*********************** suricata-4.0-enhanced open-nogpl ***********************

[***] Results from Oinkmaster started Wed Aug 26 18:00:30 2020 [***]

[+++] Added rules: [+++]

    2027970 - ET TROJAN Possible PHP.MAILER WebShell Register Shutdown Function Request Inbound (emerging-trojan.rules)
    2028570 - ET TROJAN Possible TransparentTribe APT CnC Activity (emerging-trojan.rules)
    2028909 - ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query (emerging-trojan.rules)
    2028910 - ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query (emerging-trojan.rules)
    2028927 - ET TROJAN StrongPity CnC Domain Observed in DNS Query (emerging-trojan.rules)
    2029238 - ET TROJAN Legion Loader Activity Observed (emerging-trojan.rules)
    2029348 - ET TROJAN DonotGroup CnC Observed in DNS Query (emerging-trojan.rules)
    2029523 - ET TROJAN Fake ProtonVPN/AZORult CnC Domain Query (emerging-trojan.rules)
    2029574 - ET TROJAN SharpExec EXE Lateral Movement Tool Downloaded (emerging-trojan.rules)
    2029644 - ET TROJAN [PTsecurity] MZRevenge Ransomware Server Response (emerging-trojan.rules)
    2029991 - ET TROJAN JS Skimmer Domain in DNS Lookup (emerging-trojan.rules)
    2029992 - ET TROJAN JS Skimmer Domain in DNS Lookup (emerging-trojan.rules)
    2030104 - ET TROJAN Nazar Implant - Sending Ping Response to CnC (emerging-trojan.rules)
    2030197 - ET TROJAN eleethub .com Domain in DNS Lookup (eleethub .com) (emerging-trojan.rules)
    2030207 - ET TROJAN BF Botnet CnC Checkin (emerging-trojan.rules)
    2030438 - ET TROJAN Evil Google Drive Download (emerging-trojan.rules)
    2030550 - ET TROJAN MASSLOGGER Client Data Exfil (POST) M2 (emerging-trojan.rules)
    2030719 - ET TROJAN Mekotio HTTP Method (111SA) (emerging-trojan.rules)
    2030795 - ET TROJAN Observed Get2 CnC Domain in TLS SNI (emerging-trojan.rules)
    2030796 - ET TROJAN Observed Get2 CnC Domain in TLS SNI (emerging-trojan.rules)
    2030797 - ET TROJAN W32/Downloader_x.EJK!tr CnC Activity (emerging-trojan.rules)
    2030798 - ET MALWARE Win32/InstallCore.GF CnC Activity (emerging-malware.rules)
    2030799 - ET POLICY Observed Packity Proxy Domain in TLS SNI (emerging-policy.rules)
    2030800 - ET POLICY Packity Proxy Connection (emerging-policy.rules)
    2030801 - ET TROJAN Grandoreiro Downloader Activity (emerging-trojan.rules)

[///] Modified active rules: [///]

