Hi guys!
Today there is a joint report from @Gi7w0rm and @tosscoinwitcher
I propose a rule based on the content sent from the client:
alert tcp any any -> any any ( \
    msg:"ET MALWARE [ANY.RUN] DynamicRAT"; \
    flow:established,to_server; \
    content:"|00 00 00 00 04 01 00|"; depth:7; \
    content:"|01 00 00 00 02 05 02 01 00|"; distance:1; within:9; \
    content:"|01 00|"; distance:256; within:2; \
    classtype:command-and-control; \
    reference:md5,794aad15e92d121225ac8f98f7173658; \
    reference:url,app.any.run/tasks/211d3453-d909-47e4-96d4-c27cfb5398c4; \
    metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family DynamicRAT, created_at 2023_05_29; \
    sid:8000121; rev:2; \
)
Although the traffic is encrypted, we can identify the initial stream by its service bytes:
ANY.RUN analysis: My2021-22-W2-1040-1099-R.PDF.jar (MD5: 04BACA1B1BA093A27F498CEE89C4378C)
ANY.RUN analysis: 178.jar (MD5: A7EEAB7E2E90D0373EBFB15243BFF81A)
ANY.RUN analysis: http://lille.russia-games.eu/download/tweaker-client.jar
Triage: 41a037f09bf41b5cb1ca453289e6ca961d61cd96eeefb1b5bbf153612396d919
Triage: 83cf9fb418ead6b97f8bcaea08a824ab312c47471cc2134b15aeb977fd7671a1
Triage: e256710a69172b77abe095ad5dc4b7b900f306da16c8a34f994b51d503037c68
Best regards, Jane.
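As an added example, not part of the original post and not ANY.RUN's or Suricata's own code, the Python below re-implements just the `content` modifiers the rule relies on (depth, distance, within) and runs them over constructed payloads. It makes explicit what the rule actually pins down: the 7-byte header at offset 0, the 9-byte marker at offset 8 (distance:1 plus within:9 on a 9-byte pattern leaves exactly one position), and `01 00` at offset 273 (distance:256 plus within:2 on a 2-byte pattern). The byte at offset 7 and the 256 bytes between the marker and the tail are unconstrained. The payloads are synthetic, built for the check; they are not captures of real DynamicRAT traffic, and the filler values are arbitrary.

```python
"""Offline check of the byte layout the DynamicRAT rule matches.

Added example, not code from the original post, ANY.RUN or Suricata.
Only the content modifiers the rule uses are modelled (depth, distance,
within); offset/depth combined with distance/within is not handled.
All payloads are constructed here and are not real DynamicRAT traffic.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Content:
    """One `content:` keyword plus the modifiers used in the rule.

    depth:    absolute, the match must end within `depth` bytes of payload start
    distance: relative, searching starts `distance` bytes after the previous match
    within:   relative, the match must end within `within` bytes of that start
    """
    pattern: bytes
    depth: Optional[int] = None
    distance: int = 0
    within: Optional[int] = None


def find_content(payload: bytes, c: Content, prev_end: int) -> int:
    """Return the end offset of the first match honouring c's modifiers, or -1."""
    start = prev_end + c.distance
    limit = len(payload)                  # a match must end at or before limit
    if c.within is not None:
        limit = min(limit, start + c.within)
    if c.depth is not None:
        limit = min(limit, c.depth)
    last_start = limit - len(c.pattern)
    for pos in range(max(start, 0), last_start + 1):
        if payload.startswith(c.pattern, pos):
            return pos + len(c.pattern)
    return -1


# The three content matches from the rule, in order.
DYNAMICRAT_CONTENTS = (
    Content(bytes.fromhex("00000000040100"), depth=7),
    Content(bytes.fromhex("010000000205020100"), distance=1, within=9),
    Content(bytes.fromhex("0100"), distance=256, within=2),
)


def rule_matches(payload: bytes,
                 contents: Sequence[Content] = DYNAMICRAT_CONTENTS) -> bool:
    """True if every content matches in sequence under its relative constraints."""
    prev_end = 0
    for c in contents:
        prev_end = find_content(payload, c, prev_end)
        if prev_end < 0:
            return False
    return True


def build_payload(gap_after_header: int = 1, filler_len: int = 256,
                  tail: bytes = b"\x01\x00") -> bytes:
    """Construct a synthetic client payload (not a real capture).

    The defaults give the layout the rule pins down: header at 0, one
    unconstrained byte, the 9-byte marker at 8, 256 unconstrained bytes and
    01 00 at offset 273 (275 bytes in total). Other argument values produce
    near-misses for negative checks. Filler bytes are arbitrary.
    """
    filler = bytes(i & 0xFF for i in range(filler_len))
    return (bytes.fromhex("00000000040100")
            + b"\xaa" * gap_after_header
            + bytes.fromhex("010000000205020100")
            + filler
            + tail)


if __name__ == "__main__":
    good = build_payload()
    print(len(good), rule_matches(good))                       # 275 True
    print(rule_matches(build_payload(gap_after_header=2)))     # False: marker shifted to 9
    print(rule_matches(build_payload(filler_len=255)))         # False: tail lands at 272
    print(rule_matches(b"\x00" + good))                        # False: header not at 0
    print(rule_matches(good[:273]))                            # False: tail truncated
```

A practical consequence of the fixed offsets is that all 275 bytes have to be present in the buffer Suricata inspects for the three matches to chain; a client stream that is inspected in a smaller chunk, or a variant that changes the length of the unconstrained region, will not fire the rule.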