[Emerging-Sigs] KBot C2 Sig

James Lay jlay at slave-tothe-box.net
Wed Feb 12 05:48:51 HST 2020


Solid run here for those that wanna play (me):

https://app.any.run/tasks/1baa222e-1960-42be-9bb5-debc7ba2d630

James


On 2020-02-12 08:39, elhijo at 0lim.net wrote:
> Hi,
> 
> I was trying to send you the same issue through the ET feedback webpage, but I
> get a bad gateway error every time I submit my request.
> 
> sid:2820288
> 
> All alerts linked to i[1234]4.c.eset.com
> 
> Cheers,
> 
> David
> 
> February 12, 2020 4:30 PM, "Stuart Gonzalez" <stu at perchsecurity.com>
> wrote:
> 
>> Hi Team,
>> 
>> Looking through this sig and wondering if the content match for
>> “.eset.com” should have been negated. I reviewed the references,
>> as well as other malware repos for this malware, and found no
>> indication of C2 traffic destined for eset subdomains.
>> 
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN
>> Bolek/Kbot CnC Checkin"; flow:established,to_server; urilen:1;
>> content:"POST"; http_method;
>> pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps";
>> content:".eset.com"; http_host; isdataat:!1,relative;
>> http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d
>> 0a|Connection|0d 0a|"; depth:36; fast_pattern; content:!"Accept";
>> content:!"Referer"; metadata: former_category MALWARE;
>> reference:md5,24a497e3993289168455f12d11f0430f;
>> reference:md5,2d7ce4c681bdbddf4ab2740f5fb589dc;
>> classtype:trojan-activity; sid:2820288; rev:5; metadata:created_at
>> 2016_05_20, updated_at 2020_02_11;)
>> 
>> https://securelist.com/kbot-sometimes-they-come-back/96157/
>> 
>> 
>> https://www.virustotal.com/gui/file/406a4fcb391cc8098d1a6578e2609c21f0f59ca2386f926e3438c57e4549c966/behavior/VirusTotal%20Cuckoofork
>> 
>> 
>> [1]
>> 
>> Stuart Gonzalez / Chief Bot Officer
>> stu at perchsecurity.com / 713.591.1602
>> 
>> PERCH
>> perchsecurity.com [2] | Perch Blog [3] | Product Support | SOC
>> Operations
>> 
>> [4] [5] [6]
>> 
>> This e-mail message may contain confidential or legally privileged
>> information and is intended only for the use of the intended
>> recipient(s). Any unauthorized disclosure, dissemination,
>> distribution, copying or the taking of any action in reliance on the
>> information herein is prohibited. E-mails are not secure and cannot
>> be guaranteed to be error free as they can be intercepted, amended,
>> or contain viruses. Anyone who communicates with us by e-mail is
>> deemed to have accepted these risks. Perch Security is not
>> responsible for errors or omissions in this message and denies any
>> responsibility for any damage arising from the use of e-mail. Any
>> opinion and other statement contained in this message and any
>> attachment are solely those of the author and do not necessarily
>> represent those of the company.
> 
> 
> 
> Links:
> ------
> [1] http://perchsecurity.com
> [2] https://perchsecurity.com
> [3] http://www.perchsecurity.com/blog
> [4] https://twitter.com/perchsecurity
> [5] https://www.linkedin.com/company/perchsecurity/
> [6] https://perchsecurity.com/perch-news/index.xml
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
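One way to reason about the question raised in the thread (whether the `.eset.com` host match in sid:2820288 should be negated) before editing the rule is to re-implement its conditions over sample requests. The Python below is added here as an example; it is not part of any message in the thread and not ET's own code or tooling. It assumes Suricata's `http_header_names` buffer holds each header name delimited by CRLF with a leading CRLF, and that `http_host` is the lower-cased Host value without a port. The requests are constructed, not captures; only the `i[1234]4.c.eset.com` host shape comes from David's report. With the match as posted, a request to an eset.com host that otherwise fits the check-in shape fires while the identical request to any other host does not; negating the host match reverses that.

```python
import re
from dataclasses import dataclass

# Body condition from the rule's pcre (P = http_client_body, s = dotall):
# at most 20 printable bytes, then a byte that is not printable ASCII / CR / LF.
BODY_PCRE = re.compile(rb"^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]", re.DOTALL)

# http_header_names content with depth:36. The pattern is itself 36 bytes,
# so depth:36 means it must sit at offset 0, i.e. Host, Content-Length and
# Connection are the first three headers in wire order.
HEADER_NAMES_PREFIX = b"\r\nHost\r\nContent-Length\r\nConnection\r\n"


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: list  # (name, value) pairs in wire order
    body: bytes


def header_names_buffer(headers):
    """Model of Suricata's http_header_names buffer (assumption: each header
    name is delimited by CRLF and the buffer starts with CRLF)."""
    return b"\r\n" + b"".join(name.encode("ascii") + b"\r\n" for name, _ in headers)


def normalized_host(headers):
    """Model of the http_host buffer: lower-cased Host value, port stripped."""
    for name, value in headers:
        if name.lower() == "host":
            return value.lower().split(":")[0]
    return ""


def rule_2820288_matches(req, negate_eset=False):
    """True if every condition of sid:2820288 holds for req.

    negate_eset=False models the rule as posted (content:".eset.com"; http_host;
    isdataat:!1,relative), negate_eset=True models the variant questioned in the
    thread (content:!".eset.com"; http_host), i.e. host must not contain it."""
    if req.method != "POST":            # content:"POST"; http_method
        return False
    if len(req.uri) != 1:               # urilen:1
        return False
    if not BODY_PCRE.search(req.body):  # pcre:"/.../Ps"
        return False
    host = normalized_host(req.headers)
    if negate_eset:
        if ".eset.com" in host:
            return False
    elif not host.endswith(".eset.com"):
        return False
    names = header_names_buffer(req.headers)
    if names.find(HEADER_NAMES_PREFIX, 0, 36) == -1:   # depth:36
        return False
    if b"Accept" in names or b"Referer" in names:      # content:!"Accept"; content:!"Referer"
        return False
    return True


# Constructed sample requests (not captures). The i14/i24.c.eset.com hosts follow
# the i[1234]4.c.eset.com shape reported in the thread; bodies and other headers
# are made up for illustration.
ESET_HOST_REQ = HttpRequest(
    method="POST", uri="/",
    headers=[("Host", "i14.c.eset.com"), ("Content-Length", "8"), ("Connection", "Keep-Alive")],
    body=b"\x01\x00\x13\x37abcd",
)
# Same shape, to a placeholder non-ESET host.
OTHER_HOST_REQ = HttpRequest(
    method="POST", uri="/",
    headers=[("Host", "c2.example.invalid"), ("Content-Length", "8"), ("Connection", "Keep-Alive")],
    body=b"\x01\x00\x13\x37abcd",
)
# Browser-like form POST to an eset.com host: printable body and an Accept header,
# so the host match alone is never enough for either variant to fire.
FORM_POST_REQ = HttpRequest(
    method="POST", uri="/",
    headers=[("Host", "i24.c.eset.com"), ("Content-Length", "9"),
             ("Connection", "keep-alive"), ("Accept", "*/*")],
    body=b"key=value",
)

if __name__ == "__main__":
    for label, req in [("eset host", ESET_HOST_REQ), ("other host", OTHER_HOST_REQ),
                       ("form post", FORM_POST_REQ)]:
        print(f"{label}: as posted={rule_2820288_matches(req)} "
              f"negated={rule_2820288_matches(req, negate_eset=True)}")
```

Run stand-alone it prints one line per sample; the useful reading is that the posted rule can only ever alert on hosts ending in `.eset.com`, which is exactly what David observed, while the negated variant alerts on the check-in shape everywhere except those hosts.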
