[Emerging-Sigs] Kuriyama Loader
jwilliams at emergingthreats.net
Sat Jan 27 10:17:17 HST 2018
Thanks for the heads up! We'll make sure all the relevant information is
included in this rule for the update on Monday.
On Fri, Jan 26, 2018 at 5:31 PM, Duane Howard <duane.security at gmail.com>
> Question: it looks like John provided references to samples here, but in
> the released rule there are no reference URLs or hashes. Seems like a lot
> of context got dropped that could have been included in this rule?
> On Fri, Jan 26, 2018 at 8:37 AM, Travis Green <tgreen at emergingthreats.net>
>> Thanks! We'll get this in QA for today's release.
>> On Thu, Jan 25, 2018 at 3:18 AM, Attack Detection <
>> attackdetectionteam at gmail.com> wrote:
>>> Hi, Kuriyama bot here.
>>> Translation of the description from the seller's website:
>>> Kuriyama is a multifunctional experimental loader that uses the
>>> Telegraph as a control panel. The idea of creating something similar I picked up from
>>> botnets focusing on YouTube, Twitter, etc. When using a telegraph, you do
>>> not need to bother with anonymity, setting up a VPN, hosting, domains and
>>> other slag. The post of the telegraph will be tied to your hardware and you
>>> will not be able to reconnect the build without agreement with me.
>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN
>>> [PTsecurity] Kuriyama Loader Checkin";flow: established, to_server;
>>> content: "?hwid="; http_uri; content: "&group="; http_uri; fast_pattern;
>>> content: "&os="; http_uri; content: "&cpu="; http_uri; content: "GET";
>>> http_method; content:!"Referer|3a|"; http_header;
>>> metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit,
>>> attack_target Client_Endpoint, deployment Perimeter, signature_severity
>>> Major, created_at 2018_01_25, malware_family botnet, malware_family
>>> loaders, performance_impact Moderate, updated_at 2018_01_25; classtype:
>>> trojan-activity; metadata: id_462921,created_at 2018_1_25; sid: 10002482;
>>> rev: 1;)
>>> Page(ru) https://darkwebs.ws/threads/41806/
>>> Pcap: https://www.dropbox.com/sh/78kmpbf29yrdpbq/AADI55uuJg5wxhkfz
>>> VT: https://www.virustotal.com/en/file/2cb01f61d24400c4a868e4a83
>>> HA: https://www.hybrid-analysis.com/sample/2cb01f61d24400c4a868e
>>> Best regards, John.
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> PGP: 0xBED7B297
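Added example, not part of this thread and not from the rule's author: a small Python re-implementation of the matching conditions of the Kuriyama Loader check-in rule quoted above (GET method, the four http_uri tokens "?hwid=", "&group=", "&os=", "&cpu=", and no Referer header), run over constructed HTTP requests. The request samples, hostnames and hwid values are made up; Suricata's own buffer normalization is not reproduced, and header names are compared case-insensitively, which is a simplification of the rule's `content:!"Referer|3a|"; http_header;` check.

```python
# Added example (not from the Emerging-sigs thread or the rule author):
# a Python re-implementation of the matching conditions of the Kuriyama
# Loader check-in rule, run over constructed HTTP request samples.
# Assumptions: requests are plain HTTP/1.x; header-name matching is
# case-insensitive (a simplification of Suricata's http_header buffer);
# all sample values (hosts, hwid, group names) are made up.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four http_uri content matches from the rule. The rule puts
# fast_pattern on "&group=" as the first-pass filter; here all four are
# simply required, which is the same final match condition.
REQUIRED_URI_TOKENS: Tuple[str, ...] = ("?hwid=", "&group=", "&os=", "&cpu=")


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    lines = raw.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method=method, uri=uri, headers=headers)


def matches_kuriyama_checkin(req: HttpRequest) -> bool:
    """Mirror the rule: GET, all four URI tokens, and no Referer header."""
    if req.method != "GET":                      # content:"GET"; http_method
        return False
    if "referer" in req.headers:                 # content:!"Referer|3a|"; http_header
        return False
    return all(tok in req.uri for tok in REQUIRED_URI_TOKENS)


# Constructed samples (not real captures). Only the first should alert.
SAMPLES: Dict[str, str] = {
    "loader_checkin": (
        "GET /gate.php?hwid=0123456789ABCDEF&group=test&os=Win7_x64&cpu=Intel HTTP/1.1\r\n"
        "Host: c2.example.invalid\r\n"
        "User-Agent: Mozilla/4.0\r\n"
        "\r\n"
    ),
    "same_uri_with_referer": (   # a browser navigation would carry a Referer
        "GET /gate.php?hwid=0123456789ABCDEF&group=test&os=Win7_x64&cpu=Intel HTTP/1.1\r\n"
        "Host: c2.example.invalid\r\n"
        "Referer: http://c2.example.invalid/\r\n"
        "\r\n"
    ),
    "partial_tokens": (          # &cpu= missing: only three of four tokens
        "GET /stats?hwid=abc&group=g1&os=Win10 HTTP/1.1\r\n"
        "Host: www.example.invalid\r\n"
        "\r\n"
    ),
    "post_same_uri": (           # wrong method for this rule
        "POST /gate.php?hwid=abc&group=g1&os=Win10&cpu=AMD HTTP/1.1\r\n"
        "Host: c2.example.invalid\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ),
}


def scan(samples: Dict[str, str]) -> List[str]:
    """Return the names of the samples the rule logic would alert on."""
    return [name for name, raw in samples.items()
            if matches_kuriyama_checkin(parse_request(raw))]


if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("ALERT ET TROJAN [PTsecurity] Kuriyama Loader Checkin:", name)
```

The negated Referer match is what keeps the rule from firing on ordinary browser navigation to a page whose query string happens to carry similar parameter names; the "same_uri_with_referer" sample shows that effect, and "partial_tokens" shows that all four URI tokens must be present, not just the fast_pattern one.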