James_inthe_box

Malware ID hunt

Nov 24th, 2018
Oct12:
f0b2b5e48230a5ad021890477dba75fd4c781121025bb3bf1a95cb5e948777f0
HOST1:names34.top
HOST2:dircon88.bit
DNS1:5.132.191.104
DNS2:ns1.vic.au.dns.opennic.glue
DNS3:ns2.vic.au.dns.opennic.glue

C:\isync\\Release\Code.pdb

Nov24
9b6746d5e2bb47d71b7dd1fb6e2617e295168d55dc481c59023c3070f4670171
HOST1:109.234.39.139
HOST2:109.234.39.139
DNS1:5.132.191.104
DNS2:ns1.vic.au.dns.opennic.glue
DNS3:ns2.vic.au.dns.opennic.glue

C:\uni\Release\purchasing.pdb

snort/suricata sig:
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"TROJAN Unknown XPMI Initial Checkin"; flow:established,to_server; dsize:<5; content:"|43 00 3a 00|"; depth:4; reference:md5,3a92d94b1ff723f07c3c1e15576734f2; reference:md5,2bdc299b198127fe4a689c299ee7ecfa; classtype:trojan-activity; sid:20166270; rev:1; metadata:created_at 2018_11_24;)

yara rule:
rule unknown_xpmi
{
    meta:
        author = "James_inthe_box"
        date = "2018/11"
        maltype = "Unknown_XPMI"

    strings:
        $string1 = "HOST1:"
        $string2 = "HOST2:"
        $string3 = "DNS1:"
        $string4 = "DNS2:"
        $string5 = "DNS3:"

    condition:
        3 of ($string*)
}
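Added example (not from the paste) that applies the logic of the two rules above to constructed data: the "3 of ($string*)" marker count from the YARA rule, a small parser for the HOST1:/HOST2:/DNS1-3: config layout the samples show, and the dsize:<5 plus UTF-16LE "C:" check from the Snort rule. The function names, sample values and the assumption that the config is stored as plain ASCII lines are mine.

```python
import re

# Constructed sample config in the HOST1:/HOST2:/DNS1-3: layout seen in the
# paste; values are placeholders, not the real indicators.
SAMPLE_CONFIG = (
    b"HOST1:example-c2.invalid\n"
    b"HOST2:203.0.113.10\n"
    b"DNS1:198.51.100.53\n"
    b"DNS2:ns1.example.invalid\n"
    b"DNS3:ns2.example.invalid\n"
)

# Same five markers the YARA rule's $string1..$string5 look for.
CONFIG_MARKERS = (b"HOST1:", b"HOST2:", b"DNS1:", b"DNS2:", b"DNS3:")


def yara_condition_hits(data: bytes, threshold: int = 3) -> bool:
    """Mirror 'condition: 3 of ($string*)': at least `threshold` distinct markers present."""
    return sum(1 for marker in CONFIG_MARKERS if marker in data) >= threshold


def parse_config(data: bytes) -> dict:
    """Hypothetical helper: pull marker/value pairs out of a blob that matched the rule.

    Assumes each value runs from the marker to the next CR, LF or NUL byte.
    """
    fields = {}
    for marker in CONFIG_MARKERS:
        hit = re.search(re.escape(marker) + rb"([^\r\n\x00]+)", data)
        if hit:
            fields[marker.decode().rstrip(":")] = hit.group(1).decode(errors="replace")
    return fields


def snort_checkin_hits(payload: bytes) -> bool:
    """Mirror the Snort rule body: dsize:<5 and |43 00 3a 00| ('C:' in UTF-16LE) at depth 4.

    With a 4-byte content and depth 4 the match can only sit at offset 0.
    """
    return len(payload) < 5 and payload[:4] == b"\x43\x00\x3a\x00"
```

Both checks are deliberately loose (five short ASCII markers, a four-byte checkin), so in practice they belong alongside the sample hashes and PDB paths above rather than as stand-alone verdicts.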