[Emerging-Sigs] False Positive: "ETPRO MALWARE Win32/Bancteian.A Variant CnC Activity" - SID 2839072

Nathan nathan at packetmail.net
Wed Oct 23 05:23:24 HDT 2019


Good morning friends,

I believe I have encountered a false positive that is almost an exact match to
the suspected traffic in question for SID 2839072.  Below is a PCAP ASCII
snippet of that traffic:

08:25:44.903014 IP 10.0.0.1.50165 > 20.41.62.11.80
GET /8SE/77?MI=8BB03BE5E3834C769547B59818DA223A-0CCE46F7241540FBA35EB5FCECFE26F4&LV=1.3.478.0&OS=6.2.9200&HV=1.3.478.0&AG=308&TE=11001&TV=tv1.3.478.0|tmen-us|isBDT1|buproduct|mi8BB03BE5E3834C769547B59818DA223A-0CCE46F7241540FBA35EB5FCECFE26F4|flmsa_bd2|fr1|kvcategory:hot,autosync:True HTTP/1.1
Host: g.ceipmsn.com
Connection: Keep-Alive
Cache-Control: no-cache

Cheers,
Nathan
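One way to triage a hit like this before asking for a rule change, as an added example that is not part of the original post: a small Python parser for the captured request plus a check against an assumed benign CEIP telemetry profile. The host, the /8SE/<number> path shape and the MI format (two 32-hex identifiers joined by "-") are assumptions read off the snippet above, not taken from the rule itself; what SID 2839072 actually matches on is not shown in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the request from the post (the GET re-joined onto one line).
SAMPLE_REQUEST = (
    "GET /8SE/77?MI=8BB03BE5E3834C769547B59818DA223A-0CCE46F7241540FBA35EB5FCECFE26F4"
    "&LV=1.3.478.0&OS=6.2.9200&HV=1.3.478.0&AG=308&TE=11001"
    "&TV=tv1.3.478.0|tmen-us|isBDT1|buproduct|mi8BB03BE5E3834C769547B59818DA223A-"
    "0CCE46F7241540FBA35EB5FCECFE26F4|flmsa_bd2|fr1|kvcategory:hot,autosync:True HTTP/1.1\r\n"
    "Host: g.ceipmsn.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

# Assumed benign profile (an assumption for this example, not derived from the rule):
# Host g.ceipmsn.com, path /8SE/<digits>, MI = two 32-hex identifiers joined by '-'.
BENIGN_HOST = "g.ceipmsn.com"
PATH_RE = re.compile(r"^/8SE/\d+$")
MI_RE = re.compile(r"^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{32}$")


def parse_request(raw):
    """Split an HTTP/1.x request into method, path, query parameters and headers."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path,
            "query": parse_qs(parts.query), "headers": headers}


def matches_ceip_profile(req):
    """True when the request fits the assumed CEIP telemetry shape. Such hits are
    candidates for a suppression or threshold on the rule, not for an incident."""
    if req["method"] != "GET" or req["headers"].get("host") != BENIGN_HOST:
        return False
    if not PATH_RE.match(req["path"]):
        return False
    mi = req["query"].get("MI", [])
    return len(mi) == 1 and bool(MI_RE.match(mi[0]))


if __name__ == "__main__":
    print("fits benign CEIP profile:", matches_ceip_profile(parse_request(SAMPLE_REQUEST)))
```

The profile check is deliberately narrow (exact host, path shape and MI format); a request to another host or with a malformed MI falls through to the normal alert path.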