    2003635 - ET TROJAN Generic Password Stealer User Agent Detected (RookIE) (emerging-trojan.rules)
    2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (emerging-policy.rules)
    2025496 - ET TROJAN Observed GandCrab Payment Domain (gandcrab in DNS Lookup) (emerging-trojan.rules)
    2026361 - ET TROJAN MS_D0wnl0ad3r Screenshot Upload (emerging-trojan.rules)
    2026363 - ET TROJAN MS_D0wnl0ad3r Checkin (emerging-trojan.rules)
    2026413 - ET INFO Possible System Enumeration via WMI Queries (AntiVirusProduct) (emerging-info.rules)
    2026414 - ET INFO Possible System Enumeration via WMI Queries (AntiSpywareProduct) (emerging-info.rules)
    2026415 - ET INFO Possible System Enumeration via WMI Queries (FirewallProduct) (emerging-info.rules)
    2026416 - ET TROJAN Suspected DNS2TCP Auth (emerging-trojan.rules)
    2026417 - ET TROJAN Suspected DNS2TCP Connect (emerging-trojan.rules)
    2026418 - ET TROJAN Suspected fraud-bridge DNS Tunnel (emerging-trojan.rules)
    2026421 - ET CURRENT_EVENTS Underminer EK Key POST (emerging-current_events.rules)
    2026422 - ET CURRENT_EVENTS Underminer EK Resource File Download M1 (emerging-current_events.rules)
    2026423 - ET CURRENT_EVENTS Underminer EK Resource File Download M2 (emerging-current_events.rules)
    2026424 - ET CURRENT_EVENTS Underminer EK Plugin Check (emerging-current_events.rules)
    2026425 - ET CURRENT_EVENTS Underminer EK Flash/WAV Loader (emerging-current_events.rules)
    2026464 - ET SCAN Hello Peppa! Scan Activity (emerging-scan.rules)
    2026466 - ET CURRENT_EVENTS Successful Generic Phish (set) 2018-10-10 (emerging-current_events.rules)
    2026473 - ET TROJAN Kraken Ransomware End Activity (emerging-trojan.rules)
    2026474 - ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M1 2018-10-12 (emerging-web_client.rules)
    2026492 - ET CURRENT_EVENTS Successful Generic Phish (set) 2018-10-16 (emerging-current_events.rules)
    2026493 - ET CURRENT_EVENTS Successful Generic Phish (set) 2018-10-16 (emerging-current_events.rules)
    2026515 - ET INFO Suspicious Redirect to Download EXE from Bitbucket (emerging-info.rules)
    2026516 - ET CURRENT_EVENTS Possible Successful Phish - Generic Credential POST to Ngrok.io (emerging-current_events.rules)
    2026518 - ET CURRENT_EVENTS Successful Generic Phish (set) 2018-10-18 (emerging-current_events.rules)
    2026519 - ET USER_AGENTS Suspicious User-Agent (Windows XP) (emerging-user_agents.rules)
    2026520 - ET USER_AGENTS Suspicious User-Agent (Windows 8) (emerging-user_agents.rules)
    2026522 - ET USER_AGENTS Suspicious User-Agent (Windows 7) (emerging-user_agents.rules)
    2026523 - ET TROJAN ELF/Chacha.DDoS/Xor.DDoS Stage 2 CnC Checkin (emerging-trojan.rules)
    2026527 - ET TROJAN Zebrocy Backdoor CnC Activity (emerging-trojan.rules)
    2028613 - ET MALWARE BundledInstaller PUA/PUP Downloader (emerging-malware.rules)
    2029657 - ET CURRENT_EVENTS Successful Generic Phish (302) 2016-12-16 (emerging-current_events.rules)
    2402000 - ET DROP Dshield Block Listed Source group 1 (dshield.rules)
    2403300 - ET CINS Active Threat Intelligence Poor Reputation IP group 1 (ciarmy.rules)
    2403301 - ET CINS Active Threat Intelligence Poor Reputation IP group 2 (ciarmy.rules)
    2403302 - ET CINS Active Threat Intelligence Poor Reputation IP group 3 (ciarmy.rules)
    2403303 - ET CINS Active Threat Intelligence Poor Reputation IP group 4 (ciarmy.rules)
    2403304 - ET CINS Active Threat Intelligence Poor Reputation IP group 5 (ciarmy.rules)
    2403305 - ET CINS Active Threat Intelligence Poor Reputation IP group 6 (ciarmy.rules)
    2403306 - ET CINS Active Threat Intelligence Poor Reputation IP group 7 (ciarmy.rules)
    2403307 - ET CINS Active Threat Intelligence Poor Reputation IP group 8 (ciarmy.rules)
