[***]            Summary:            [***]

45 new Open, 63 new Pro (45 + 18). Various PowerShell Execution String Base64 Encoded, FinderBot, Cayosin Botnet, Remcos RAT, Various Phishing.

Thanks: Nathan Fowler

[+++]          Added rules:          [+++]

Open:

2026876 - ET TROJAN Cayosin Botnet User-Agent Observed M1 (trojan.rules)
2026877 - ET TROJAN Cayosin Botnet User-Agent Observed M2 (trojan.rules)
2026920 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (V3LU9) in DNS TXT Reponse (attack_response.rules)
2026921 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (ctT2J) in DNS TXT Reponse (attack_response.rules)
2026922 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (dy1PYmp) in DNS TXT Reponse (attack_response.rules)
2026923 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (V3LU9iam) in DNS TXT Reponse (attack_response.rules)
2026924 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (XctT2JqZW) in DNS TXT Reponse (attack_response.rules)
2026925 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (dy1PYmplY3) in DNS TXT Reponse (attack_response.rules)
2026926 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (FydC1Qcm9) in DNS TXT Reponse (attack_response.rules)
2026927 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJ) in DNS TXT Reponse (attack_response.rules)
2026928 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2N) in DNS TXT Reponse (attack_response.rules)
2026929 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJvY2) in DNS TXT Reponse (attack_response.rules)
2026930 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (GFydC1Qcm9jZX) in DNS TXT Reponse (attack_response.rules)
2026931 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2Nlc3) in DNS TXT Reponse (attack_response.rules)
2026932 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (Zva2UtV21pTWV) in DNS TXT Reponse (attack_response.rules)
2026933 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1) in DNS TXT Reponse (attack_response.rules)
2026934 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXR) in DNS TXT Reponse (attack_response.rules)
2026935 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1ldG) in DNS TXT Reponse (attack_response.rules)
2026936 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (nZva2UtV21pTWV0aG) in DNS TXT Reponse (attack_response.rules)
2026937 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXRob2) in DNS TXT Reponse (attack_response.rules)
2026938 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (Zva2UtQ29) in DNS TXT Reponse (attack_response.rules)
2026939 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21) in DNS TXT Reponse (attack_response.rules)
2026940 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (nZva2UtQ29tbW) in DNS TXT Reponse (attack_response.rules)
2026941 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1) in DNS TXT Reponse (attack_response.rules)
2026942 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21tYW) in DNS TXT Reponse (attack_response.rules)
2026943 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1hbm) in DNS TXT Reponse (attack_response.rules)
2027027 - ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027028 - ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027029 - ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027030 - ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027031 - ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027032 - ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027033 - ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027034 - ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027035 - ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027036 - ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027037 - ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027038 - ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027039 - ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027040 - ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027041 - ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027042 - ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027043 - ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027044 - ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse (attack_response.rules)
2027045 - ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite) (user_agents.rules)

Pro:

2835157 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-03-05 1) (trojan.rules)
2835158 - ETPRO TROJAN FinderBot User-Agent (iii/) (trojan.rules)
2835159 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2835160 - ETPRO TROJAN Observed Malicious SSL Cert (FinderBot DL) (trojan.rules)
2835161 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-03-05) (current_events.rules)
2835162 - ETPRO CURRENT_EVENTS Successful Booking.com Phish 2019-03-05 (current_events.rules)
2835163 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-03-05 (current_events.rules)
2835164 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-03-05 (current_events.rules)
2835165 - ETPRO CURRENT_EVENTS Successful Paypal Bank Phish 2019-03-05 (current_events.rules)
2835166 - ETPRO CURRENT_EVENTS Successful Paypal VBV Phish 2019-03-05 (current_events.rules)
2835167 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-03-05 (current_events.rules)
2835168 - ETPRO CURRENT_EVENTS Successful Ameli FR Phish 2019-03-05 (current_events.rules)
2835169 - ETPRO CURRENT_EVENTS Successful Apple Phish 2019-03-05 (current_events.rules)
2835170 - ETPRO CURRENT_EVENTS Successful CapitalOne Phish 2019-03-05 (current_events.rules)
2835171 - ETPRO TROJAN Suspicious Inbound Wide String XML with RAT-like Elements (trojan.rules)
2835172 - ETPRO TROJAN Win32/Gupsip Variant CnC Checkin (trojan.rules)
2835173 - ETPRO TROJAN Win32/Remcos RAT Checkin 95 (trojan.rules)
2835174 - ETPRO TROJAN Win32/Remcos RAT Checkin 96 (trojan.rules)

[///]     Modified active rules:     [///]

2026827 - ET TROJAN Observed Malicious SSL Cert (DonotGroup/Patchwork CnC) (trojan.rules)
2026992 - ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1 (info.rules)
2835090 - ETPRO TROJAN Observed Malicious SSL Cert (DonotGroup/Patchwork CnC) (trojan.rules)
2835140 - ETPRO TROJAN FinderBot Cookie Exfil (trojan.rules)
2835141 - ETPRO TROJAN FinderBot Login Exfil (trojan.rules)
2835142 - ETPRO TROJAN FinderBot CnC Checkin (trojan.rules)

[---]  Disabled and modified rules:  [---]

2021607 - ET CURRENT_EVENTS Potential W32/Dridex Alphanumeric Download Pattern (current_events.rules)

Date: 
Monday, March 4, 2019 - 22:00