{
	"id": "ab930197-2ed0-4e6e-8722-dc13d30bdd0c",
	"created_at": "2026-04-06T00:21:57.543237Z",
	"updated_at": "2026-04-10T13:11:30.27346Z",
	"deleted_at": null,
	"sha1_hash": "111e977230b762cc862064e334b00668340691bf",
	"title": "Snort: Multiple signatures 032",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61294,
	"plain_text": "Snort: Multiple signatures 032\r\nBy Y M via Snort-sigs\r\nArchived: 2026-04-05 16:30:35 UTC\r\nSnort mailing list archives\r\nFrom: Y M via Snort-sigs \u003csnort-sigs () lists snort org\u003e\r\nDate: Fri, 20 Sep 2019 11:12:03 +0000\r\nHello,\r\nHere are some new rules with Yara/ClamAV signatures as well as PCAPs available for the majority of th\r\nThank you.\r\nYM\r\n# --------------------\r\n# Title: .NET binary AspireCrypt\r\n# Reference: Research\r\n# Tests: pcap\r\n# Detection:\r\n# - Yara: INDICATOR_Excutable_Packed_AspireCrypt\r\n# - ClamAV: INDICATOR_Excutable.Packed.AspireCrypt\r\n# Hashes:\r\n# - 176c6d49d475cfcf0723824e0b401eff33d1e2f55a07bddbdc7a47755f7c9bd1 (AgentTesla)\r\n# - 3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de (Nanocore)\r\n# - 4b9fdee9692066142596e6164dfed4ba1d860f34949fcbd2ec78471dbd05cbce (Remcos)\r\n# - 9e4035b96ff9dec31125d57a0b845cbe4fbaf057565583637601609c26a62976 (AgentTesla)\r\n# Notes: NA\r\nalert tcp $EXTERNAL_NET $FILE_DATA_PORTS -\u003e $HOME_NET any (msg:\"INDICATOR-OBFUSCATION AspireCrypt obf\r\nbinary download attempt\"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:\"p\r\nAspireCrypt\"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service\r\npop3; classtype:misc-activity; sid:8000694; rev:1;)\r\nalert tcp $EXTERNAL_NET any -\u003e $SMTP_SERVERS 25 (msg:\"INDICATOR-OBFUSCATION AspireCrypt obfuscated .N\r\nattempt\"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:\"protected by Aspi\r\nfast_pattern:only; metadata:ruleset community, service smtp; classtype:misc-activity; sid:8000695; re\r\nhttps://seclists.org/snort/2019/q3/343\r\nPage 1 of 5\r\n# --------------------\r\n# Title: Laturo Stealer\r\n# Reference: Research\r\n# Tests: pcap\r\n# Detection:\r\n# - Yara: MALWARE_Win_Trojan_Laturo\r\n# - ClamAV: MALWARE_Win.Trojan.Laturo\r\n# Hashes: ab9d492b71cb61129034b94296ae0e1bec9d2d12477c236e51ba6be372c33c15\r\n# Notes:\r\n# - Coincides with AveMaria.\r\n# - OS choices also include \"unknown\" but was not considered in the second signature.\r\n# - First signature may be ignored since the follow up traffic also contains \"Hwid\".\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"MALWARE-CNC Win.Trojan.Laturo stealer init\r\nconnection\"; flow:to_server,established; content:\"Hwid:\"; fast_pattern:only; http_header; content:\".p\r\ncontent:!\"Connection\"; http_header; metadata:ruleset community, service http; classtype:trojan-activi\r\nrev:1;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"MALWARE-CNC Win.Trojan.Laturo stealer init\r\nconnection\"; flow:to_server,established; content:\"Os: WIN_\"; fast_pattern:only; http_header; content\r\nhttp_header; content:\"Special:\"; http_header; content:\"Arch:\"; http_header; metadata:ruleset communit\r\nclasstype:trojan-activity; sid:8000697; rev:1;)\r\n# --------------------\r\n# Title: AsyncRAT\r\n# Reference: Research\r\n# Tests: pcap\r\n# Detection:\r\n# - Yara:\r\n# 1. MALWARE_Win_Trojan_AsyncRAT\r\n# 2. INDICATOR_Excutable_Packed_Spices\r\n# - ClamAV:\r\n# 1. MALWARE_Win.Trojan.AsyncRAT\r\n# 2. INDICATOR_Excutable.Packed.Spices\r\n# - SSL/TLS Fingerprints:\r\n# - JA3:\r\n# 1. 