[Emerging-Sigs] MZRevenge

Jason Taylor jastaylor at emergingthreats.net
Wed Mar 18 04:00:55 HDT 2020


Awesome, thanks John!

We will take a look and get it into today's push.

JT

On Wed, Mar 18, 2020 at 8:51 AM Attack Detection
<attackdetectionteam at gmail.com> wrote:
>
> Hi. We propose an anti-ransomware rule:
> alert http $EXTERNAL_NET any -> $HOME_NET any
> (
> msg: "MALWARE ET [PTsecurity] MZRevenge Ransomware Server Response";
> flow: established, to_client;
> content: "MZR-"; http_server_body;
> depth: 4;
> classtype: trojan-activity;
> metadata: created_at 2020_03_18;
> sid: 1;
> rev: 1;
> )
> A new sample consists of these four bytes in http_server_content.
> https://www.virustotal.com/gui/file/77eb2d8076866a570484997919f43e8ab25d53c31931c99e38e5d6ef64a1cda3/detection
> https://app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/
> pcaps:
> https://www.dropbox.com/sh/z14gry1xg1j9epa/AABj84wLxw38QetnAZ7mees1a?dl=0
> Best Regards, John.
>
>
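
An added example, not part of the original post or of the Emerging Threats ruleset: a Python emulation of the match the proposed rule describes (`content: "MZR-"` within `depth: 4` of the HTTP server body), run over constructed responses, including a chunked one, since the body buffer is matched after dechunking. The helper names and sample bodies are assumptions; only the four-byte marker and the depth come from the rule.

```python
"""Offline emulation of the proposed rule's match on constructed HTTP responses."""

MARKER = b"MZR-"   # content value from the proposed rule
DEPTH = 4          # depth value from the proposed rule


def split_response(raw: bytes):
    """Split a raw HTTP response into (headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body, as the IDS does before matching."""
    out = b""
    while body:
        size_line, _, rest = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        out += rest[:size]
        body = rest[size + 2:]                    # skip chunk data and its CRLF
    return out


def rule_matches(raw: bytes) -> bool:
    """True when the normalised response body starts with the marker."""
    headers, body = split_response(raw)
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = dechunk(body)
    return MARKER in body[:DEPTH]


# Constructed sample responses (not taken from the linked pcaps).
SAMPLES = {
    "plain": b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nMZR-00000000",
    "chunked": (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"2\r\nMZ\r\n6\r\nR-0000\r\n0\r\n\r\n"),
    "marker_later": b"HTTP/1.1 200 OK\r\nContent-Length: 9\r\n\r\nid=MZR-01",
    "other": b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} {rule_matches(raw)}")
```

The `marker_later` case shows what `depth: 4` buys: the same bytes further into the body do not fire the rule, which keeps a four-byte content match from alerting on arbitrary pages that happen to contain the string.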

