List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] Tiny Banker Trojan
From:       Darien Huss <dhuss () emergingthreats ! net>
Date:       2017-09-04 12:42:56
Message-ID: 18dae99a-3dd3-740e-486b-d7948b2092c1 () emergingthreats ! net

Hi John,

Thank you for the contribution! This should go out tomorrow (holiday in
the US today).

Regards,
Darien

On 09/04/2017 02:23 AM, attackdetectionteam wrote:
> Hey.
> We offer to expand the set of signatures for the detection of Tinba.
> Below is a list of hashes with skips and a link to the dropbox with pcaps.
> I hope that we will transfer them to our git)
> 
> Best regards.
> 
> John. @attackdetectionteam
> 
> 
> alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET TROJAN
> [PTsecurity] Tinba Checkin 4";flow: established, to_server; content:
> "POST"; http_method; content: "Content-Length: 157"; nocase;
> http_header; content:!"Content-Type"; nocase; http_header;
> content:!"Accept-Encoding"; nocase; http_header; content:!"Referer:";
> nocase; http_header; content:!"User-Agent:"; nocase;
> http_header;content: "|0080 0000 00|"; http_client_body;offset: 24;
> depth: 5;flowbits:set,ET.Tinba.Checkin;
> reference:md5,ade4d8f0447dac5a8edd14c3d44f410d;classtype:
> trojan-activity; sid: 10000274; rev: 2;)
> 
> 
> Hash:
> 
> https://www.dropbox.com/sh/5hcvfyxfvqkm183/AADQ_gtEDukYOHFBLO88HyPLa?dl=0
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
> 