[Emerging-Sigs] Gozi/Ursnif Payload

James Emery-Callcott jcallcott at emergingthreats.net
Wed Jan 17 05:16:54 HST 2018


Hi John,

Thanks for sending this in.
We'll take a look and push to QA asap.

Thanks,
James.

On Wed, Jan 17, 2018 at 1:04 PM, Attack Detection <
attackdetectionteam at gmail.com> wrote:

> Hi, new payload for Ursnif/Gozi.
> Previously published a rule with sid 2024533 for the process clfs10_1.exe,
> now a new payload for the process adprtext.exe.
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Gozi/Ursnif Payload v14"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|d9 2c c6 af f6 26 56 bb 73 f5 c4 68 0f 90 d9 d4|"; depth:16; fast_pattern; metadata:former_category TROJAN; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_05, malware_family ursnif, malware_family Gozi, performance_impact Moderate, updated_at 2017_12_05; sid:10002429; rev:1;)
>
> Links:
> PCAPs: https://www.dropbox.com/sh/bh79we9udyohvwa/AAC0qntElOaZLt7vxp9o9BrFa?dl=0
> Analysis:
> https://www.hybrid-analysis.com/sample/a8422804bb5fc7ab3479a7570d331e14447334b7c9e0b5bc851fbc82c8f98a74/?environmentId=100
> https://www.hybrid-analysis.com/sample/ad647c0587ac6f8d3e4096435818ec9225bdd7bddc4d379993a4115fbb0cf255/?environmentId=100
> https://www.hybrid-analysis.com/sample/c25d3541265d3d7a5aee4f0f7c3fad428c8f6c9cab45e55fa00de98f634635ee/?environmentId=100
> https://www.hybrid-analysis.com/sample/92904d43af33a4ecc26e9935c278dd87b874e6a02d185ad5fb163f36f94de4c2/?environmentId=100
>
> Best regards,
> John.
>


-- 
*James Emery-Callcott*
Security Researcher
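Added example, not code from the list post, from ET or from PTsecurity: a small reader for the posted rule's options that shows what the file_data content/depth pair actually constrains (a 16-byte content with depth:16 only fires when the response body starts with those bytes) and flags keywords a rule should carry only once, which is how the stray second sid in the posted text would be caught. It assumes the rule as posted with that stray sid/rev removed, and the response bodies are constructed.

```python
# Rule text as posted on the list, with the stray "sid:2024533; rev:2;" removed
# and the metadata/reference options left out for brevity.
RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] '
    'Gozi/Ursnif Payload v14"; flow:established,to_client; content:"200"; '
    'http_stat_code; file_data; content:"|d9 2c c6 af f6 26 56 bb 73 f5 c4 68 0f '
    '90 d9 d4|"; depth:16; fast_pattern; classtype:trojan-activity; '
    'sid:10002429; rev:1;)'
)

def parse_options(rule):
    """Split the text inside the parentheses into (keyword, value) pairs.
    A ';' inside double quotes (e.g. in msg) does not end an option."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            kw, _, val = cur.partition(":")
            opts.append((kw.strip(), val.strip().strip('"')))
            cur = ""
        else:
            cur += ch
    return opts

def content_bytes(value):
    """Decode a content value: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def file_data_matches(rule, body):
    """Apply the content/depth that follow file_data to an HTTP response body.
    depth:N limits the search to the first N bytes of the body, so a 16-byte
    content with depth:16 matches only when the body begins with it."""
    pat, depth, in_file_data = None, None, False
    for kw, val in parse_options(rule):
        if kw == "file_data":
            in_file_data = True
        elif in_file_data and kw == "content":
            pat = content_bytes(val)
        elif in_file_data and kw == "depth":
            depth = int(val)
    return pat in (body[:depth] if depth else body)

def duplicate_keywords(rule, once=("sid", "rev")):
    """Return keywords from `once` that appear more than once in the rule."""
    seen = [kw for kw, _ in parse_options(rule)]
    return sorted(kw for kw in once if seen.count(kw) > 1)

# Constructed response bodies: the payload header at offset 0, then shifted by one.
PAYLOAD_AT_0 = bytes.fromhex("d92cc6aff62656bb73f5c4680f90d9d4") + b"\x00" * 32
PAYLOAD_AT_1 = b"\x00" + PAYLOAD_AT_0
```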