Mailerbot
James_inthe_box
Dec 18th, 2019
yara sig:

rule Mailerbot_bin
{
    meta:
        description = "Mailerbot"
        author = "James_inthe_box"
        reference = "868995c7bd95bb0f7c1e1123130abc72388cbe3fccdc57120f6b90f54ffd04fe"
        date = "2019/12"
        maltype = "Mailer"

    strings:
        $string1 = "spam" wide ascii
        $string2 = "banned" wide ascii
        $string3 = "blacklist" wide ascii
        $string4 = "blocked" wide ascii
        $string5 = "listed as poor" wide ascii
        $string6 = "poor reputation" wide ascii
        $string7 = "ip is filtered" wide ascii
        $string8 = "rbl restriction" wide ascii
        $string9 = "in an rbl" wide ascii
        $string10 = "from that country" wide ascii
        $string11 = "too many connections" wide ascii
        $string12 = "too many concurrent" wide ascii
        $string13 = "try later" wide ascii
        $string14 = "server" wide ascii
        $string15 = "relay" wide ascii
        $string16 = "this connect" wide ascii
        $string17 = "ip is rejected" wide ascii

    condition:
        // MZ header, every SMTP-rejection string present, on-disk binary size bound
        uint16(0) == 0x5A4D and all of ($string*) and filesize < 800KB
}

rule Mailerbot_mem
{
    meta:
        description = "Mailerbot"
        author = "James_inthe_box"
        reference = "868995c7bd95bb0f7c1e1123130abc72388cbe3fccdc57120f6b90f54ffd04fe"
        date = "2019/12"
        maltype = "Mailer"

    strings:
        $string1 = "spam" wide ascii
        $string2 = "banned" wide ascii
        $string3 = "blacklist" wide ascii
        $string4 = "blocked" wide ascii
        $string5 = "listed as poor" wide ascii
        $string6 = "poor reputation" wide ascii
        $string7 = "ip is filtered" wide ascii
        $string8 = "rbl restriction" wide ascii
        $string9 = "in an rbl" wide ascii
        $string10 = "from that country" wide ascii
        $string11 = "too many connections" wide ascii
        $string12 = "too many concurrent" wide ascii
        $string13 = "try later" wide ascii
        $string14 = "server" wide ascii
        $string15 = "relay" wide ascii
        $string16 = "this connect" wide ascii
        $string17 = "ip is rejected" wide ascii

    condition:
        // no MZ check: intended for process memory / dumps, hence the larger size bound
        all of ($string*) and filesize > 800KB
}
  66.  
snort/suricata rules:

# Both rules fire on the bot's HTTP POST check-in to its controller: the first on a
# check-in reporting no job (status=0), the second on a job report carrying the
# task/set/start/count/ok/failed fields. depth:15 anchors the status content to the
# first 15 bytes of the client body (the paste originally used within:15 there, which
# needs a preceding match in the same buffer); both rules are now closed with ')'.

alert tcp any any -> any $HTTP_PORTS (msg:"MailerBot no job Checkin Detected"; flow:to_server,established; content:"POST"; http_method; content:"status=0"; fast_pattern; http_client_body; depth:15; content:"Content-Type|3a 20|application/"; reference:md5,56adac876acc29dd49f20e58c902c156; classtype:trojan-activity; sid:20166309; rev:1; metadata:created_at 2019_12_18;)

alert tcp any any -> any $HTTP_PORTS (msg:"MailerBot job Checkin Detected"; flow:to_server,established; content:"POST"; http_method; content:"status="; fast_pattern; http_client_body; depth:15; content:"&task="; http_client_body; content:"&set="; http_client_body; content:"&start="; http_client_body; content:"&count="; http_client_body; content:"&ok="; http_client_body; content:"&failed="; http_client_body; content:"Content-Type|3a 20|application/"; reference:md5,56adac876acc29dd49f20e58c902c156; classtype:trojan-activity; sid:20166310; rev:1; metadata:created_at 2019_12_18;)
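As an added illustration (not part of the original paste), a small Python emulation of the two Suricata rules' matching logic, run over constructed sample POST requests to show which check-in shapes each rule would fire on and why a body with "status=0" buried deeper than 15 bytes stays quiet. The host names, URIs and body values are constructed, not taken from the sample.

```python
JOB_KEYS = ("&task=", "&set=", "&start=", "&count=", "&ok=", "&failed=")

def split_request(raw):
    """Split a raw HTTP/1.1 request into (method, header block, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method = head.split(" ", 1)[0]
    return method, head, body

def matching_rules(raw):
    """Return the msg names of the check-in rules above this request would trigger."""
    method, head, body = split_request(raw)
    hits = []
    # Both rules: POST method and a 'Content-Type: application/' header.
    if method != "POST" or "Content-Type: application/" not in head:
        return hits
    # Rule 1 (sid 20166309): literal 'status=0' in the first 15 body bytes.
    if "status=0" in body[:15]:
        hits.append("MailerBot no job Checkin Detected")
    # Rule 2 (sid 20166310): 'status=' in the first 15 body bytes plus every report key.
    if "status=" in body[:15] and all(k in body for k in JOB_KEYS):
        hits.append("MailerBot job Checkin Detected")
    return hits

# Constructed sample requests (not real captures).
NO_JOB = ("POST /gate HTTP/1.1\r\nHost: c2.invalid\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n"
          "Content-Length: 8\r\n\r\n"
          "status=0")
JOB = ("POST /gate HTTP/1.1\r\nHost: c2.invalid\r\n"
       "Content-Type: application/x-www-form-urlencoded\r\n"
       "Content-Length: 54\r\n\r\n"
       "status=1&task=7&set=2&start=0&count=100&ok=95&failed=5")
# 'status=0' is present but past the first 15 body bytes, so the depth bound keeps this quiet.
BENIGN = ("POST /login HTTP/1.1\r\nHost: www.invalid\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n"
          "Content-Length: 23\r\n\r\n"
          "user=alice&status=0&x=1")

if __name__ == "__main__":
    for name, req in (("NO_JOB", NO_JOB), ("JOB", JOB), ("BENIGN", BENIGN)):
        print(name, "->", matching_rules(req) or "no match")
```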