[Emerging-Sigs] Gozi/Ursnif Payload

Attack Detection attackdetectionteam at gmail.com
Wed Jan 17 03:04:21 HST 2018


Hi, a new payload for Ursnif/Gozi.
We previously published a rule with sid 2024533 for the process clfs10_1.exe;
now there is a new payload for the process adprtext.exe.

# PTsecurity local id for this rule: sid:10002429; rev:1 (a Suricata rule may carry only one sid/rev pair, so the ET sid/rev is kept in the rule itself)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Gozi/Ursnif Payload v14"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|d9 2c c6 af f6 26 56 bb 73 f5 c4 68 0f 90 d9 d4|"; depth:16; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024533; rev:2; metadata:former_category TROJAN, affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_05, malware_family ursnif, malware_family Gozi, performance_impact Moderate, updated_at 2017_12_05;)

Links:
PCAPs:
https://www.dropbox.com/sh/bh79we9udyohvwa/AAC0qntElOaZLt7vxp9o9BrFa?dl=0
Analysis:
https://www.hybrid-analysis.com/sample/a8422804bb5fc7ab3479a7570d331e14447334b7c9e0b5bc851fbc82c8f98a74/?environmentId=100
https://www.hybrid-analysis.com/sample/ad647c0587ac6f8d3e4096435818ec9225bdd7bddc4d379993a4115fbb0cf255/?environmentId=100
https://www.hybrid-analysis.com/sample/c25d3541265d3d7a5aee4f0f7c3fad428c8f6c9cab45e55fa00de98f634635ee/?environmentId=100
https://www.hybrid-analysis.com/sample/92904d43af33a4ecc26e9935c278dd87b874e6a02d185ad5fb163f36f94de4c2/?environmentId=100

Best regards,
John.
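The following Python is an added example, not part of John's post or of the PT Research AttackDetection ruleset. It reproduces what the rule above requires of a single HTTP response so that the signature can be sanity-checked against extracted response bodies without a sensor: the status code must be 200, and the 16-byte content pattern must fall entirely within the first 16 bytes of the `file_data` buffer (which, with a 16-byte pattern and `depth:16`, means offset 0). The HTTP parsing is a minimal assumption made for the example: it handles a plain, uncompressed body, whereas a real Suricata `file_data` buffer is the decoded and decompressed body. The sample responses are constructed here, not captured traffic.

```python
import re

# 16-byte marker taken from the rule's content: match in the post; depth:16 means it
# must end within the first 16 bytes of the file_data buffer, i.e. start at offset 0.
PAYLOAD_MARKER = bytes.fromhex("d92cc6aff62656bb73f5c4680f90d9d4")
DEPTH = 16


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, body).

    Simplified for the example: no chunked decoding or Content-Encoding handling.
    Returns (None, b"") when the response is malformed.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, b""
    status_line = head.split(b"\r\n", 1)[0]
    m = re.match(rb"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        return None, b""
    return int(m.group(1)), body


def content_matches_within_depth(buf: bytes, pattern: bytes, depth: int) -> bool:
    """Emulate Suricata 'content' + 'depth': the whole pattern must lie inside buf[:depth]."""
    return buf[:depth].find(pattern) != -1


def rule_fires(raw_response: bytes) -> bool:
    """True when the response satisfies http_stat_code 200 plus the file_data content/depth test."""
    status, body = parse_http_response(raw_response)
    if status != 200:
        return False
    return content_matches_within_depth(body, PAYLOAD_MARKER, DEPTH)


# Constructed sample responses (not real captures) covering hit, offset miss and status miss.
SAMPLE_HIT = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 32\r\n\r\n"
    + PAYLOAD_MARKER
    + b"\x00" * 16
)
# Marker shifted by one byte: it now ends at byte 17, outside depth 16, so no alert.
SAMPLE_OFFSET_MISS = b"HTTP/1.1 200 OK\r\n\r\n" + b"\x90" + PAYLOAD_MARKER
# Correct bytes but wrong status code: http_stat_code "200" does not match.
SAMPLE_STATUS_MISS = b"HTTP/1.1 404 Not Found\r\n\r\n" + PAYLOAD_MARKER


def evaluate_samples() -> dict:
    """Run the emulated rule over the constructed samples and report which would alert."""
    return {
        "hit": rule_fires(SAMPLE_HIT),
        "offset_miss": rule_fires(SAMPLE_OFFSET_MISS),
        "status_miss": rule_fires(SAMPLE_STATUS_MISS),
    }


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name}: {'ALERT' if fired else 'no alert'}")
```

The offset case is the one worth noting when tuning: because `depth` bounds where the pattern must end rather than where it may start, any prepended byte (a BOM, a stub, padding) defeats a `depth:16` match on a 16-byte pattern, so a payload variant that shifts the header would need a new revision of the rule rather than a larger depth alone.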