    2403308 - ET CINS Active Threat Intelligence Poor Reputation IP group 9 (ciarmy.rules)
    2403309 - ET CINS Active Threat Intelligence Poor Reputation IP group 10 (ciarmy.rules)
    2403310 - ET CINS Active Threat Intelligence Poor Reputation IP group 11 (ciarmy.rules)
    2403311 - ET CINS Active Threat Intelligence Poor Reputation IP group 12 (ciarmy.rules)
    2403312 - ET CINS Active Threat Intelligence Poor Reputation IP group 13 (ciarmy.rules)
    2403313 - ET CINS Active Threat Intelligence Poor Reputation IP group 14 (ciarmy.rules)
    2403314 - ET CINS Active Threat Intelligence Poor Reputation IP group 15 (ciarmy.rules)
    2403315 - ET CINS Active Threat Intelligence Poor Reputation IP group 16 (ciarmy.rules)
    2403316 - ET CINS Active Threat Intelligence Poor Reputation IP group 17 (ciarmy.rules)
    2403317 - ET CINS Active Threat Intelligence Poor Reputation IP group 18 (ciarmy.rules)
    2403318 - ET CINS Active Threat Intelligence Poor Reputation IP group 19 (ciarmy.rules)
    2403319 - ET CINS Active Threat Intelligence Poor Reputation IP group 20 (ciarmy.rules)
    2403320 - ET CINS Active Threat Intelligence Poor Reputation IP group 21 (ciarmy.rules)
    2403321 - ET CINS Active Threat Intelligence Poor Reputation IP group 22 (ciarmy.rules)
    2403322 - ET CINS Active Threat Intelligence Poor Reputation IP group 23 (ciarmy.rules)
    2403323 - ET CINS Active Threat Intelligence Poor Reputation IP group 24 (ciarmy.rules)
    2403324 - ET CINS Active Threat Intelligence Poor Reputation IP group 25 (ciarmy.rules)
    2403325 - ET CINS Active Threat Intelligence Poor Reputation IP group 26 (ciarmy.rules)
    2403326 - ET CINS Active Threat Intelligence Poor Reputation IP group 27 (ciarmy.rules)
    2403327 - ET CINS Active Threat Intelligence Poor Reputation IP group 28 (ciarmy.rules)
    2403328 - ET CINS Active Threat Intelligence Poor Reputation IP group 29 (ciarmy.rules)
    2403329 - ET CINS Active Threat Intelligence Poor Reputation IP group 30 (ciarmy.rules)
    2403330 - ET CINS Active Threat Intelligence Poor Reputation IP group 31 (ciarmy.rules)
    2403331 - ET CINS Active Threat Intelligence Poor Reputation IP group 32 (ciarmy.rules)
    2403332 - ET CINS Active Threat Intelligence Poor Reputation IP group 33 (ciarmy.rules)
    2403333 - ET CINS Active Threat Intelligence Poor Reputation IP group 34 (ciarmy.rules)
    2403334 - ET CINS Active Threat Intelligence Poor Reputation IP group 35 (ciarmy.rules)
    2403335 - ET CINS Active Threat Intelligence Poor Reputation IP group 36 (ciarmy.rules)
    2403336 - ET CINS Active Threat Intelligence Poor Reputation IP group 37 (ciarmy.rules)
    2403337 - ET CINS Active Threat Intelligence Poor Reputation IP group 38 (ciarmy.rules)
    2403338 - ET CINS Active Threat Intelligence Poor Reputation IP group 39 (ciarmy.rules)
    2403339 - ET CINS Active Threat Intelligence Poor Reputation IP group 40 (ciarmy.rules)
    2403340 - ET CINS Active Threat Intelligence Poor Reputation IP group 41 (ciarmy.rules)
    2403341 - ET CINS Active Threat Intelligence Poor Reputation IP group 42 (ciarmy.rules)
    2403342 - ET CINS Active Threat Intelligence Poor Reputation IP group 43 (ciarmy.rules)
    2403343 - ET CINS Active Threat Intelligence Poor Reputation IP group 44 (ciarmy.rules)
    2403344 - ET CINS Active Threat Intelligence Poor Reputation IP group 45 (ciarmy.rules)
    2403345 - ET CINS Active Threat Intelligence Poor Reputation IP group 46 (ciarmy.rules)
    2403346 - ET CINS Active Threat Intelligence Poor Reputation IP group 47 (ciarmy.rules)
    2403347 - ET CINS Active Threat Intelligence Poor Reputation IP group 48 (ciarmy.rules)
    2403348 - ET CINS Active Threat Intelligence Poor Reputation IP group 49 (ciarmy.rules)
