[***]            Summary:            [***]

26 new Open, 38 new Pro (26 + 12). PowerShell in DNS TXT, Punto Loader, APT-C-35 DNS.

Thanks: Nathan Fowler

[+++]          Added rules:          [+++]

2026920 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New-Object (V3LU9) in DNS TXT Reponse (current_events.rules)
2026921 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New-Object (ctT2J) in DNS TXT Reponse (current_events.rules)
2026922 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New-Object (dy1PYmp) in DNS TXT Reponse (current_events.rules)
2026923 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New-Object (V3LU9iam) in DNS TXT Reponse (current_events.rules)
2026924 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New-Object (XctT2JqZW) in DNS TXT Reponse (current_events.rules)
2026925 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded New-Object (dy1PYmplY3) in DNS TXT Reponse (current_events.rules)
2026926 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start-Process (FydC1Qcm9) in DNS TXT Reponse (current_events.rules)
2026927 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJ) in DNS TXT Reponse (current_events.rules)
2026928 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2N) in DNS TXT Reponse (current_events.rules)
2026929 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJvY2) in DNS TXT Reponse (current_events.rules)
2026930 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start-Process (GFydC1Qcm9jZX) in DNS TXT Reponse (current_events.rules)
2026931 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2Nlc3) in DNS TXT Reponse (current_events.rules)
2026932 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-WmiMethod (Zva2UtV21pTWV) in DNS TXT Reponse (current_events.rules)
2026933 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1) in DNS TXT Reponse (current_events.rules)
2026934 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXR) in DNS TXT Reponse (current_events.rules)
2026935 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1ldG) in DNS TXT Reponse (current_events.rules)
2026936 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-WmiMethod (nZva2UtV21pTWV0aG) in DNS TXT Reponse (current_events.rules)
2026937 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXRob2) in DNS TXT Reponse (current_events.rules)
2026938 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-Command (Zva2UtQ29) in DNS TXT Reponse (current_events.rules)
2026939 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21) in DNS TXT Reponse (current_events.rules)
2026940 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-Command (nZva2UtQ29tbW) in DNS TXT Reponse (current_events.rules)
2026941 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1) in DNS TXT Reponse (current_events.rules)
2026942 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21tYW) in DNS TXT Reponse (current_events.rules)
2026943 - ET CURRENT_EVENTS PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1hbm) in DNS TXT Reponse (current_events.rules)
2026944 - ET TROJAN Observed Malicious SSL Cert (LazarusGroup CnC) (trojan.rules)
2026945 - ET TROJAN Punto Loader Checkin (trojan.rules)
2834906 - ETPRO MOBILE_MALWARE AndroidOS.DroidJack Checkin (mobile_malware.rules)
2834907 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-02-19 1) (trojan.rules)
2834908 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-02-19 2) (trojan.rules)
2834909 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-02-19 3) (trojan.rules)
2834910 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-02-19 4) (trojan.rules)
2834911 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-02-19 5) (trojan.rules)
2834912 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-02-19 6) (trojan.rules)
2834913 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-02-19 7) (trojan.rules)
2834914 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2834915 - ETPRO TROJAN DonotGroup/APT-C-35 DNS Lookup (trojan.rules)
2834916 - ETPRO TROJAN Observed Malicious SSL Cert (DonotGroup/APT-C-35 CnC) (trojan.rules)
2834917 - ETPRO INFO Suspicious Registrar Nameservers in DNS Response (bitcoin-dns) (info.rules)

[///]     Modified active rules:     [///]

2834190 - ETPRO TROJAN SSL/TLS Certificate Observed (POWERTON) (trojan.rules)
2834830 - ETPRO CURRENT_EVENTS Successful Indodax Exchange Phish 2019-02-11 (current_events.rules)

Date: Monday, February 18, 2019 - 22:00