[Emerging-Sigs] Downloader.Win32.op17

Travis Green tgreen at emergingthreats.net
Fri Dec 15 12:59:29 HST 2017


Thanks! We'll get these in QA.

-Travis

On Fri, Dec 15, 2017 at 9:56 AM, Attack Detection <
attackdetectionteam at gmail.com> wrote:

> Hi.
>     Signature for detecting connections to C2. Infrastructure for sending
> malicious payload to victim.
> I will give several links:
> https://threatcrowd.org/domain.php?domain=v1.eakalra.ru
> http://www.freebuf.com/articles/terminal/153428.html
>
> Pcaps(36):  https://www.dropbox.com/sh/6tueeu7vo1o205s/
> AABhgsH9BVbmBVcZWbou1nBpa?dl=0
>
> alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"[PT MALWARE] Downloader.Win32.op17 Response TCP"; flow:established,to_client; dsize:517; content:"|45362718|"; depth:4; classtype:trojan-activity; metadata:autosign, id_278116, created_at 2017_7_14; sid:10001127; rev:3;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"[PT MALWARE] Downloader.Win32.op17 Request TCP"; flow:established,to_server; dsize:170; content:"|453627180820|"; depth:6; classtype:trojan-activity; metadata:autosign, id_302156, created_at 2017_7_14; sid:10001126; rev:3;)
>
> Best regards,
> John.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
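The two rules quoted above rely on three payload-level checks: the flow direction, an exact payload size (`dsize`), and a byte marker that must sit entirely within the first `depth` bytes (`content` + `depth`). The following Python is an added illustration, not code from the list post or from Emerging Threats/Suricata, that re-implements just those checks so the rule logic can be exercised offline against constructed sample payloads. It models only direction, `dsize`, `content` and `depth`; the port negation (`!$HTTP_PORTS`) and `flow:established` are left to the IDS. The sample payloads and the `PayloadRule`/`match_rules` names are assumptions made for this example.

```python
"""Offline re-implementation of the payload checks in the two
Downloader.Win32.op17 rules (sid 10001126 / 10001127).

This is an added example, not Suricata/Snort code: it models only
direction, dsize, content and depth so the matching logic can be tested
against constructed sample payloads."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PayloadRule:
    sid: int
    msg: str
    direction: str   # "to_server" or "to_client", as in the rule's flow keyword
    dsize: int       # exact payload length required by dsize:<n>
    content: bytes   # marker bytes from the content:"|..|" keyword
    depth: int       # marker must lie entirely within the first `depth` bytes


# Values transcribed from the two rules in the post.
RULES = (
    PayloadRule(10001127, "Downloader.Win32.op17 Response TCP",
                "to_client", 517, bytes.fromhex("45362718"), 4),
    PayloadRule(10001126, "Downloader.Win32.op17 Request TCP",
                "to_server", 170, bytes.fromhex("453627180820"), 6),
)


def content_matches(payload: bytes, content: bytes, depth: int) -> bool:
    """content+depth: the marker must start and end inside the first `depth` bytes."""
    return payload[:depth].find(content) != -1


def rule_matches(rule: PayloadRule, payload: bytes, direction: str) -> bool:
    """All three conditions must hold, mirroring the AND semantics of rule options."""
    return (direction == rule.direction
            and len(payload) == rule.dsize          # dsize is an exact match
            and content_matches(payload, rule.content, rule.depth))


def match_rules(payload: bytes, direction: str) -> list[int]:
    """Return the sids of every rule that fires on this payload/direction."""
    return [r.sid for r in RULES if rule_matches(r, payload, direction)]


# Constructed sample payloads (assumption: marker followed by zero padding to
# the exact dsize). Real C2 traffic is not reproduced here.
SAMPLE_REQUEST = bytes.fromhex("453627180820") + b"\x00" * 164    # 170 bytes
SAMPLE_RESPONSE = bytes.fromhex("45362718") + b"\x00" * 513       # 517 bytes


if __name__ == "__main__":
    # Expected: request fires 10001126, response fires 10001127.
    print("request  ->", match_rules(SAMPLE_REQUEST, "to_server"))
    print("response ->", match_rules(SAMPLE_RESPONSE, "to_client"))
    # Same response bytes but one byte longer: dsize mismatch, nothing fires.
    print("response+1 ->", match_rules(SAMPLE_RESPONSE + b"\x00", "to_client"))
```

Two points the sample runs make visible: the response marker `45 36 27 18` is also a prefix of the request marker, so the two rules are kept apart by direction and by the exact `dsize`, not by the bytes alone; and because `depth` bounds the whole match, shifting the marker by even one byte (for example a one-byte prefix) makes the rule miss, so any re-tuning of these signatures should be validated against the pcaps the poster linked rather than against the marker alone.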