    2403349 - ET CINS Active Threat Intelligence Poor Reputation IP group 50 (ciarmy.rules)
    2403350 - ET CINS Active Threat Intelligence Poor Reputation IP group 51 (ciarmy.rules)
    2403351 - ET CINS Active Threat Intelligence Poor Reputation IP group 52 (ciarmy.rules)
    2403352 - ET CINS Active Threat Intelligence Poor Reputation IP group 53 (ciarmy.rules)
    2403353 - ET CINS Active Threat Intelligence Poor Reputation IP group 54 (ciarmy.rules)
    2403354 - ET CINS Active Threat Intelligence Poor Reputation IP group 55 (ciarmy.rules)
    2403355 - ET CINS Active Threat Intelligence Poor Reputation IP group 56 (ciarmy.rules)
    2403356 - ET CINS Active Threat Intelligence Poor Reputation IP group 57 (ciarmy.rules)
    2403357 - ET CINS Active Threat Intelligence Poor Reputation IP group 58 (ciarmy.rules)
    2403358 - ET CINS Active Threat Intelligence Poor Reputation IP group 59 (ciarmy.rules)
    2403359 - ET CINS Active Threat Intelligence Poor Reputation IP group 60 (ciarmy.rules)
    2403360 - ET CINS Active Threat Intelligence Poor Reputation IP group 61 (ciarmy.rules)
    2403361 - ET CINS Active Threat Intelligence Poor Reputation IP group 62 (ciarmy.rules)
    2403362 - ET CINS Active Threat Intelligence Poor Reputation IP group 63 (ciarmy.rules)
    2403363 - ET CINS Active Threat Intelligence Poor Reputation IP group 64 (ciarmy.rules)
    2403364 - ET CINS Active Threat Intelligence Poor Reputation IP group 65 (ciarmy.rules)
    2403365 - ET CINS Active Threat Intelligence Poor Reputation IP group 66 (ciarmy.rules)
    2403366 - ET CINS Active Threat Intelligence Poor Reputation IP group 67 (ciarmy.rules)
    2403367 - ET CINS Active Threat Intelligence Poor Reputation IP group 68 (ciarmy.rules)
    2403368 - ET CINS Active Threat Intelligence Poor Reputation IP group 69 (ciarmy.rules)
    2403369 - ET CINS Active Threat Intelligence Poor Reputation IP group 70 (ciarmy.rules)
    2403370 - ET CINS Active Threat Intelligence Poor Reputation IP group 71 (ciarmy.rules)
    2403371 - ET CINS Active Threat Intelligence Poor Reputation IP group 72 (ciarmy.rules)
    2403372 - ET CINS Active Threat Intelligence Poor Reputation IP group 73 (ciarmy.rules)
    2403373 - ET CINS Active Threat Intelligence Poor Reputation IP group 74 (ciarmy.rules)
    2403374 - ET CINS Active Threat Intelligence Poor Reputation IP group 75 (ciarmy.rules)
    2403375 - ET CINS Active Threat Intelligence Poor Reputation IP group 76 (ciarmy.rules)
    2403376 - ET CINS Active Threat Intelligence Poor Reputation IP group 77 (ciarmy.rules)
    2403377 - ET CINS Active Threat Intelligence Poor Reputation IP group 78 (ciarmy.rules)
    2403378 - ET CINS Active Threat Intelligence Poor Reputation IP group 79 (ciarmy.rules)
    2403379 - ET CINS Active Threat Intelligence Poor Reputation IP group 80 (ciarmy.rules)
    2403380 - ET CINS Active Threat Intelligence Poor Reputation IP group 81 (ciarmy.rules)
    2403381 - ET CINS Active Threat Intelligence Poor Reputation IP group 82 (ciarmy.rules)
    2403382 - ET CINS Active Threat Intelligence Poor Reputation IP group 83 (ciarmy.rules)
    2403383 - ET CINS Active Threat Intelligence Poor Reputation IP group 84 (ciarmy.rules)
    2403384 - ET CINS Active Threat Intelligence Poor Reputation IP group 85 (ciarmy.rules)
    2403385 - ET CINS Active Threat Intelligence Poor Reputation IP group 86 (ciarmy.rules)
    2403386 - ET CINS Active Threat Intelligence Poor Reputation IP group 87 (ciarmy.rules)
    2403387 - ET CINS Active Threat Intelligence Poor Reputation IP group 88 (ciarmy.rules)
    2403388 - ET CINS Active Threat Intelligence Poor Reputation IP group 89 (ciarmy.rules)
    2403389 - ET CINS Active Threat Intelligence Poor Reputation IP group 90 (ciarmy.rules)
    2403390 - ET CINS Active Threat Intelligence Poor Reputation IP group 91 (ciarmy.rules)
