[Emerging-Sigs] False Positive: "ETPRO MALWARE Win32/Bancteian.A Variant CnC Activity" - SID 2839072

Brandon Murphy bmurphy at emergingthreats.net
Thu Oct 24 08:50:39 HDT 2019


Hello - I just wanted to follow up with this report with a bit more info
on this sig and sample.

I took a look at the reference sample a bit more today - in addition
to malicious activity, the sample dropped a legit (valid signature)
Microsoft installer which in turn phoned home to the Customer
Enhancement Improvement Program (CEIP), which triggers this rule.

This rule will be moved to the DELETED category today due to triggering
on benign traffic.

Sorry for any noise the rule might have caused.

-Brandon

On 10/23/19 09:33, Brandon Murphy wrote:
> Thanks Nathan,
>
> I'll take a look and get it updated today.
>
> -Brandon
>
> On 10/23/19 09:23, Nathan via Emerging-sigs wrote:
>> Good morning friends,
>>
>> I believe I have encountered a false positive that is almost an exact match to
>> the suspected traffic in question for SID 2839072.  Below is a PCAP ASCII
>> snippet of that traffic:
>>
>> 08:25:44.903014 IP 10.0.0.1.50165 > 20.41.62.11.80
>> GET
>> /8SE/77?MI=8BB03BE5E3834C769547B59818DA223A-0CCE46F7241540FBA35EB5FCECFE26F4&LV=1.3.478.0&OS=6.2.9200&HV=1.3.478.0&AG=308&TE=11001&TV=tv1.3.478.0|tmen-us|isBDT1|buproduct|mi8BB03BE5E3834C769547B59818DA223A-0CCE46F7241540FBA35EB5FCECFE26F4|flmsa_bd2|fr1|kvcategory:hot,autosync:True
>> HTTP/1.1
>> Host: g.ceipmsn.com
>> Connection: Keep-Alive
>> Cache-Control: no-cache
>>
>> Cheers,
>> Nathan
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>>
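As an added example (not code from the thread or from Emerging Threats), the check below parses the request Nathan posted and triages a hit on SID 2839072: a GET to a known CEIP host on the /8SE/ path carrying the MI/LV/OS/HV query keys is labelled as the benign telemetry case described above, anything else is left for analyst review. The host allowlist (only g.ceipmsn.com, taken from the capture) and the chosen query keys are assumptions for illustration; the request text is the posted snippet reassembled as raw HTTP.

```python
# Added example, not part of the original thread: triage a SID 2839072 hit by
# checking whether the flagged request is the benign Microsoft CEIP beacon.
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request from the thread, reassembled as raw HTTP/1.1 text.
SAMPLE_REQUEST = (
    "GET /8SE/77?MI=8BB03BE5E3834C769547B59818DA223A-0CCE46F7241540FBA35EB5FCECFE26F4"
    "&LV=1.3.478.0&OS=6.2.9200&HV=1.3.478.0&AG=308&TE=11001"
    "&TV=tv1.3.478.0|tmen-us|isBDT1|buproduct|mi8BB03BE5E3834C769547B59818DA223A-"
    "0CCE46F7241540FBA35EB5FCECFE26F4|flmsa_bd2|fr1|kvcategory:hot,autosync:True HTTP/1.1\r\n"
    "Host: g.ceipmsn.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Assumption: hosts treated as Microsoft CEIP telemetry endpoints. Only
# g.ceipmsn.com appears in the thread; extend it from your own environment's data.
CEIP_HOSTS = {"g.ceipmsn.com"}
# Assumption: query keys the posted CEIP beacon carries, used as a structural check
# so that a request merely sharing the Host header is not waved through.
CEIP_QUERY_KEYS = {"MI", "LV", "OS", "HV"}


def parse_http_request(raw):
    """Split a raw HTTP request into method, path, query dict and lowercase headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # Keep the first value of each key; the beacon sends each key once.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"method": method, "path": parts.path, "query": query, "headers": headers}


def triage_sid_2839072(raw):
    """Return 'benign-ceip' when the hit matches the CEIP beacon pattern, else 'review'."""
    req = parse_http_request(raw)
    host = req["headers"].get("host", "").lower()
    if (req["method"] == "GET"
            and host in CEIP_HOSTS
            and req["path"].startswith("/8SE/")
            and CEIP_QUERY_KEYS <= set(req["query"])):
        return "benign-ceip"
    return "review"


if __name__ == "__main__":
    verdict = triage_sid_2839072(SAMPLE_REQUEST)
    print(f"SID 2839072 hit on {parse_http_request(SAMPLE_REQUEST)['headers']['host']}: {verdict}")
```

The verdict is meant as an analyst triage aid, not a replacement for the rule change: the host and path checks only describe the traffic seen in this thread, so a request to a different host, or one missing the expected query keys, is deliberately returned as "review" rather than treated as benign.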