769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,65281-10-11,23-24,0 --\u003e 6734f37431670b3ab\r\n# 2. 769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,10-11-65281,23-24,0 --\u003e 4c5c120f2e0b1bc5c\r\n# - Joy:\r\n# 1. (0301)(002f00350005000ac013c014c009c00a0032003800130004)((ff01)(000a0006000400170018)(000b0\r\n# 2. (0301)(002f00350005000ac013c014c009c00a0032003800130004)((0000)(000a0006000400170018)(000b0\r\n# Hashes:\r\n# - Previous Sample: ab9d492b71cb61129034b94296ae0e1bec9d2d12477c236e51ba6be372c33c15\r\n# - Recent Sample: 2c24b6cdb05c0aceb0564f6afbfc8b22e3d6343ed3662578c0b54e01474cec57\r\n# Notes:\r\n# - The rule was submitted on June 04, 2019 (Multiple signatures 029) and modified, triggering on\r\n# the old and new sample traffic.\r\n# - The recent sample was dropped from Discord CDN:\r\n# 1. Tiny executable generates .CS file containing the code responsible for downloading from Disco\r\n# 2. Tiny executable compiles and executes the compiled .CS code DLL.\r\n# 3. Compiled .CS code downloads .TXT file from Discord CDN containing a base64-encoded executable\r\n# decodes it, and then injects it.\r\nalert tcp $EXTERNAL_NET any -\u003e $HOME_NET any (msg:\"MALWARE-CNC Win.Trojan.AsyncRAT variant SSL certif\r\nflow:to_client,established; content:\"|55 04 03 0C|\"; content:\"AsyncRAT Server\"; distance:1; fast_patt\r\nmetadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000660; rev:2;)\r\nalert tcp $EXTERNAL_NET $FILE_DATA_PORTS -\u003e $HOME_NET any (msg:\"INDICATOR-OBFUSCATION Spices.Net obfu\r\ndownload attempt\"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:\"protected\r\nSpices.Net Obfuscator\"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http\r\nservice pop3; classtype:misc-activity; sid:8000698; rev:1;)\r\nalert tcp $EXTERNAL_NET any -\u003e $SMTP_SERVERS 25 (msg:\"INDICATOR-OBFUSCATION Spices.Net obfuscated .NE\r\nattempt\"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:\"protected by 9Rays\r\nObfuscator\"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:misc-activity; si\r\n# --------------------\r\n# Title: HawkEye variant\r\n# Reference: Research\r\n# Tests: pcaps\r\n# Yara: NA\r\n# ClamAV: NA\r\n# Hashes: e4b4a93dc889952a88ac8b37561f5160ce341586cd582623abc493978dbd55a0\r\n# Notes: NA\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET [25,587] (msg:\"MALWARE-CNC Win.Trojan.HawkEye variant outbou\r\nattempt\"; flow:to_server,established; content:\"Subject: Logger - Server Ran\"; fast_pattern:only; meta\r\ncommunity, service smtp; classtype:trojan-activity; sid:8000710; rev:1;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET [25,587] (msg:\"MALWARE-CNC Win.Trojan.HawkEye variant outbou\r\nattempt\"; flow:to_server,established; content:\"Subject: Logger|7C|\"; fast_pattern:only; metadata:rule\r\nservice smtp; classtype:trojan-activity; sid:8000711; rev:1;)\r\n# --------------------\r\n# Title: