[Emerging-Sigs] Trojan.Downloader

Attack Detection attackdetectionteam at gmail.com
Tue Jan 16 08:55:58 HST 2018


Hi, interesting downloader found.
    An obfuscated VBA stager that includes the code of a binary-file HTTP
downloader; it is also equipped with a function for detecting virtual machines,
and many other interesting things. See the pastebin link.

Signatures:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Trojan.Downloader VBA Script obfuscation (binary_getter)"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"(Chr((((asc(Mid("; depth:300; content:",1,1))-65))*25+(asc(Mid("; within:100; content:",2,1))-65)-"; within:100; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; metadata:id_421251, created_at 2017_12_22; sid:10002341; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Trojan.Downloader UserAgent (binary_getter)"; flow:established,to_server; content:"User-Agent: binary_getter"; http_header; classtype:trojan-activity; metadata:id_291409, created_at 2017_12_22; sid:10002342; rev:1;)


Links:
VBA binary_getter/1.0 source code:
http://www.808.dk/?code-binarywinhttprequest
Python decoder script: https://pastebin.com/1pLniq0A
Downloader VBA script: https://pastebin.com/WkRrfEL4
PCAPs:
https://www.dropbox.com/sh/qtjhvff9hauicg3/AAC-s6PcmCx6qlGUxMCmVv67a?dl=0

Best regards,
John.
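The following is an added example, not code from the post, the pastebin decoder, or PTsecurity. It reproduces the letter-pair decode expression that sid 10002341 keys on, and applies both rules' content/depth/within chains to constructed sample traffic (not taken from the PCAPs). The subtracted constant after the trailing "-" in the rule is not on the page, so OFFSET = 0 is an assumption; the module name, request line, and User-Agent string "binary_getter/1.0" are likewise made up for the fixture.

```python
# Added example: decode/encode the letter-pair obfuscation the rule matches on,
# and emulate the two signatures over constructed HTTP data.

# The VBA decode expression the first rule's contents are cut from:
#     Chr((((asc(Mid(p,1,1))-65))*25+(asc(Mid(p,2,1))-65)-OFFSET)
# Each payload byte travels as two capital letters. The rule's last content
# stops at the "-", so OFFSET is not known from the page; 0 is an assumption.
OFFSET = 0


def vba_pair_decode(pair: str, offset: int = OFFSET) -> str:
    """Recover one byte from a two-letter pair exactly as the VBA expression does."""
    hi, lo = ord(pair[0]) - 65, ord(pair[1]) - 65
    return chr(hi * 25 + lo - offset)


def decode_payload(encoded: str, offset: int = OFFSET) -> str:
    """Decode a whole string of letter pairs."""
    if len(encoded) % 2:
        raise ValueError("encoded text must be an even number of letters")
    return "".join(vba_pair_decode(encoded[i:i + 2], offset)
                   for i in range(0, len(encoded), 2))


def encode_payload(text: str, offset: int = OFFSET) -> str:
    """Inverse of decode_payload; handy for building fixtures and test strings."""
    out = []
    for ch in text:
        hi, lo = divmod(ord(ch) + offset, 25)   # base-25 digits, then shift into A..
        out.append(chr(65 + hi) + chr(65 + lo))
    return "".join(out)


# Content matches of sid 10002341 in rule order with their positional modifiers.
#   depth:N  -> match must end within the first N bytes of file_data
#   within:N -> match must end within N bytes after the previous match ends
OBFUSCATION_CONTENTS = [
    (b"(Chr((((asc(Mid(", "depth", 300),
    (b",1,1))-65))*25+(asc(Mid(", "within", 100),
    (b",2,1))-65)-", "within", 100),
]


def vba_obfuscation_rule_matches(file_data: bytes) -> bool:
    """Apply the ordered content chain of sid 10002341 to an HTTP response body."""
    cursor = 0  # end offset of the previous content match
    for needle, modifier, n in OBFUSCATION_CONTENTS:
        end = n if modifier == "depth" else cursor + n
        idx = file_data.find(needle, cursor, end)  # match must lie fully inside [cursor, end)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


def user_agent_rule_matches(request: bytes) -> bool:
    """sid 10002342: the literal 'User-Agent: binary_getter' inside the request headers."""
    headers = request.split(b"\r\n\r\n", 1)[0]
    return b"User-Agent: binary_getter" in headers


# Constructed samples (not from the post's PCAPs): a 200 response body carrying
# a VBA module written with the decode expression, a benign module, and the
# downloader's request.
SAMPLE_VBA_BODY = (
    b"Attribute VB_Name = \"Module1\"\r\n"
    b"Function dd(p As String) As String\r\n"
    b"    dd = (Chr((((asc(Mid(p,1,1))-65))*25+(asc(Mid(p,2,1))-65)-0))\r\n"
    b"End Function\r\n"
)
BENIGN_VBA_BODY = b"Sub Main()\r\n    MsgBox Chr(65)\r\nEnd Sub\r\n"
SAMPLE_REQUEST = (
    b"GET /payload.exe HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: binary_getter/1.0\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    url = "http://example.invalid/payload.exe"
    blob = encode_payload(url)
    print(blob, "->", decode_payload(blob))
    print("sid 10002341 on sample body:", vba_obfuscation_rule_matches(SAMPLE_VBA_BODY))
    print("sid 10002341 on benign body:", vba_obfuscation_rule_matches(BENIGN_VBA_BODY))
    print("sid 10002342 on sample request:", user_agent_rule_matches(SAMPLE_REQUEST))
```

Note that neither rule carries `nocase`, so the emulation above is case-sensitive just as the rules are: a script that spells the same expression as `Asc(Mid(` or `CHR(` (VBA itself does not care about case) would not trigger sid 10002341, and a User-Agent with different capitalisation would not trigger sid 10002342.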