*********************** snort-edge etpro ***********************

[***] Results from Oinkmaster started Tue Nov 12 19:48:20 2019 [***]

[+++]          Added rules:          [+++]

    2009545 - ET USER_AGENTS User-Agent (_TEST_) (user_agents.rules)
    2028963 - ET TROJAN DADJOKE/Rail Tycoon Initial Macro Execution (trojan.rules)
    2028964 - ET TROJAN DADJOKE/Rail Tycoon Payload Extraction (trojan.rules)
    2028965 - ET TROJAN DADJOKE/Rail Tycoon Payload Execution (trojan.rules)
    2839364 - ETPRO POLICY Inbound Doc Dropping Suspect Filetype (exe/dll/vbs/bat) to Persistence Registry Location (policy.rules)
    2839369 - ETPRO TROJAN Win32/Snojan Variant Uploading EXE (trojan.rules)
    2839370 - ETPRO TROJAN ELF/Mirai Variant CnC Activity (trojan.rules)
    2839372 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
    2839373 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
    2839374 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-11-11 1) (trojan.rules)
    2839375 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-11-11 2) (trojan.rules)
    2839376 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-11-11 3) (trojan.rules)
    2839377 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-11-11 4) (trojan.rules)
    2839378 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-11-11 5) (trojan.rules)
    2839379 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-12 (current_events.rules)
    2839380 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-12 (current_events.rules)
    2839381 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-12 (current_events.rules)
    2839382 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-12 (current_events.rules)
    2839383 - ETPRO CURRENT_EVENTS Successful Xfinity/Comcast Phish 2019-11-12 (current_events.rules)
    2839384 - ETPRO CURRENT_EVENTS Successful Prima Banka Phish 2019-11-12 (current_events.rules)
    2839385 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-11-12 (current_events.rules)
    2839386 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2019-11-12 (current_events.rules)
    2839387 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-11-12 (current_events.rules)
    2839388 - ETPRO CURRENT_EVENTS Successful Stripe Phish 2019-11-12 (current_events.rules)
    2839389 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-12 (current_events.rules)
    2839390 - ETPRO CURRENT_EVENTS Successful Commbank Phish 2019-11-12 (current_events.rules)
    2839391 - ETPRO CURRENT_EVENTS Successful Instagram TK Phish 2019-11-12 (current_events.rules)
    2839392 - ETPRO TROJAN VNCStartServer USR Variant CnC Beacon (trojan.rules)
    2839393 - ETPRO TROJAN VNCStartServer BOT Variant CnC Beacon (trojan.rules)
    2839395 - ETPRO TROJAN Win32/Wacatac.B Variant Update Request (trojan.rules)
    2839396 - ETPRO TROJAN Win32/Wacatac.B Variant Download Request (trojan.rules)
    2839397 - ETPRO TROJAN Win32/Wacatac.B Variant Response (trojan.rules)
    2839398 - ETPRO TROJAN Win32/Wacatac.B Variant Successful Payload Download (trojan.rules)
    2839399 - ETPRO TROJAN MSIL/Gen.Downloader - CnC Checkin via MySQL (trojan.rules)
    2839400 - ETPRO TROJAN MSIL/Gen.Downloader Receiving Hex Encoded Payload List M1 (trojan.rules)
    2839401 - ETPRO TROJAN MSIL/Gen.Downloader Receiving Hex Encoded Payload List M2 (trojan.rules)

[///]     Modified active rules:     [///]

    2027325 - ET TROJAN CobaltStrike SMB P2P Default Msagent Named Pipe Interaction (trojan.rules)

[---]         Removed rules:         [---]

    2009545 - ET MALWARE User-Agent (_TEST_) (malware.rules)
    2839364 - ETPRO HUNTING Inbound Doc Dropping Suspect Filetype (exe/dll/vbs/bat) to Persistence Registry Location (hunting.rules)

[+++]      Added non-rule lines:     [+++]

    -> Added to sid-msg.map (36):
        2009545 || ET USER_AGENTS User-Agent (_TEST_) || url,doc.emergingthreats.net/2009545
        2028963 || ET TROJAN DADJOKE/Rail Tycoon Initial Macro Execution || md5,4c89d5d8016581060d9781433cfb0bb5
        2028964 || ET TROJAN DADJOKE/Rail Tycoon Payload Extraction || md5,4c89d5d8016581060d9781433cfb0bb5
        2028965 || ET TROJAN DADJOKE/Rail Tycoon Payload Execution || md5,4c89d5d8016581060d9781433cfb0bb5
        2839364 || ETPRO POLICY Inbound Doc Dropping Suspect Filetype (exe/dll/vbs/bat) to Persistence Registry Location
        2839369 || ETPRO TROJAN Win32/Snojan Variant Uploading EXE || md5,8410533d9a2aa5bc9d2d9800f5dbde24
        2839370 || ETPRO TROJAN ELF/Mirai Variant CnC Activity || md5,e3289b4048d2cfa57aa67f3dd16459c6
        2839372 || ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
        2839373 || ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
        2839374 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-11-11 1) || md5,a4eb3f081eca10f85a65b8905125fac5 || url,mining.bitcoin.cz/stratum-mining || url,www.btcguild.com/new_protocol.php || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html
        2839375 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-11-11 2) || md5,040d4e404739b714bc5f26f7be72458d || url,mining.bitcoin.cz/stratum-mining || url,www.btcguild.com/new_protocol.php || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html
        2839376 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-11-11 3) || md5,cef80a5b0727d14368e5615ed2dbddf1 || url,mining.bitcoin.cz/stratum-mining || url,www.btcguild.com/new_protocol.php || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html
        2839377 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-11-11 4) || md5,f910c515dc488773f60c86f72998a851 || url,mining.bitcoin.cz/stratum-mining || url,www.btcguild.com/new_protocol.php || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html
        2839378 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-11-11 5) || md5,df5b4880cce87aadeabdaad0c526adfb || url,mining.bitcoin.cz/stratum-mining || url,www.btcguild.com/new_protocol.php || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html
        2839379 || ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-12
        2839380 || ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-12
        2839381 || ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-12
        2839382 || ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-12
        2839383 || ETPRO CURRENT_EVENTS Successful Xfinity/Comcast Phish 2019-11-12
        2839384 || ETPRO CURRENT_EVENTS Successful Prima Banka Phish 2019-11-12
        2839385 || ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-11-12
        2839386 || ETPRO CURRENT_EVENTS Successful Linkedin Phish 2019-11-12
        2839387 || ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-11-12
        2839388 || ETPRO CURRENT_EVENTS Successful Stripe Phish 2019-11-12
        2839389 || ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-12
        2839390 || ETPRO CURRENT_EVENTS Successful Commbank Phish 2019-11-12
        2839391 || ETPRO CURRENT_EVENTS Successful Instagram TK Phish 2019-11-12
        2839392 || ETPRO TROJAN VNCStartServer USR Variant CnC Beacon || md5,d66956e0ee70a60e19a4f310339d28a9
        2839393 || ETPRO TROJAN VNCStartServer BOT Variant CnC Beacon || md5,d66956e0ee70a60e19a4f310339d28a9
        2839395 || ETPRO TROJAN Win32/Wacatac.B Variant Update Request || md5,a8819db1fa758fd9f1d501dbb50f454f
        2839396 || ETPRO TROJAN Win32/Wacatac.B Variant Download Request || md5,a8819db1fa758fd9f1d501dbb50f454f
        2839397 || ETPRO TROJAN Win32/Wacatac.B Variant Response || md5,a8819db1fa758fd9f1d501dbb50f454f || md5,a8819db1fa758fd9f1d501dbb50f454f
        2839398 || ETPRO TROJAN Win32/Wacatac.B Variant Successful Payload Download || md5,a8819db1fa758fd9f1d501dbb50f454f
        2839399 || ETPRO TROJAN MSIL/Gen.Downloader - CnC Checkin via MySQL || md5,af9958fd510d5a76ad2b237a481347ca
        2839400 || ETPRO TROJAN MSIL/Gen.Downloader Receiving Hex Encoded Payload List M1 || md5,af9958fd510d5a76ad2b237a481347ca
        2839401 || ETPRO TROJAN MSIL/Gen.Downloader Receiving Hex Encoded Payload List M2 || md5,af9958fd510d5a76ad2b237a481347ca

[---]     Removed non-rule lines:    [---]

    -> Removed from sid-msg.map (2):
        2009545 || ET MALWARE User-Agent (_TEST_) || url,doc.emergingthreats.net/2009545
        2839364 || ETPRO HUNTING Inbound Doc Dropping Suspect Filetype (exe/dll/vbs/bat) to Persistence Registry Location
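Two SIDs in this report, 2009545 and 2839364, appear under both "Removed rules" and "Added rules". They are not new detections: each was moved to a different category file (malware.rules to user_agents.rules, hunting.rules to policy.rules) and its sid-msg.map line was rewritten with the new category prefix. That matters operationally, because Snort loads rule files by explicit `include` lines in snort.conf, so a rule that moves into a file you do not include silently leaves the loaded ruleset, and a rule moving out of hunting.rules into policy.rules may go from off to on (or the reverse) if your tuning is file-based rather than SID-based. The parser below is an added example, not part of Oinkmaster or the Emerging Threats feed; it reads the Oinkmaster results format and the v1 `sid || msg || reftype,ref` sid-msg.map format and separates genuinely new SIDs from category moves. The sample report is a constructed excerpt of the entries on this page.

```python
"""Parse an Oinkmaster results report and separate new SIDs from rules that
merely moved between category files.  Added example, not Oinkmaster's own
code; SAMPLE_REPORT is a constructed excerpt of the update shown above."""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
[***] Results from Oinkmaster started Tue Nov 12 19:48:20 2019 [***]

[+++]          Added rules:          [+++]

    2009545 - ET USER_AGENTS User-Agent (_TEST_) (user_agents.rules)
    2839364 - ETPRO POLICY Inbound Doc Dropping Suspect Filetype (exe/dll/vbs/bat) to Persistence Registry Location (policy.rules)
    2839370 - ETPRO TROJAN ELF/Mirai Variant CnC Activity (trojan.rules)

[///]     Modified active rules:     [///]

    2027325 - ET TROJAN CobaltStrike SMB P2P Default Msagent Named Pipe Interaction (trojan.rules)

[---]         Removed rules:         [---]

    2009545 - ET MALWARE User-Agent (_TEST_) (malware.rules)
    2839364 - ETPRO HUNTING Inbound Doc Dropping Suspect Filetype (exe/dll/vbs/bat) to Persistence Registry Location (hunting.rules)

[+++]      Added non-rule lines:     [+++]

    -> Added to sid-msg.map (3):
        2009545 || ET USER_AGENTS User-Agent (_TEST_) || url,doc.emergingthreats.net/2009545
        2839364 || ETPRO POLICY Inbound Doc Dropping Suspect Filetype (exe/dll/vbs/bat) to Persistence Registry Location
        2839370 || ETPRO TROJAN ELF/Mirai Variant CnC Activity || md5,e3289b4048d2cfa57aa67f3dd16459c6
"""

# Section banners look like "[+++]   Added rules:   [+++]"; the text between
# the brackets names the section.  Rule lines are "SID - msg (file.rules)".
SECTION_RE = re.compile(r"^\[(?:\+\+\+|---|///)\]\s+(.*?):\s+\[(?:\+\+\+|---|///)\]$")
RULE_RE = re.compile(r"^(\d+) - (.*) \(([\w.-]+\.rules)\)$")
SECTION_KEYS = {"added rules": "added", "modified active rules": "modified",
                "removed rules": "removed"}

@dataclass
class RuleChange:
    sid: int
    msg: str
    rulefile: str

@dataclass
class SidMsgEntry:
    sid: int
    msg: str
    refs: list = field(default_factory=list)  # (reftype, value) pairs

def parse_sid_msg_line(line):
    """v1 sid-msg.map: 'sid || msg || reftype,ref || reftype,ref ...'."""
    fields = [f.strip() for f in line.split("||")]
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError(f"not a sid-msg.map line: {line!r}")
    refs = [tuple(ref.partition(",")[::2]) for ref in fields[2:]]
    return SidMsgEntry(int(fields[0]), fields[1], refs)

def parse_report(text):
    """Return dict with keys added/modified/removed (RuleChange lists) and
    sidmsg_added/sidmsg_removed (SidMsgEntry lists)."""
    out = {k: [] for k in ("added", "modified", "removed",
                           "sidmsg_added", "sidmsg_removed")}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = SECTION_KEYS.get(m.group(1).lower())
            continue
        if line.startswith("->"):  # sub-list inside a non-rule-lines section
            if "Added to sid-msg.map" in line:
                section = "sidmsg_added"
            elif "Removed from sid-msg.map" in line:
                section = "sidmsg_removed"
            else:
                section = None  # e.g. classification.config changes: ignored here
            continue
        if section in ("sidmsg_added", "sidmsg_removed"):
            out[section].append(parse_sid_msg_line(line))
            continue
        m = RULE_RE.match(line)
        if m and section:
            out[section].append(RuleChange(int(m.group(1)), m.group(2), m.group(3)))
    return out

def moved_rules(report):
    """SIDs present in both Removed and Added with a different .rules file:
    a reclassification, not a new signature.  Returns (sid, old_file, new_file)."""
    removed = {r.sid: r for r in report["removed"]}
    return [(a.sid, removed[a.sid].rulefile, a.rulefile)
            for a in report["added"]
            if a.sid in removed and removed[a.sid].rulefile != a.rulefile]

def new_sids(report):
    """Added SIDs that were not simultaneously removed, i.e. truly new coverage."""
    removed = {r.sid for r in report["removed"]}
    return sorted(a.sid for a in report["added"] if a.sid not in removed)

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for sid, old, new in moved_rules(rep):
        print(f"moved: {sid} {old} -> {new}  (check snort.conf includes {new})")
    print("new:", new_sids(rep))
```

Run it against the full report on this page and `moved_rules` returns exactly the two reclassified SIDs while `new_sids` returns the 34 others; diffing `rulefile` values against your snort.conf `include` list is the check worth automating after every Oinkmaster run.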