macOS MaxOfferDeal PUA\r\n# Reference: Research\r\n# Tests: pcaps\r\n# Yara: MALWARE_Osx_Adware_MaxOfferDeal\r\n# ClamAV: MALWARE_Osx.Adware.MaxOfferDeal\r\n# Hashes:\r\n# - 3066e6ea814592462257d4f5a1af431db40e6f06503e6ca2b3ea1d6b4ebff7ae\r\n# - 4a48fd4d27a559f5c90cc6a3fb814a34a82b8ea4f7a2aca3a2d7220d381c6d83\r\n# - f73a4de505c1f3689e21ce4d15e83c07ff0acd76c7ca8961bda68604cf4fc39c\r\n# Notes: VideoPlayer behaves differently when FireFox is installed\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"MALWARE-CNC Osx.Adware.MaxOfferDeal outbo\r\nflow:to_server,established; content:\"/lion-update\"; fast_pattern:only; http_uri; urilen:12; metadata\r\nservice http; classtype:trojan-activity; sid:8000712; rev:1;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"MALWARE-CNC Osx.Adware.MaxOfferDeal outbo\r\nflow:to_server,established; content:\"/squirrel-log\"; fast_pattern:only; http_uri; urilen:13; metadata\r\ncommunity, service http; classtype:trojan-activity; sid:8000713; rev:1;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"MALWARE-CNC Osx.Adware.MaxOfferDeal outbo\r\nflow:to_server,established; content:\"/kitten-update\"; fast_pattern:only; http_uri; urilen:14; metadat\r\ncommunity, service http; classtype:trojan-activity; sid:8000714; rev:1;)\r\n# --------------------\r\n# Title: Njrat/Bladabindi variant\r\n# Reference: Research\r\n# Tests: pcaps\r\n# Yara: MALWARE_Win_Trojan_Njrat\r\n# ClamAV: MALWARE_Win.Trojan.Njrat\r\n# Hashes:\r\n# - 2be873726dedb8f3a26d8fb61c513c95354d9a9b47f81934670497fcdbe4e0da (AutoIt)\r\n# - ea262b6675d2a05a8182f7d0cf63e6cb22e76457e01e0a2319086514315e24eb (AutoIt)\r\n# - bd92dd8a37cfbf1496344e9de97039579192e1dc4b945b11e3ebc6f38587bc1f (.NET dump)\r\n# Notes: Separator is 20201\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"MALWARE-CNC Win.Trojan.Njrat/Bladabindi variant ou\r\nflow:to_server,established; content:\"|00|ll20201\"; offset:3; depth:8; fast_pattern; metadata:ruleset\r\nclasstype:trojan-activity; sid:8000715; rev:1;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"MALWARE-CNC Win.Trojan.Njrat/Bladabindi variant ou\r\nflow:to_server,established; content:\"|00|inf20201\"; offset:3; depth:9; fast_pattern; metadata:ruleset\r\nclasstype:trojan-activity; sid:8000716; rev:1;)\r\n_______________________________________________\r\nSnort-sigs mailing list\r\nSnort-sigs () lists snort org\r\nhttps://lists.snort.org/mailman/listinfo/snort-sigs\r\nPlease visit http://blog.snort.org for the latest news about Snort!\r\nPlease follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette\r\nVisit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch emerging threats (https://snort.org/downloads/#rule-downloads)!\r\nSource: https://seclists.org/snort/2019/q3/343",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://seclists.org/snort/2019/q3/343"
	],
	"report_names": [
		"343"
	],
	"threat_actors": [],
	"ts_created_at": 1775434917,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/111e977230b762cc862064e334b00668340691bf.pdf",
		"text": "https://archive.orkl.eu/111e977230b762cc862064e334b00668340691bf.txt",
		"img": "https://archive.orkl.eu/111e977230b762cc862064e334b00668340691bf.jpg"
	}
}