<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi David,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I tested the portal and could not reproduce the issue, nor have we received any other reports.  If you can provide the details of what you entered that would be helpful.  I’ll let the team speak to the signature itself.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#1D0E00">Brad Woodberg
</span></b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#1D0E00">l<b>
</b>Group Product Manager - Emerging Threats, TAP Campaigns</span><span style="font-size:16.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Arial",sans-serif">Proofpoint, Inc.</span><span style="font-size:12.0pt;font-family:"MS Mincho"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Arial",sans-serif">E:
<a href="mailto:bwoodberg@proofpoint.com"><span style="color:#0563C1">bwoodberg@proofpoint.com</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><a href="http://www.proofpoint.com/"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;text-decoration:none"><img border="0" width="150" height="33" style="width:1.5625in;height:.3437in" id="Picture_x0020_1" src="cid:image001.png@01D5E191.77801D50" alt="id:image001.png@01D285E1.0101B2B0"></span></a><span style="font-size:16.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#0F6B96">threat protection l compliance l archiving & governance l secure communication</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Emerging-sigs <emerging-sigs-bounces@lists.emergingthreats.net> on behalf of "elhijo@0lim.net" <elhijo@0lim.net><br>
<b>Date: </b>Wednesday, February 12, 2020 at 10:39 AM<br>
<b>To: </b>"emerging-sigs@emergingthreats.net" <emerging-sigs@emergingthreats.net><br>
<b>Subject: </b>Re: [Emerging-Sigs] KBot C2 Sig<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Hi,<br>
<br>
I was trying to send you the same issue through the ET feedback webpage, but I get a bad gateway error every time I submit my request.<br>
<br>
</span><span style="font-family:"Arial",sans-serif">sid:2820288</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><br>
<br>
All alerts linked to i[1234]4.c.eset.com<br>
<br>
Cheers,<br>
<br>
David<br>
<br>
<br>
February 12, 2020 4:30 PM, "Stuart Gonzalez" <<a href="mailto:stu@perchsecurity.com?to=%22Stuart%20Gonzalez%22%20%3cstu@perchsecurity.com%3e" target="_blank">stu@perchsecurity.com</a>> wrote:<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p><span style="font-family:"Arial",sans-serif">Hi Team,</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
<p><span style="font-family:"Arial",sans-serif">Looking through this sig and wondering if the content match for “.eset.com” should have been negated. I reviewed the references, as well as, other malware repos for this malware and found no indication C2 traffic
 destined for eset subdomains. </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
<p><span style="font-family:"Arial",sans-serif">alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Bolek/Kbot CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; content:".eset.com";
 http_host; isdataat:!1,relative; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:36; fast_pattern; content:!"Accept"; content:!"Referer"; metadata: former_category MALWARE; reference:md5,24a497e3993289168455f12d11f0430f;
 reference:md5,2d7ce4c681bdbddf4ab2740f5fb589dc; classtype:trojan-activity; sid:2820288; rev:5; metadata:created_at 2016_05_20, updated_at 2020_02_11;)</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
<p><span style="font-family:"Arial",sans-serif"><a href="https://urldefense.com/v3/__https:/securelist.com/kbot-sometimes-they-come-back/96157/__;!!ORgEfCBsr282Fw!9MK6rbUaP6N_DoD0PDZLpfUpt2Lmz1p-mJU6CqeIrxM0tSLw7aXLrZoBs2afswfOFXJM$" target="_blank"><span style="color:#0563C1">https://securelist.com/kbot-sometimes-they-come-back/96157/</span></a></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
<p><span style="font-family:"Arial",sans-serif"><a href="https://urldefense.com/v3/__https:/www.virustotal.com/gui/file/406a4fcb391cc8098d1a6578e2609c21f0f59ca2386f926e3438c57e4549c966/behavior/VirusTotal*20Cuckoofork__;JQ!!ORgEfCBsr282Fw!9MK6rbUaP6N_DoD0PDZLpfUpt2Lmz1p-mJU6CqeIrxM0tSLw7aXLrZoBs2afs0dE7LiA$" target="_blank"><span style="color:#0563C1">https://www.virustotal.com/gui/file/406a4fcb391cc8098d1a6578e2609c21f0f59ca2386f926e3438c57e4549c966/behavior/VirusTotal%20Cuckoofork</span></a></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
</div>
<table class="MsoNormalTable" border="0" cellpadding="0" width="450" style="width:337.5pt;text-size-adjust: none !important;-ms-text-size-adjust: none !important;-webkit-text-size-adjust: none !important">
<tbody>
<tr>
<td width="90" style="width:67.5pt;padding:0in 0in 0in 0in">
<p style="mso-margin-top-alt:5.0pt;margin-right:7.5pt;margin-bottom:3.0pt;margin-left:0in;line-height:9.0pt">
<span style="font-size:7.5pt;font-family:Helvetica"><a href="https://urldefense.com/v3/__http:/perchsecurity.com__;!!ORgEfCBsr282Fw!9MK6rbUaP6N_DoD0PDZLpfUpt2Lmz1p-mJU6CqeIrxM0tSLw7aXLrZoBs2afs0rDxOMx$" target="_blank"><span style="color:windowtext;text-decoration:none"><span style="color:#0563C1"><img border="0" width="80" height="80" style="width:.8333in;height:.8333in" id="_x0000_i1030" src="http://cdn.perchsecurity.com/email-service/img/perchy-avatar.png" alt="PERCH"></span></span></a><o:p></o:p></span></p>
</td>
<td width="370" nowrap="" style="width:277.5pt;padding:0in 0in 0in 0in">
<p style="margin-bottom:3.0pt;line-height:9.0pt"><b><span style="font-size:7.5pt;font-family:Helvetica;color:#5C5C5C">Stuart Gonzalez</span></b><span style="font-size:7.5pt;font-family:Helvetica;color:#212121"> /
</span><span style="font-size:7.5pt;font-family:Helvetica;color:#5C5C5C">Chief Bot Officer</span><span style="font-size:7.5pt;font-family:Helvetica;color:#212121"><br>
<a href="mailto:stu@perchsecurity.com" target="_blank"><span style="color:#AEAEAE;text-decoration:none">stu@perchsecurity.com</span></a> /
</span><span style="font-size:7.5pt;font-family:Helvetica;color:#5C5C5C">713.591.1602</span><span style="font-size:7.5pt;font-family:Helvetica;color:#212121"><o:p></o:p></span></p>
<p style="margin-bottom:3.0pt"><b><span style="font-size:7.5pt;font-family:Helvetica;color:#5C5C5C">PERCH</span></b><span style="font-size:7.5pt;font-family:Helvetica"><br>
<a href="https://urldefense.com/v3/__https:/perchsecurity.com__;!!ORgEfCBsr282Fw!9MK6rbUaP6N_DoD0PDZLpfUpt2Lmz1p-mJU6CqeIrxM0tSLw7aXLrZoBs2afs-VGCy0A$" target="_blank"><span style="color:#AEAEAE;text-decoration:none">perchsecurity.com</span></a>
<span style="color:#4A158B">|</span> <a href="https://urldefense.com/v3/__http:/www.perchsecurity.com/blog__;!!ORgEfCBsr282Fw!9MK6rbUaP6N_DoD0PDZLpfUpt2Lmz1p-mJU6CqeIrxM0tSLw7aXLrZoBs2afs0ySdime$" target="_blank">
<span style="color:#AEAEAE;text-decoration:none">Perch Blog</span></a> <span style="color:#4A158B">
|</span> <a href="mailto:help@perchsecurity.com" target="_blank"><span style="color:#AEAEAE;text-decoration:none">Product Support</span></a>
<span style="color:#4A158B">|</span> <a href="mailto:soc@perchsecurity.com" target="_blank">
<span style="color:#AEAEAE;text-decoration:none">SOC Operations</span></a><o:p></o:p></span></p>
<p style="line-height:0%"><span style="font-size:1.0pt;font-family:Helvetica"><a href="https://urldefense.com/v3/__https:/twitter.com/perchsecurity__;!!ORgEfCBsr282Fw!9MK6rbUaP6N_DoD0PDZLpfUpt2Lmz1p-mJU6CqeIrxM0tSLw7aXLrZoBs2afs2F_T-3c$" target="_blank"><span style="color:windowtext;text-decoration:none"><span style="color:#0563C1"><img border="0" width="16" height="16" style="width:.1666in;height:.1666in" id="_x0000_i1029" src="https://s3.amazonaws.com/htmlsig-assets/square/twitter.png" alt="Twitter"></span></span></a><img border="0" width="2" style="width:.0208in" id="_x0000_i1028" src="https://s3.amazonaws.com/htmlsig-assets/spacer.gif" alt="https://s3.amazonaws.com/htmlsig-assets/spacer.gif"><a href="https://urldefense.com/v3/__https:/www.linkedin.com/company/perchsecurity/__;!!ORgEfCBsr282Fw!9MK6rbUaP6N_DoD0PDZLpfUpt2Lmz1p-mJU6CqeIrxM0tSLw7aXLrZoBs2afs08s1wqf$" target="_blank"><span style="color:windowtext;text-decoration:none"><span style="color:#0563C1"><img border="0" width="16" height="16" style="width:.1666in;height:.1666in" id="_x0000_i1027" src="https://s3.amazonaws.com/htmlsig-assets/square/linkedin.png" alt="LinkedIn"></span></span></a><img border="0" width="2" style="width:.0208in" id="_x0000_i1026" src="https://s3.amazonaws.com/htmlsig-assets/spacer.gif" alt="https://s3.amazonaws.com/htmlsig-assets/spacer.gif"><a href="https://urldefense.com/v3/__https:/perchsecurity.com/perch-news/index.xml__;!!ORgEfCBsr282Fw!9MK6rbUaP6N_DoD0PDZLpfUpt2Lmz1p-mJU6CqeIrxM0tSLw7aXLrZoBs2afs_dNq7tG$" target="_blank"><span style="color:windowtext;text-decoration:none"><span style="color:#0563C1"><img border="0" width="16" height="16" style="width:.1666in;height:.1666in" id="_x0000_i1025" src="http://cdn.perchsecurity.com/email-service/img/rss-icon-square.png" alt="Subscribe to our blog!"></span></span></a><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</blockquote>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><br>
<br>
<br>
<o:p></o:p></span></p>
</div>
</div>
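<p class="MsoNormal">Added example, not part of this thread and not Emerging Threats, Proofpoint or Perch code: a small Python rule-lint that parses the sid 2820288 rule quoted above, applies only its http_host conditions to the kind of host David reported (i14.c.eset.com, one of the i[1234]4.c.eset.com hosts), and shows how the same check behaves if the .eset.com match is negated as Stuart suggests. The buffer handling (Suricata 4 content modifiers applying to the preceding content, http_header_names as a sticky buffer, isdataat:!1,relative treated as an end-of-buffer anchor) is a simplified model of Suricata's semantics written for this example, and the parse_rule, host_matches, lint_host_matches, negate_host_match and anchored_header_names names are the example's own. Whether negation is the right change for this signature is for the rule's authors to decide; the example only makes the false-positive path visible.</p>

```python
import re

# The rule as quoted in the thread (sid 2820288 rev 5), copied verbatim.
RULE = (
    r'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Bolek/Kbot CnC Checkin"; '
    r'flow:established,to_server; urilen:1; content:"POST"; http_method; '
    r'pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; content:".eset.com"; http_host; '
    r'isdataat:!1,relative; http_header_names; '
    r'content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:36; fast_pattern; '
    r'content:!"Accept"; content:!"Referer"; metadata: former_category MALWARE; '
    r'reference:md5,24a497e3993289168455f12d11f0430f; reference:md5,2d7ce4c681bdbddf4ab2740f5fb589dc; '
    r'classtype:trojan-activity; sid:2820288; rev:5; '
    r'metadata:created_at 2016_05_20, updated_at 2020_02_11;)'
)

# Simplified model of Suricata 4 keyword semantics (an assumption made for this example):
# modifiers apply to the content that precedes them, sticky buffers to every content after.
CONTENT_MODIFIERS = {"http_method", "http_uri", "http_host", "http_header",
                     "http_user_agent", "http_client_body", "http_cookie"}
STICKY_BUFFERS = {"http_header_names", "http_request_line"}

# One rule option: key, optional ":value" (quoted, possibly negated, or bare), then ";".
OPTION_RE = re.compile(
    r'\s*(?P<key>[a-z_]+)\s*(?::\s*(?P<val>!?"(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def decode_content(raw):
    """Turn a content string such as |0d 0a|Host|0d 0a| into bytes (pipes delimit hex)."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(rule):
    """Return one dict per content keyword: literal, bytes, negation, buffer, depth, anchor."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents, sticky = [], None
    for m in OPTION_RE.finditer(body):
        key, val = m.group("key"), m.group("val")
        if key == "content":
            literal = val.lstrip("!").strip('"')
            contents.append({"raw": literal, "bytes": decode_content(literal),
                             "negated": val.startswith("!"), "buffer": sticky or "payload",
                             "depth": None, "at_end": False})
        elif key in CONTENT_MODIFIERS and contents:
            contents[-1]["buffer"] = key
        elif key in STICKY_BUFFERS:
            sticky = key
        elif key == "depth" and contents:
            contents[-1]["depth"] = int(val)
        elif key == "isdataat" and contents and val.replace(" ", "") == "!1,relative":
            contents[-1]["at_end"] = True  # no byte may follow the previous match
    return contents


def host_matches(contents, host):
    """Apply only the http_host conditions to a (lower-cased) Host header value."""
    host = host.lower()
    for c in (c for c in contents if c["buffer"] == "http_host"):
        hit = host.endswith(c["raw"]) if c["at_end"] else c["raw"] in host
        if hit == c["negated"]:  # required match absent, or forbidden match present
            return False
    return True


def lint_host_matches(contents, trusted_suffixes):
    """Flag positive (non-negated) http_host matches that name a trusted vendor domain."""
    return [c["raw"] for c in contents
            if c["buffer"] == "http_host" and not c["negated"]
            and any(c["raw"].endswith(s) for s in trusted_suffixes)]


def negate_host_match(rule, literal):
    """Return the rule text with content:"LITERAL"; http_host; turned into a negation."""
    return rule.replace(f'content:"{literal}"; http_host;',
                        f'content:!"{literal}"; http_host;')


def anchored_header_names(contents):
    """Header names that a depth-limited http_header_names match pins to the buffer start."""
    for c in contents:
        if c["buffer"] == "http_header_names" and not c["negated"] and c["depth"] == len(c["bytes"]):
            return [n.decode() for n in c["bytes"].split(b"\r\n") if n]
    return []


if __name__ == "__main__":
    parsed = parse_rule(RULE)
    # Host of the kind reported in the thread as producing the alerts (i[1234]4.c.eset.com).
    print(host_matches(parsed, "i14.c.eset.com"))         # True: the rule fires on ESET traffic
    print(lint_host_matches(parsed, [".eset.com"]))        # ['.eset.com']
    fixed = parse_rule(negate_host_match(RULE, ".eset.com"))
    print(host_matches(fixed, "i14.c.eset.com"))          # False
    print(host_matches(fixed, "update.example.invalid"))  # True: negation becomes an exclusion
    print(anchored_header_names(parsed))                   # ['Host', 'Content-Length', 'Connection']
```

<p class="MsoNormal">Run as a script it prints the five results. The last call is a reading aid for the rest of the rule: depth:36 equals the decoded length of the fast-pattern content, so the three header names must be the first three headers of the request, which is what keeps the signature narrow even though the host match, as written, accepts any host ending in .eset.com.</p>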
</body>
</html>