[***] Summary: [***]

28 new OPEN, 41 new PRO (28 + 13). Various HUNTING, Win32/Throwback,
W32/SysChecker and Miners.

There will be no rules released tomorrow, Friday, May 13, 2022, due
to a Proofpoint corporate holiday.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036566 - ET HUNTING Base64 Encoded ipconfig sent via HTTP URI M1
(hunting.rules)
2036567 - ET HUNTING Base64 Encoded ipconfig sent via HTTP URI M2
(hunting.rules)
2036568 - ET HUNTING Base64 Encoded ipconfig sent via HTTP URI M3
(hunting.rules)
2036569 - ET HUNTING Base64 Encoded ipconfig In Server Response M1
(hunting.rules)
2036570 - ET HUNTING Base64 Encoded ipconfig In Server Response M2
(hunting.rules)
2036571 - ET HUNTING Base64 Encoded ipconfig In Server Response M3
(hunting.rules)
2036572 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
URI M1 (hunting.rules)
2036573 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
URI M2 (hunting.rules)
2036574 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
URI M3 (hunting.rules)
2036575 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
URI M4 (hunting.rules)
2036576 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
URI M5 (hunting.rules)
2036577 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
URI M6 (hunting.rules)
2036578 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
URI M7 (hunting.rules)
2036579 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
URI M8 (hunting.rules)
2036580 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
URI M9 (hunting.rules)
2036581 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
Request Body M1 (hunting.rules)
2036582 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
Request Body M2 (hunting.rules)
2036583 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
Request Body M3 (hunting.rules)
2036584 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
Request Body M4 (hunting.rules)
2036585 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
Request Body M5 (hunting.rules)
2036586 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
Request Body M6 (hunting.rules)
2036587 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
Request Body M7 (hunting.rules)
2036588 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
Request Body M8 (hunting.rules)
2036589 - ET HUNTING Double Base64 Encoded ipconfig sent via HTTP
Request Body M9 (hunting.rules)
2036590 - ET MALWARE Win32/Throwback CnC Activity (POST) (malware.rules)
2036591 - ET MALWARE Win32/Throwback Server Response (Incoming)
(malware.rules)
2036592 - ET MALWARE Malicious ELF Activity (malware.rules)
2036593 - ET PHISHING Generic Cryptowallet Credential Phish
2022-05-12 (phishing.rules)
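
Note on the ipconfig HUNTING rules above: base64 turns every 3 input bytes
into 4 output characters, so the encoded form of a keyword depends on its
byte offset modulo 3. Covering the keyword therefore takes three content
matches (M1..M3), and when the payload is base64-encoded twice each of
those three fragments can again land at any of three offsets, giving
3 x 3 = 9 (M1..M9). The Python below is added here as an illustration; it
is not part of the ET ruleset or any Proofpoint code, the reading of the
M-numbers as alignment offsets is an assumption drawn from the counts, and
the sample URIs it scans are constructed, not captured traffic.

```python
"""Base64 alignment fragments of a keyword, as used by keyword-in-base64
hunting rules, plus a toy matcher run over constructed HTTP URIs."""
import base64

KEYWORD = b"ipconfig"


def b64_alignment_variants(keyword: bytes) -> list:
    """Return the three base64 fragments that appear when `keyword` sits at
    byte offset 0, 1 or 2 within a larger buffer.

    Characters of a 4-char group that also depend on unknown neighbouring
    bytes are dropped, so each fragment matches whatever surrounds the
    keyword in the encoded stream.
    """
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + keyword
        enc = base64.b64encode(padded).decode()
        # Leading group shared with unknown preceding bytes: only its last
        # 2 (offset 1) or 1 (offset 2) characters are fixed by the keyword.
        start = offset + 1 if offset else 0
        # Trailing group shared with unknown following bytes: only its first
        # 1 (one keyword byte) or 2 (two keyword bytes) characters are fixed.
        tail = (offset + len(keyword)) % 3
        end = len(enc) - (4 - tail) if tail else len(enc)
        variants.append(enc[start:end])
    return variants


def double_b64_variants(keyword: bytes) -> list:
    """Fragments for a payload that was base64-encoded twice: each of the
    three inner fragments is itself a substring at an arbitrary offset of
    the outer encoding, hence 3 x 3 = 9 fragments."""
    return [
        outer
        for inner in b64_alignment_variants(keyword)
        for outer in b64_alignment_variants(inner.encode())
    ]


SINGLE = b64_alignment_variants(KEYWORD)  # 3 fragments (cf. M1..M3)
DOUBLE = double_b64_variants(KEYWORD)     # 9 fragments (cf. M1..M9)


def find_encoded_keyword(text: str):
    """Return (layers, fragment) for the first fragment found in `text`, or
    None. Matching is case-sensitive on purpose: base64 is case-sensitive,
    so a `nocase` match here would only add false positives. Percent- or
    URL-safe-encoded base64 would need normalising first (not done here)."""
    for frag in SINGLE:
        if frag in text:
            return (1, frag)
    for frag in DOUBLE:
        if frag in text:
            return (2, frag)
    return None


def covers_all_offsets(keyword: bytes = KEYWORD) -> bool:
    """Sanity check: whatever precedes the keyword, one single-layer fragment
    matches. Prefix lengths 0..2 exercise all three alignments."""
    for prefix_len in range(3):
        enc = base64.b64encode(b"X" * prefix_len + keyword + b"Y").decode()
        if not any(f in enc for f in SINGLE):
            return False
    return True


def _enc(data: bytes, layers: int) -> str:
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


# Constructed sample traffic (not captured data): a beacon shipping command
# output in a query parameter, once single- and once double-encoded, plus a
# plaintext request these rules are not meant to fire on.
SAMPLE_URIS = [
    "/api/report?d=" + _enc(b"C:\\> ipconfig /all\r\nWindows IP Configuration", 1),
    "/api/report?d=" + _enc(b"result: ipconfig", 2),
    "/index.html?q=ipconfig",
]

if __name__ == "__main__":
    print("single-layer fragments:", SINGLE)
    print("double-layer fragments:", DOUBLE)
    for uri in SAMPLE_URIS:
        print(uri[:60], "->", find_encoded_keyword(uri))
```

The same fragments serve the URI, request-body and server-response rules;
only the inspected buffer changes. When porting this to Suricata, one
`content` per fragment in the relevant sticky buffer (e.g. `http.uri`,
`http.request_body`, `http.response_body`) reproduces the M1..M3 and M1..M9
split.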

Pro:

2851642 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-05-12 1) (coinminer.rules)
2851643 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-05-12 2) (coinminer.rules)
2851644 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-05-12 3) (coinminer.rules)
2851645 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-05-12 4) (coinminer.rules)
2851646 - ETPRO MALWARE W32/SysChecker CnC Host Checkin M2 (malware.rules)
2851647 - ETPRO MALWARE W32/SysChecker CnC Host Checkin M3 (malware.rules)
2851648 - ETPRO MALWARE W32/SysChecker CnC Host Checkin M4 (malware.rules)
2851649 - ETPRO MALWARE Trojan.Downloader.JUFZ CnC Activity (malware.rules)
2851650 - ETPRO MALWARE Win32/SCVReady Loader CnC Activity M2 (malware.rules)
2851651 - ETPRO MALWARE Win32/SCVReady Loader - Logs (malware.rules)
2851652 - ETPRO MALWARE Win32/SCVReady Loader - SysInfo M1 (malware.rules)
2851653 - ETPRO MALWARE Win32/SCVReady Loader - SysInfo M2 (malware.rules)
2851654 - ETPRO MALWARE Win32/SCVReady Loader - Screenshot (malware.rules)

[///] Modified active rules: [///]

2028642 - ET MALWARE Possible Win32/Get2 Downloader Activity (malware.rules)
2846048 - ETPRO MALWARE W32/SysChecker CnC Host Checkin M1 (malware.rules)
2850296 - ETPRO MALWARE Observed Win32/SCVReady Loader User-Agent
(malware.rules)
2850297 - ETPRO MALWARE Win32/SCVReady Loader CnC Activity (malware.rules)
2850298 - ETPRO MALWARE Win32/SCVReady Loader Requesting Payload
(malware.rules)