    2403391 - ET CINS Active Threat Intelligence Poor Reputation IP group 92 (ciarmy.rules)
    2403392 - ET CINS Active Threat Intelligence Poor Reputation IP group 93 (ciarmy.rules)
    2403393 - ET CINS Active Threat Intelligence Poor Reputation IP group 94 (ciarmy.rules)
    2403394 - ET CINS Active Threat Intelligence Poor Reputation IP group 95 (ciarmy.rules)
    2403395 - ET CINS Active Threat Intelligence Poor Reputation IP group 96 (ciarmy.rules)
    2403396 - ET CINS Active Threat Intelligence Poor Reputation IP group 97 (ciarmy.rules)
    2403397 - ET CINS Active Threat Intelligence Poor Reputation IP group 98 (ciarmy.rules)
    2403398 - ET CINS Active Threat Intelligence Poor Reputation IP group 99 (ciarmy.rules)
    2403399 - ET CINS Active Threat Intelligence Poor Reputation IP group 100 (ciarmy.rules)
    2405000 - ET CNC Shadowserver Reported CnC Server Port 80 Group 1 (botcc.portgrouped.rules)
    2405001 - ET CNC Shadowserver Reported CnC Server Port 81 Group 1 (botcc.portgrouped.rules)
    2405002 - ET CNC Shadowserver Reported CnC Server Port 443 Group 1 (botcc.portgrouped.rules)
    2405003 - ET CNC Shadowserver Reported CnC Server Port 1337 Group 1 (botcc.portgrouped.rules)
    2405004 - ET CNC Shadowserver Reported CnC Server Port 2319 Group 1 (botcc.portgrouped.rules)
    2405005 - ET CNC Shadowserver Reported CnC Server Port 4042 Group 1 (botcc.portgrouped.rules)
    2405006 - ET CNC Shadowserver Reported CnC Server Port 4244 Group 1 (botcc.portgrouped.rules)
    2405007 - ET CNC Shadowserver Reported CnC Server Port 6556 Group 1 (botcc.portgrouped.rules)
    2405008 - ET CNC Shadowserver Reported CnC Server Port 6667 Group 1 (botcc.portgrouped.rules)
    2405009 - ET CNC Shadowserver Reported CnC Server Port 6668 Group 1 (botcc.portgrouped.rules)
    2405010 - ET CNC Shadowserver Reported CnC Server Port 6768 Group 1 (botcc.portgrouped.rules)
    2405011 - ET CNC Shadowserver Reported CnC Server Port 7000 Group 1 (botcc.portgrouped.rules)
    2405012 - ET CNC Shadowserver Reported CnC Server Port 8585 Group 1 (botcc.portgrouped.rules)
    2405013 - ET CNC Shadowserver Reported CnC Server Port 9000 Group 1 (botcc.portgrouped.rules)
    2405014 - ET CNC Shadowserver Reported CnC Server Port 10324 Group 1 (botcc.portgrouped.rules)
    2405015 - ET CNC Shadowserver Reported CnC Server Port 11830 Group 1 (botcc.portgrouped.rules)
    2405016 - ET CNC Shadowserver Reported CnC Server Port 13001 Group 1 (botcc.portgrouped.rules)
    2405017 - ET CNC Shadowserver Reported CnC Server Port 33333 Group 1 (botcc.portgrouped.rules)
    2525000 - ET 3CORESec Poor Reputation IP group 1 (3coresec.rules)
    2525001 - ET 3CORESec Poor Reputation IP group 2 (3coresec.rules)
    2525002 - ET 3CORESec Poor Reputation IP group 3 (3coresec.rules)
    2525003 - ET 3CORESec Poor Reputation IP group 4 (3coresec.rules)
    2525004 - ET 3CORESec Poor Reputation IP group 5 (3coresec.rules)
    2525005 - ET 3CORESec Poor Reputation IP group 6 (3coresec.rules)
    2525006 - ET 3CORESec Poor Reputation IP group 7 (3coresec.rules)
    2525007 - ET 3CORESec Poor Reputation IP group 8 (3coresec.rules)
    2525008 - ET 3CORESec Poor Reputation IP group 9 (3coresec.rules)
    2525009 - ET 3CORESec Poor Reputation IP group 10 (3coresec.rules)
    2525010 - ET 3CORESec Poor Reputation IP group 11 (3coresec.rules)
    2525011 - ET 3CORESec Poor Reputation IP group 12 (3coresec.rules)
    2525012 - ET 3CORESec Poor Reputation IP group 13 (3coresec.rules)
    2525013 - ET 3CORESec Poor Reputation IP group 14 (3coresec.rules)
    2525014 - ET 3CORESec Poor Reputation IP group 15 (3coresec.rules)
    2525015 - ET 3CORESec Poor Reputation IP group 16 (3coresec.rules)
    2525016 - ET 3CORESec Poor Reputation IP group 17 (3coresec.rules)

