 of 8000225): URI shorter than 6 chars matching /<2-3 alnum>/, a fixed header
# ordering (Connection: close, Content-Length, Cache-Control: no-cache, Origin, form-urlencoded, Accept: */*, Referer)
# and an "=" within the first 10 bytes of the body. The header sequence is the discriminator; the URI alone is too generic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound connection"; flow:to_server,established; urilen:<6; content:"Connection: close|0D 0A|Content-Length:"; http_header; content:"Cache-Control: no-cache|0D 0A|Origin:"; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Accept: */*|0D 0A|Referer:"; http_header; content:"POST"; http_method; content:"="; depth:10; http_client_body; pcre:"/\/[a-z0-9]{2,3}\//U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000225; rev:2;)

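# RTF delivered over file-data ports (HTTP/IMAP/POP3/FTP-data) that embeds an OLE object whose hex-encoded class id is
# 0200000002CE020000000000C000000000000046 (the Equation object the Yara/ClamAV names in this section refer to)
# together with the hex-encoded string "bitsadmin" (62 69 74 73 61 64 6d 69 6e). Both strings are matched case-insensitively
# because RTF hex data may use either case. Requires the rtf/doc file-type flowbit to already be set.
# msg prefix corrected from "INDICATE-COMPROMISE" to "INDICATOR-COMPROMISE" to match the other indicator rules
# in this submission (sids 8000507 and 8000512) and the community category naming.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE RTF document with Equation and BITSAdmin download attempt"; flow:to_client,established; flowbits:isset,filt.rtf|file.doc; file_data; content:"0200000002CE020000000000C000000000000046"; nocase; content:"6269747361646d696e"; nocase; metadata:ruleset community, service http, service imap, service pop3, service ftp-data; classtype:trojan-activity; sid:8000510; rev:1;)

# Same Equation-object + "bitsadmin" content checks as sid 8000510, for the inbound SMTP (port 25) delivery path.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE RTF document with Equation and BITSAdmin download attempt"; flow:to_server,established; flowbits:isset,filt.rtf|file.doc; file_data; content:"0200000002CE020000000000C000000000000046"; nocase; content:"6269747361646d696e"; nocase; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000511; rev:1;)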

# --------------------
# Title: Actor with Multiple Simultaneous Open Directories Serving Various Stealers (HawkEye, LokiBot, AgentTesla, Azorult)
# Reference: Research
# Tests: pcaps (partial)
# Yara:
#   - MALWARE_Multi_Stealer_MultiDelph_Packed
#   - MALWARE_Win_Trojan_MSIL_Noon
# ClamAV:
#   - MALWARE_Win.Trojan.Stealer_MultiDelph_Packed
#   - MALWARE_Win.Trojan.MSIL.Noon
#   - MALWARE_Win.Trojan.AutoIt
#   - MALWARE_Doc.Trojan.Downloader
#   - MALWARE_Ppt.Trojan.Downloader
#   - MALWARE_Xls.Trojan.Downloader
# Hashes:
#   - 014e48b69c3003c7188390f75b3fcd79169e6d5d54c89b4cb83af53869613f27
#   - 096630ca2c67980b2c5d817ba56580182a4c2bceff0eb3970910958ff7d4fec8
#   - 0a1073036b3d35f6d5cca0010d3843cdbf38fe1dda19a63c4ec7d9a17922386d
#   - 0bc9f1ef7d24816470ebbf7aec56722bc66e5405b70832b4673f3bc45cff698f
#   - 0ccf76c40e714e71250d7e5b052f1d8d1d1e38ee0623bf842331298d29b05cb1
#   - 0f6cd00d5306c35b440e1e847ffce603006ad75982e689a6d6d228691b497254
#   - 15d92ddc442d27fc72d05cccbaa0084b9eb3582d373f8386699a3389724589ec
#   - 1d071c8d02c8c1adab197410ec609b49b836e60692c455bc660427943fa312fb
#   - 1fd0474ceb61363dd8b94f299cf87893767836ac8d4c82044c9b8197e28ff043
#   - 20846330e8957182600f7219540c7f668e8239f3d86112bb13737ecc8198731b
#   - 23e6b656eb1e813398eec29af7a76d5715240b82704d1f96bc1406d6db0ffcd0
#   - 2827535996a28b5005cf7f13ef81003871e1814609f7b498582707dc389ea527
#   - 29a3be38886cbc28db3e08943a3759362fdaec9ecb7a7c8b2fc71dd29189737e
#   - 2cc89e26fa8fdbd6af7773f8cea5b50bdf0f7e2422e5ed5008906e0e45145ab4
#   - 2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd
#   - 31c035334fcd276781c9bbd088c9fcae99d391b5cb423c32aa4d65c70a4a5d88
#   - 3c76fa16ca5a191ac27a710e92003cd125cb3639f1999e8ee2de5e3cf75712d5
#   - 42a281359126f49201d73851df765a84cf21d8c965f14fd26326803e42a30070
#   - 4466e54073701ed691015a5f8b6dc0c951c2442db9d9663fa16ded2edd5256cc
#   - 495a0283ee5183198e4e9d6769bf885d4696121d361ab63046b7cfcfa63a4bdc
#   - 49a59b2d47bc1b7fb0da264206d8367ee11ad044b3a58cb3df06e5a4a1557ece
#   - 567efd7abb99428737d22bf3f8cee9d23a540b4e1565938b557eec54078b8a31
#   - 5691a24d176090bc059f91f3d05d2e9e39ee071652b4c41dd85ffb8961cb8b03
#   - 56ac3350eb5e17ea5fb0a3018db0b6cfd3ae40dba2b12c1c8e70ca7ef407b38d
#   - 56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203
#   - 5abc3ec7dce72f410acab0ee1d328e7ef331249aff10a848a0365ee3ea405718
#   - 5c678b4b224d55e579639d5cfe5562372f0cfe79b881a42b4cadbb9645efa59e
#   - 636ddf46c3ef949817040a66397c9053a79dede5d2946ffdd44e7590ae18f5da
#   - 6548f22803cdce01bc4bbce12f43c5b4efd5a9f1691d34da619bff9b511dde8a
#   - 81c4fd4b1c1dd0bf1f5216be3c751ae2c849e66f30b7c3b574d9e1487f8fba69
#   - 82bdf3f3845311435073e4d00934b3baff8757e4e5743d329e2a73384183ebcf
#   - 8450a4627ee9ba1802f6924ba4ee7d29db054cbb9eb7c384712a58eb1841194f
#   - 85b903fbdf214c3e94e0ac050576c5841c3531e5f19cab82395a33ed3238c086
#   - 86778ce7fe952303bd64770616e46c029597d7a3c86b40621abbed42fe3be6c5
#   - 89ce88527a2c2b0cca668c7f9ea280af84a88b2143e21bda16c294ab4fa87d8c
#   - 8b615b5d41f1a73203775c8d6f5895c199e3998ddeb7ec2a2870fb32e90cf8c9
#   - 9708e849f02eaee5ba860592eaa12f00337e21ef9f41b266ef928c689a0ab127
#   - 990b2a5d79fdf25c7fee7092d8ee3959e2d93a9a598074672c8e67b59ddf24a3
#   - 9f9e74241d59eccfe7040bfdcbbceacb374eda397cc53a4197b59e4f6f380a91
#   - a3d665070c66cd0a5121c90f79f070c382de620a3e1f600dceccfee7481e3dee
#   - b3b71d13579f638175176e19fd2f0527c2eaa7d1a0ee690b028a9bdc5e871066
#   - b9de0b5c0f9b8504746ae1507a279848dcaaf3bcbde18d6ae3452e9921efed9c
#   - be01445f952809da6b3bac391dd8809a2ec07f21dd878067f6bb959de6a86351
#   - bf8fe5e29fb3c0fef227cb42ce00d38fc209bed8fa690f1cb14de7db21a8ce8b
#   - c03a388ea39b55c24ff667e89ef272fcab08a54b6a5999aa2a4a3998bd2b0470
#   - c31ef80d97b91a6f75401ce75661e58514b1bb5204542fd8154d25b92d29f37d
#   - c35974b9d587111b1bbe91d32d8b13e438079cba1385d25bb3f6ffbe3e978360
#   - c4f9b7e53ba61e6f310eaae7a6fe9a700701ee9b8fec7e895b652204ec1b2a7f
#   - c9a740dd8cf801c28528e7e6287200a58ec221b4b463a321664af2669f0ac2a7
#   - cf250c3b48f7699f6e00912aa406f51aaa454046dc5543935b44db4118d6b708
#   - dd640176aadf95178a51134dfb4469d0549532655c0ad2411c70d669673fb8bb
#   - e0da13bfc4510bffd4d1aab08ae82b0ab0b479d99825f7f3ba6218728f4ffdc0
#   - ea42a3218faaa1e429836175b1576b5e0e7a6f3e07196e9e3f484c886767f4d1
#   - eb0ee0b7fadf4412722cfb13a5117fc058ae51c97b75def4b2410d04fd97ed73
#   - f03ec0d5c808f49fcef8f1434ddc841baadef05439a8d3822c76724eb55ec15a
#   - f22336463d8824d0e375ba096ce7de6f91a832ccec81515cc92b1b6c57d445bc
#   - f4e731753d975ff1ba7b0e569342dd3afe45c0bc6ae5051d6dd49b53dcb5bdff
#   - f65593ab488145bea5a46756b85168e7b51e38463863a44e34030b8901d95e4d
# Notes:
#   - All open directories are hosted on: 23[.]94[.]188[.]246
#   - "Panel.rar" appears to be the "HawkEye Keylogger - Reborn v9" panel.
#   - Current active open directories (screenshots attached):
#     - jessecloudserver[.]xyz/q
#     - jesseworld[.]eu
#     - kings[.]jesseworld[.]eu
#     - interbizservices[.]eu/images
#     - modcloudserver[.]eu
#     - modexcommunications[.]eu
#     - sylvaclouds[.]eu

# Public-IP lookup via bot.whatismyipaddress.com, a host the stealers in this set use before exfil. Legitimate scripts
# also use it, hence classtype misc-activity rather than trojan-activity; treat as a pivot, not a verdict.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to bot.whatismyipaddress.com"; flow:to_server,established; content:"Host: bot.whatismyipaddress.com"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:8000512; rev:1;)

# AgentTesla SMTP exfil on the submission port (587): a Subject header whose value contains " Recovered Accounts"
# within 150 bytes of the CRLF+"Subject: " anchor. Only catches the clear-text (non-STARTTLS) case.
alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla variant outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:" Recovered Accounts"; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000513; rev:1;)

# --------------------
# Title: Triout Android Spyware Framework Makes a Comeback, Abusing App with 50 Million Downloads
# Reference:
#   - https://labs.bitdefender.com/2019/02/triout-android-spyware-framework-makes-a-comeback-abusing-app-with-50-million-downloads/
#   - https://labs.bitdefender.com/wp-content/uploads/downloads/triout-the-malware-framework-for-android-that-packs-potent-spyware-capabilities/
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes:
#   - 3a3640b6d395f6b48239e38d874bfcf3d31f1d4886edec974c20c01448a96fa3
# Notes: These were sent before but we did not have a hash or pcaps.

# Triout/ViceLeaker call-record upload: call3.php URI with pid= and &callid= in the POST body.
# NOTE(review): unlike the sibling rules this URI content has no leading "/", so it also matches e.g. "xcall3.php";
# probably harmless, but adding the slash would make it consistent with sids 8000283-8000287.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - Call Records"; flow:to_server,established; content:"call3.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&callid="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000282; rev:2;)

# SMS upload: /script3.php with pid=, &smsbody= and &smssender= body fields.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - SMS Records"; flow:to_server,established; content:"/script3.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&smsbody="; http_client_body; content:"&smssender="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000283; rev:2;)

# Call-log upload: /calllog.php with pid=, &callname=, &callnum= and &calldate= body fields.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - Call Log"; flow:to_server,established; content:"/calllog.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&callname="; http_client_body; content:"&callnum="; http_client_body; content:"&calldate="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000284; rev:2;)

# Camera capture upload: multipart POST to /uppc.php with a part named "uploaded_file".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - Camera Capture"; flow:to_server,established; content:"/uppc.php"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|uploaded_file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000285; rev:2;)

# Call recording upload: same multipart "uploaded_file" part, posted to /upcal.php.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - Call Logs"; flow:to_server,established; content:"/upcal.php"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|uploaded_file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000286; rev:2;)

# GPS upload: /gps3.php with pid=, &lat= and &long= body fields.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - GPS"; flow:to_server,established; content:"/gps3.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&lat="; http_client_body; content:"&long="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000287; rev:2;)

# --------------------
# Title: Threat Actor “Magecart”: Coming to an eCommerce Store Near You
# Reference: https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/
# Tests: NA
# Yara: NA
# ClamAV: NA
# Hashes: NA
# Notes: Not sure if this is "good" detection, too many assumptions.

# Magecart plugin probing (sids 8000514-8000533): each rule is the same shape -- an inbound POST to one
# e-commerce extension path, a "dl=" parameter in the URI, and no Referer header (content:!"Referer").
# The missing Referer is the only behavioural discriminator, so a scripted but legitimate client can trigger
# these; as the author notes, treat them as reconnaissance hints and correlate across several sids per source.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/rewards/customer_notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000514; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/appointment/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000515; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/AvisVerifies/dialog/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000516; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/pdffree/Product/pdfsave/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000517; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/ajax/Showroom/submit/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000518; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/netgocust/Gwishlist/updategwishlist/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000519; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/CustomGrid/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000520; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/simplebundle/Cart/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000521; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/layaway/view/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000522; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/multidealpro/index/edit/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000523; rev:1;)

# NOTE(review): sid 800024 is six digits, one short of every other sid in this section (8000523 above, 8000525 below);
# almost certainly a dropped digit -- confirm the intended sid before submission, since 800024 sits in a different
# sid range and may collide with an existing rule there.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/vendors/credit/withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:800024; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/customgrid/Blcg_Column_Renderer_index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000525; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/tabshome/index/ajax/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000526; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/customgrid/Blcg/Column/Renderer/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000527; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/customgrid/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000528; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/aheadmetrics/auth/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000529; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/gwishlist/Gwishlist/updategwishlist/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000530; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/vendors/credit_withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000531; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/vendors/withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000532; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/emaildirect/abandoned/restore/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000533; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/rewards/notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000534; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/bssreorderproduct/list/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000535; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/advancedreports/chart/tunnel/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000536; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/minifilterproducts/index/ajax/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000537; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/ajaxproducts/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000538; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/qquoteadv/download/downloadCustomOption/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000539; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/freegift/cart/gurlgift/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000540; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/madecache/varnish/esi/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000541; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/rewards/customer/notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000542; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/prescription/Prescription/amendQuoteItemQty/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000543; rev:1;)