Mekotio

Hi, I propose a rule for the Mekotio banking trojan, which began to appear frequently with this traffic in our sandbox in August.
Malware Reports - Online Malware Analysis Sandbox ← searching by tag

alert tcp any any -> any any (msg:"ET MALWARE [ANY.RUN] Mekotio Banking Trojan TCP Request"; flow:established,to_server; stream_size:client,<,30; dsize:<29; content:"pimbsbd"; depth:7; pcre:"/^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\x0d\x0a/R"; classtype:trojan-activity; reference:md5,b6e0ad4963d054b697f307c09e7eb35f; reference:url,app.any.run/tasks/509940a9-d20a-4599-89e0-40b2810f485d; metadata:malware_family Mekotio, created_at 2023_08_24; sid:1; rev:1;)

Best regards, Jane (=^･ｪ･^=))ﾉ彡☆

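Added example (not part of Jane's post or the ET rule itself): a small Python replay of the rule's payload checks, so the match conditions can be exercised against constructed sample segments offline. It approximates Suricata's evaluation order (stream_size, dsize, content/depth, then the relative pcre); the payload bytes and client byte counts are constructed for illustration, not captured traffic.

```python
import re

# Pattern taken from the proposed rule: dotted-quad IPv4 followed by CRLF.
# The rule's /R flag anchors the pcre relative to the end of the previous
# content match ("pimbsbd", depth 7), so it is applied to payload[7:].
IPV4_CRLF = re.compile(
    rb"^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}"
    rb"(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\x0d\x0a"
)

CONTENT = b"pimbsbd"       # content:"pimbsbd"; depth:7
MAX_DSIZE = 29             # dsize:<29
MAX_STREAM_CLIENT = 30     # stream_size:client,<,30


def matches_mekotio_rule(payload: bytes, client_bytes_so_far: int) -> bool:
    """Replay the rule's checks on one client->server segment.

    client_bytes_so_far approximates what stream_size compares against: the
    bytes the client has sent on this flow, including this segment.
    """
    if client_bytes_so_far >= MAX_STREAM_CLIENT:
        return False
    if len(payload) >= MAX_DSIZE:
        return False
    # A 7-byte content with depth 7 can only match at offset 0.
    if payload[: len(CONTENT)] != CONTENT:
        return False
    # Relative pcre: match must begin right after the content match.
    return IPV4_CRLF.match(payload[len(CONTENT):]) is not None


if __name__ == "__main__":
    # Constructed samples (not real captures) showing each condition in turn.
    samples = [
        (b"pimbsbd192.168.1.10\r\n", 21),          # all conditions hold
        (b"pimbsbd256.1.1.1\r\n", 18),             # octet out of range
        (b"pimbsbd10.0.0.1\n", 16),                # LF only, no CR
        (b"pimbsbd1.1.1.1\r\n" + b"x" * 20, 36),   # dsize too large
        (b"pimbsbd192.168.1.10\r\n", 40),          # client already sent >= 30 bytes
        (b"xpimbsbd1.1.1.1\r\n", 17),              # content not within depth 7
    ]
    for payload, sent in samples:
        print(f"{payload!r:40} stream={sent:3} -> {matches_mekotio_rule(payload, sent)}")
```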

This is awesome! We will get this in for today, thanks Jane!

JT


2047723 - ET MALWARE [ANY.RUN] Mekotio Banking Trojan TCP Request

Went out in today's release. I made some minor formatting changes to match style, but nothing major.
