
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] MZRevenge
From:       Jason Taylor <jastaylor () emergingthreats ! net>
Date:       2020-03-18 13:00:55
Message-ID: CACDW1-URbcM4fPqd3vwZrOU=ccge-bBO3f-f39BQEr1LPSPDjA () mail ! gmail ! com

Awesome, thanks John!

We will take a look and get it into today's push.

JT

On Wed, Mar 18, 2020 at 8:51 AM Attack Detection
<attackdetectionteam@gmail.com> wrote:
> 
> Hi. We propose an anti-ransomware rule:
> alert http $EXTERNAL_NET any -> $HOME_NET any
> (
> msg: "MALWARE ET [PTsecurity] MZRevenge Ransomware Server Response";
> flow: established, to_client;
> content: "MZR-"; http_server_body;
> depth: 4;
> classtype: trojan-activity;
> metadata: created_at 2020_03_18;
> sid: 1;
> rev: 1;
> )
> A new sample consists of these four bytes in http_server_content.
> https://www.virustotal.com/gui/file/77eb2d8076866a570484997919f43e8ab25d53c31931c99e38e5d6ef64a1cda3/detection
> https://app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/
> pcaps:
> https://www.dropbox.com/sh/z14gry1xg1j9epa/AABj84wLxw38QetnAZ7mees1a?dl=0
> Best Regards, John.
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro \
> http://www.emergingthreats.net 
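
Added example, not part of the original thread or of the Emerging Threats ruleset: a Python emulation of what the proposed rule's `content: "MZR-"; http_server_body; depth: 4;` checks, namely the first four bytes of the normalized (dechunked, gunzipped) response body rather than the raw bytes on the wire. The helper names and the sample responses are constructed for illustration and are not taken from the linked pcaps.

```python
import gzip

MARKER = b"MZR-"  # content string from the proposed rule
DEPTH = 4         # depth: 4 -> the marker must sit in the first 4 body bytes

def dechunk(data: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body into the plain body."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = eol + 2
        out += data[start:start + size]
        pos = start + size + 2  # skip chunk data and its trailing CRLF

def response_body(raw: bytes) -> bytes:
    """Return the normalized body of one raw HTTP response (assumed complete)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body

def rule_matches(raw: bytes) -> bool:
    """Emulate the rule's body match: MARKER within the first DEPTH bytes."""
    return response_body(raw)[:DEPTH] == MARKER

# Constructed sample responses (not from the pcaps linked in the thread).
PLAIN = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nMZR-00000000"
CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"2\r\nMZ\r\n6\r\nR-0000\r\n0\r\n\r\n")  # marker split across chunks
GZIPPED = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
           + gzip.compress(b"MZR-00000000"))
LATER = b"HTTP/1.1 200 OK\r\n\r\n<p>MZR-00000000</p>"  # marker past depth 4

if __name__ == "__main__":
    for name in ("PLAIN", "CHUNKED", "GZIPPED", "LATER"):
        print(name, rule_matches(globals()[name]))
```
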