[---] Removed rules: [---]

    2027970 - ET MALWARE Possible PHP.MAILER WebShell Register Shutdown Function Request Inbound (emerging-malware.rules)
    2028570 - ET MALWARE Possible TransparentTribe APT CnC Activity (emerging-malware.rules)
    2028909 - ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query (emerging-malware.rules)
    2028910 - ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query (emerging-malware.rules)
    2028927 - ET MALWARE StrongPity CnC Domain Observed in DNS Query (emerging-malware.rules)
    2029238 - ET MALWARE Legion Loader Activity Observed (emerging-malware.rules)
    2029348 - ET MALWARE DonotGroup CnC Observed in DNS Query (emerging-malware.rules)
    2029523 - ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query (emerging-malware.rules)
    2029574 - ET MALWARE SharpExec EXE Lateral Movement Tool Downloaded (emerging-malware.rules)
    2029644 - ET MALWARE [PTsecurity] MZRevenge Ransomware Server Response (emerging-malware.rules)
    2029991 - ET MALWARE JS Skimmer Domain in DNS Lookup (emerging-malware.rules)
    2029992 - ET MALWARE JS Skimmer Domain in DNS Lookup (emerging-malware.rules)
    2030104 - ET MALWARE Nazar Implant - Sending Ping Response to CnC (emerging-malware.rules)
    2030197 - ET MALWARE eleethub .com Domain in DNS Lookup (eleethub .com) (emerging-malware.rules)
    2030207 - ET MALWARE BF Botnet CnC Checkin (emerging-malware.rules)
    2030438 - ET MALWARE Evil Google Drive Download (emerging-malware.rules)
    2030550 - ET MALWARE MASSLOGGER Client Data Exfil (POST) M2 (emerging-malware.rules)
    2030719 - ET MALWARE Mekotio HTTP Method (111SA) (emerging-malware.rules)

