[Emerging-Sigs] Kuriyama Loader

Jason Williams jwilliams at emergingthreats.net
Sat Jan 27 10:17:17 HST 2018


Thanks for the heads up! We'll make sure all the relevant information is
included in this rule for the update on Monday.

Jason

On Fri, Jan 26, 2018 at 5:31 PM, Duane Howard <duane.security at gmail.com>
wrote:

> Question: it looks like John provided references to samples here, but in
> the released rule there are no reference URLs or hashes. Seems like a lot
> of context got dropped that could have been included in this rule?
>
> On Fri, Jan 26, 2018 at 8:37 AM, Travis Green <tgreen at emergingthreats.net>
> wrote:
>
>> Thanks! We'll get this in QA for today's release.
>>
>> -Travis
>>
>> On Thu, Jan 25, 2018 at 3:18 AM, Attack Detection <attackdetectionteam at gmail.com> wrote:
>>
>>> Hi, Kuriyama bot here.
>>> Translation of the description from the seller's website:
>>> Kuriyama is a multifunctional experimental loader that uses the
>>> Telegraph as a control panel. I picked up the idea of creating something similar
>>> from botnets focusing on youtube, twitter, etc. When using the telegraph, you do
>>> not need to bother with anonymity, setting up a VPN, hosting, domains and
>>> other slag. The post of the telegraph will be tied to your hardware and you
>>> will not be able to reconnect the build without agreement with me.
>>>
>>> Signature:
>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; content: "?hwid="; http_uri; content: "&group="; http_uri; fast_pattern; content: "&os="; http_uri; content: "&cpu="; http_uri; content: "GET"; http_method; content:!"Referer|3a|"; http_header; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_25, malware_family botnet, malware_family loaders, performance_impact Moderate, updated_at 2018_01_25; classtype: trojan-activity; metadata: id_462921,created_at 2018_1_25; sid: 10002482; rev: 1;)
>>>
>>> Links:
>>> Page(ru) https://darkwebs.ws/threads/41806/
>>> Pcap: https://www.dropbox.com/sh/78kmpbf29yrdpbq/AADI55uuJg5wxhkfzNlqP8IMa?dl=0
>>> VT: https://www.virustotal.com/en/file/2cb01f61d24400c4a868e4a836019ff33588336bb6c611511fe3248aa3205d6b/analysis/
>>> HA: https://www.hybrid-analysis.com/sample/2cb01f61d24400c4a868e4a836019ff33588336bb6c611511fe3248aa3205d6b/?environmentId=100
>>>
>>> Best regards, John.
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreats.net
>>>
>>>
>>>
>>
>>
>> --
>> PGP: 0xBED7B297
>> <https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
>>
>
>
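To check a captured request against the conditions of John's signature without running Suricata, the following is an added example (not code from this thread, Emerging Threats or PTsecurity): it mirrors the rule's content/http_uri, http_method and negated Referer tests over raw HTTP request text and pulls out the beaconed fields for triage. The sample requests and the /gate.php path are constructed, and the flow:established,to_server condition (TCP state) is not modelled.

```python
"""Offline re-implementation of the Kuriyama Loader check-in rule's matching
logic (GET; URI contains "?hwid=", "&group=", "&os=", "&cpu="; no Referer
header). flow:established,to_server is TCP state and is not modelled."""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

URI_TOKENS = ("?hwid=", "&group=", "&os=", "&cpu=")


def parse_request(raw: str) -> Optional[Dict[str, str]]:
    """Parse request line and headers of a raw HTTP/1.x request; None if malformed."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    req = {"method": parts[0], "uri": parts[1]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            req["hdr_" + name.strip().lower()] = value.strip()
    return req


def matches_kuriyama_checkin(raw: str) -> bool:
    """Mirror the signature: GET method, all four URI tokens, no Referer header."""
    req = parse_request(raw)
    if req is None or req["method"] != "GET":
        return False
    if not all(tok in req["uri"] for tok in URI_TOKENS):
        return False
    return "hdr_referer" not in req  # content:!"Referer|3a|"; http_header


def checkin_fields(raw: str) -> Dict[str, str]:
    """Extract the beaconed hwid/group/os/cpu values for triage."""
    req = parse_request(raw) or {"uri": ""}
    qs = parse_qs(urlsplit(req["uri"]).query)
    return {k: qs.get(k, [""])[0] for k in ("hwid", "group", "os", "cpu")}


# Constructed sample requests (hypothetical; not taken from the thread's pcap).
HIT = ("GET /gate.php?hwid=ABC123&group=test&os=Win7&cpu=x64 HTTP/1.1\r\n"
       "Host: example.invalid\r\nUser-Agent: Mozilla/4.0\r\n\r\n")
MISS_REFERER = HIT.replace("Host:", "Referer: http://example.invalid/\r\nHost:")
MISS_POST = HIT.replace("GET ", "POST ", 1)
```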