[Emerging-Sigs] MZRevenge

Attack Detection attackdetectionteam at gmail.com
Wed Mar 18 03:50:57 HDT 2020


Hi. We propose an anti-ransomware rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE ET [PTsecurity] MZRevenge Ransomware Server Response"; flow:established,to_client; content:"MZR-"; http_server_body; depth:4; classtype:trojan-activity; metadata:created_at 2020_03_18; sid:1; rev:1;)
A new sample consists of these four bytes in http_server_content.
https://www.virustotal.com/gui/file/77eb2d8076866a570484997919f43e8ab25d53c31931c99e38e5d6ef64a1cda3/detection
https://app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/
pcaps:
https://www.dropbox.com/sh/z14gry1xg1j9epa/AABj84wLxw38QetnAZ7mees1a?dl=0
Best Regards, John.
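As an added example (not part of the post or of the Emerging Threats ruleset), the following emulates what the proposed rule inspects: Suricata's http_server_body buffer holds the dechunked and decompressed response body, so "MZR-" must sit within the first 4 bytes of that normalized body, not of the raw stream. The four HTTP responses are constructed test inputs, not captured traffic.

```python
import gzip

# Constructed responses (not real captures) exercising the http_server_body
# buffer, which Suricata fills after dechunking and decompression.
PLAIN = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nMZR-deadbeef"
CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"2\r\nMZ\r\n6\r\nR-abcd\r\n0\r\n\r\n")
GZIPPED = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
           + gzip.compress(b"MZR-0011"))
BENIGN = b"HTTP/1.1 200 OK\r\nContent-Length: 9\r\n\r\n  MZR-abc"  # marker past depth 4

def normalize_body(raw: bytes) -> bytes:
    """Split headers from body and undo chunking/gzip, mimicking http_server_body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        out, rest = b"", body
        while rest:
            size_hex, _, rest = rest.partition(b"\r\n")
            size = int(size_hex.split(b";")[0], 16)  # ignore chunk extensions
            if size == 0:
                break
            out += rest[:size]
            rest = rest[size + 2:]  # skip chunk data and its trailing CRLF
        body = out
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body

def mzrevenge_match(raw: bytes, pattern: bytes = b"MZR-", depth: int = 4) -> bool:
    """content:"MZR-"; http_server_body; depth:4; -> match must end within first `depth` bytes."""
    return normalize_body(raw).find(pattern, 0, depth) != -1

def raw_payload_match(raw: bytes, pattern: bytes = b"MZR-", depth: int = 4) -> bool:
    """Same check against the raw on-wire body: misses compressed responses."""
    return raw.partition(b"\r\n\r\n")[2].find(pattern, 0, depth) != -1

def run_samples() -> dict:
    """Apply the emulated rule to every constructed sample; True means alert."""
    samples = {"plain": PLAIN, "chunked": CHUNKED, "gzip": GZIPPED, "benign": BENIGN}
    return {name: mzrevenge_match(raw) for name, raw in samples.items()}
```

The gzip case is why the rule is anchored on http_server_body rather than on the raw payload: the normalized buffer alerts, the raw-stream check does not.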