[+++] Added non-rule lines: [+++]

    -> Added to 3coresec.rules (1):
        # Version 29

    -> Added to sid-msg.map (33):
        2027970 || ET TROJAN Possible PHP.MAILER WebShell Register Shutdown Function Request Inbound || url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abuses-php-functions-for-persistence-uses-compromised-devices-for-evasion-and-intrusion/
        2028570 || ET TROJAN Possible TransparentTribe APT CnC Activity || url,mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA
        2028909 || ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query || url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/
        2028910 || ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query || url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/
        2028927 || ET TROJAN StrongPity CnC Domain Observed in DNS Query
        2029238 || ET TROJAN Legion Loader Activity Observed
        2029348 || ET TROJAN DonotGroup CnC Observed in DNS Query
        2029523 || ET TROJAN Fake ProtonVPN/AZORult CnC Domain Query || url,securelist.com/azorult-spreads-as-a-fake-protonvpn-installer/96261/
        2029574 || ET TROJAN SharpExec EXE Lateral Movement Tool Downloaded || url,github.com/anthemtotheego/SharpExec
        2029644 || ET TROJAN [PTsecurity] MZRevenge Ransomware Server Response || url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/
        2029991 || ET TROJAN JS Skimmer Domain in DNS Lookup || url,twitter.com/MBThreatIntel/status/1252338975265546242
        2029992 || ET TROJAN JS Skimmer Domain in DNS Lookup || url,twitter.com/MBThreatIntel/status/1252338975265546242
        2030104 || ET TROJAN Nazar Implant - Sending Ping Response to CnC || url,research.checkpoint.com/2020/nazar-spirits-of-the-past/
        2030197 || ET TROJAN eleethub .com Domain in DNS Lookup (eleethub .com) || url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet
        2030207 || ET TROJAN BF Botnet CnC Checkin || md5,3c475b319959069053191e740822fcd6
        2030438 || ET TROJAN Evil Google Drive Download || md5,f5ee4c578976587586202c15e98997ed
        2030550 || ET TROJAN MASSLOGGER Client Data Exfil (POST) M2 || md5,79efca38c3230aaae9dd8bb11f15fe43
        2030719 || ET TROJAN Mekotio HTTP Method (111SA) || url,www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/
        2030795 || ET TROJAN Observed Get2 CnC Domain in TLS SNI
        2030796 || ET TROJAN Observed Get2 CnC Domain in TLS SNI
        2030797 || ET TROJAN W32/Downloader_x.EJK!tr CnC Activity || md5,0241deba165817083c66fae17e09d68f
        2030798 || ET MALWARE Win32/InstallCore.GF CnC Activity || md5,37cbc5d7eaa9ce6a097950aa051080b5
        2030799 || ET POLICY Observed Packity Proxy Domain in TLS SNI || md5,47a200e64ea11b25efc9bf78c4b03a1c
        2030800 || ET POLICY Packity Proxy Connection || md5,9d245ac24d0dad591d01d2ef52da3ead
        2030801 || ET TROJAN Grandoreiro Downloader Activity || url,app.any.run/tasks/aa328aa8-e521-429f-9c42-9583f7e87c76/
        2500060 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 31 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2520124 || ET TOR Known Tor Exit Node Traffic group 125 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2520125 || ET TOR Known Tor Exit Node Traffic group 126 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522786 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 787 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522787 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 788 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522788 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 789 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522789 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 790 || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2522790 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 791 || url,doc.emergingthreats.net/bin/view/Main/TorRules

[---] Removed non-rule lines: [---]

    -> Removed from 3coresec.rules (1):
        # Version 28

    -> Removed from sid-msg.map (18):
        2027970 || ET MALWARE Possible PHP.MAILER WebShell Register Shutdown Function Request Inbound || url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abuses-php-functions-for-persistence-uses-compromised-devices-for-evasion-and-intrusion/
        2028570 || ET MALWARE Possible TransparentTribe APT CnC Activity || url,mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA
        2028909 || ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query || url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/
        2028910 || ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query || url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/
        2028927 || ET MALWARE StrongPity CnC Domain Observed in DNS Query
        2029238 || ET MALWARE Legion Loader Activity Observed
        2029348 || ET MALWARE DonotGroup CnC Observed in DNS Query
        2029523 || ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query || url,securelist.com/azorult-spreads-as-a-fake-protonvpn-installer/96261/
        2029574 || ET MALWARE SharpExec EXE Lateral Movement Tool Downloaded || url,github.com/anthemtotheego/SharpExec
        2029644 || ET MALWARE [PTsecurity] MZRevenge Ransomware Server Response || url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/
        2029991 || ET MALWARE JS Skimmer Domain in DNS Lookup || url,twitter.com/MBThreatIntel/status/1252338975265546242
        2029992 || ET MALWARE JS Skimmer Domain in DNS Lookup || url,twitter.com/MBThreatIntel/status/1252338975265546242
        2030104 || ET MALWARE Nazar Implant - Sending Ping Response to CnC || url,research.checkpoint.com/2020/nazar-spirits-of-the-past/
        2030197 || ET MALWARE eleethub .com Domain in DNS Lookup (eleethub .com) || url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet
        2030207 || ET MALWARE BF Botnet CnC Checkin || md5,3c475b319959069053191e740822fcd6
        2030438 || ET MALWARE Evil Google Drive Download || md5,f5ee4c578976587586202c15e98997ed
        2030550 || ET MALWARE MASSLOGGER Client Data Exfil (POST) M2 || md5,79efca38c3230aaae9dd8bb11f15fe43
        2030719 || ET MALWARE Mekotio HTTP Method (111SA) || url,www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/