Ruleset Update Summary - 2024/10/04 - v10714

Ruleset Updates
1

Summary:

54 new OPEN, 56 new PRO (54 + 2)

Thanks @malwrhunterteam

Added rules:

Open:

  • 2052024 - ET RETIRED Possible UPSTYLE Command Output Retrieval Attempt (retired.rules)
  • 2052270 - ET RETIRED Possible LINE RUNNER Backdoor Connection Attempt (retired.rules)
  • 2056446 - ET EXPLOIT glibc iconv Abitrary File Read RCE (CVE-2024-2961) (exploit.rules)
  • 2056447 - ET INFO Temporary File Hosting Domain in DNS Lookup (tmpfiles .org) (info.rules)
  • 2056448 - ET INFO Observed Temporary File Hosting Domain (tmpfiles .org in TLS SNI) (info.rules)
  • 2056449 - ET INFO DYNAMIC_DNS Query to a * .is-very .fun Domain (info.rules)
  • 2056450 - ET INFO DYNAMIC_DNS HTTP Request to a * .is-very .fun Domain (info.rules)
  • 2056451 - ET INFO DYNAMIC_DNS Query to a * .tamarindo .net Domain (info.rules)
  • 2056452 - ET INFO DYNAMIC_DNS HTTP Request to a * .tamarindo .net Domain (info.rules)
  • 2056453 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (availabkelk .store) (malware.rules)
  • 2056454 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (availabkelk .store in TLS SNI) (malware.rules)
  • 2056455 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (giffrooypwm .shop) (malware.rules)
  • 2056456 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (giffrooypwm .shop in TLS SNI) (malware.rules)
  • 2056457 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mosquitju .site) (malware.rules)
  • 2056458 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mosquitju .site in TLS SNI) (malware.rules)
  • 2056459 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (newresource .shop) (malware.rules)
  • 2056460 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (newresource .shop in TLS SNI) (malware.rules)
  • 2056461 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (privilegedkoq .shop) (malware.rules)
  • 2056462 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (privilegedkoq .shop in TLS SNI) (malware.rules)
  • 2056463 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (raciimoppero .shop) (malware.rules)
  • 2056464 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (raciimoppero .shop in TLS SNI) (malware.rules)
  • 2056465 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thighfeingjywk .shop) (malware.rules)
  • 2056466 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thighfeingjywk .shop in TLS SNI) (malware.rules)
  • 2056467 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (truthevideow .store) (malware.rules)
  • 2056468 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (truthevideow .store in TLS SNI) (malware.rules)
  • 2056469 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (weakkysemwmns .shop) (malware.rules)
  • 2056470 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (weakkysemwmns .shop in TLS SNI) (malware.rules)
  • 2056471 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) (malware.rules)
  • 2056472 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clearancek .site in TLS SNI) (malware.rules)
  • 2056473 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) (malware.rules)
  • 2056474 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (licendfilteo .site in TLS SNI) (malware.rules)
  • 2056475 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) (malware.rules)
  • 2056476 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (spirittunek .store in TLS SNI) (malware.rules)
  • 2056477 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) (malware.rules)
  • 2056478 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bathdoomgaz .store in TLS SNI) (malware.rules)
  • 2056479 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) (malware.rules)
  • 2056480 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (studennotediw .store in TLS SNI) (malware.rules)
  • 2056481 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) (malware.rules)
  • 2056482 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dissapoiznw .store in TLS SNI) (malware.rules)
  • 2056483 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) (malware.rules)
  • 2056484 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eaglepawnoy .store in TLS SNI) (malware.rules)
  • 2056485 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) (malware.rules)
  • 2056486 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mobbipenju .store in TLS SNI) (malware.rules)
  • 2056487 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixturehari .store) (malware.rules)
  • 2056488 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mixturehari .store in TLS SNI) (malware.rules)
  • 2056489 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (chartzend .com) (exploit_kit.rules)
  • 2056490 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (chartzend .com) (exploit_kit.rules)
  • 2056491 - ET MALWARE Win32/Knitting Industry Co. CnC Activity (GET) (malware.rules)
  • 2056492 - ET MALWARE Observed DNS Query to Knitting Industry Co. Domain (flashffl .com) (malware.rules)
  • 2056493 - ET MALWARE Observed Knitting Industry Co Domain (flashffl .com in TLS SNI) (malware.rules)
  • 2056494 - ET HUNTING PHP Filter Chains in HTTP URI (hunting.rules)
  • 2056495 - ET HUNTING PHP Filter Chains in HTTP Body (hunting.rules)
  • 2056496 - ET HUNTING URL Encoded PHP Filter Chains in HTTP URI (hunting.rules)
  • 2056497 - ET HUNTING URL Encoded PHP Filter Chains in HTTP Body (hunting.rules)

Pro:

  • 2858542 - ETPRO MALWARE Win32/Lumma C2 via Steam profile (malware.rules)
  • 2858543 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to VexTrio (a88fa) (exploit_kit.rules)

Disabled and modified rules:

  • 2049810 - ET INFO DNS Query to Vultr Cloud file sharing domain (vultrobjects .com) (info.rules)
  • 2052073 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (showgyella .quadrantbd .com) (malware.rules)
  • 2052074 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (smartclouds .gelatosg .com) (malware.rules)
  • 2052075 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (cloudflaread .quadrantbd .com) (malware.rules)
  • 2052076 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (suitsvm003 .rchitecture .org) (malware.rules)
  • 2052077 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (cloudsrm .gelatosg .com) (malware.rules)
  • 2052078 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (rscvmogt .taishanlaw .com) (malware.rules)
  • 2052079 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (showgyella .quadrantbd .com) in TLS SNI (malware.rules)
  • 2052080 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (smartclouds .gelatosg .com) in TLS SNI (malware.rules)
  • 2052081 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (freeprous .bakhell .com) in TLS SNI (malware.rules)
  • 2052082 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (cloudflaread .quadrantbd .com) in TLS SNI (malware.rules)
  • 2052083 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (suitsvm003 .rchitecture .org) in TLS SNI (malware.rules)
  • 2052084 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (cloudsrm .gelatosg .com) in TLS SNI (malware.rules)
  • 2052085 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (rscvmogt .taishanlaw .com) in TLS SNI (malware.rules)
  • 2052398 - ET MALWARE Malvertising/Nitrogen Loader Domain in DNS Lookup (advanced-ip-scan .org) (malware.rules)
  • 2052399 - ET MALWARE Malvertising/Nitrogen Loader Domain in DNS Lookup (giaoanso .com) (malware.rules)
  • 2052400 - ET MALWARE Malvertising/Nitrogen Loader Domain in DNS Lookup (saltysour .com) (malware.rules)
  • 2052401 - ET MALWARE Malvertising/Nitrogen Loader Domain (advanced-ip-scan .org) in TLS SNI (malware.rules)
  • 2052402 - ET MALWARE Malvertising/Nitrogen Loader Domain (giaoanso .com) in TLS SNI (malware.rules)
  • 2052403 - ET MALWARE Malvertising/Nitrogen Loader Domain (saltysour .com) in TLS SNI (malware.rules)
  • 2052528 - ET PHISHING Microsoft Phishing Domain in DNS Lookup (iapparel .top) (phishing.rules)
  • 2052529 - ET PHISHING Observed Microsoft Phishing Domain (iapparel .top) in TLS SNI (phishing.rules)
  • 2052560 - ET MALWARE Trkcdn Domain in DNS Lookup (simitor .com) (malware.rules)
  • 2052561 - ET MALWARE Trkcdn Domain in DNS Lookup (vitrfar .info) (malware.rules)
  • 2052562 - ET MALWARE Trkcdn Domain in DNS Lookup (pordasa .info) (malware.rules)
  • 2052563 - ET MALWARE Trkcdn Domain in DNS Lookup (vibnere .com) (malware.rules)
  • 2052564 - ET MALWARE Trkcdn Domain in DNS Lookup (edrefo .com) (malware.rules)
  • 2052565 - ET MALWARE Trkcdn Domain in DNS Lookup (frotel .info) (malware.rules)
  • 2052566 - ET MALWARE SpamTracker Domain in DNS Lookup (epyujbhfhbs35j .com) (malware.rules)
  • 2052567 - ET MALWARE SpamTracker Domain in DNS Lookup (cgb488dixfxjw7 .com) (malware.rules)
  • 2052568 - ET MALWARE SpamTracker Domain in DNS Lookup (8egub9e7s6cz7n .com) (malware.rules)
  • 2052569 - ET MALWARE SpamTracker Domain in DNS Lookup (hjmpfsamfkj5m5 .com) (malware.rules)
  • 2052570 - ET MALWARE SpamTracker Domain in DNS Lookup (uxjxfg2ui8k5zk .com) (malware.rules)
  • 2052645 - ET MALWARE TA417 Related Domain in DNS Lookup (operatida .com) (malware.rules)
  • 2052646 - ET MALWARE TA417 Related Domain in DNS Lookup (gelatosg .com) (malware.rules)
  • 2052647 - ET MALWARE TA417 Related Domain in DNS Lookup (lucashnancy .com) (malware.rules)
  • 2052648 - ET MALWARE TA417 Related Domain in DNS Lookup (randaln .com) (malware.rules)
  • 2052649 - ET MALWARE TA417 Related Domain in DNS Lookup (rchitecture .org) (malware.rules)
  • 2052650 - ET MALWARE TA417 Related Domain in DNS Lookup (bakhell .com) (malware.rules)
  • 2052651 - ET MALWARE TA417 Related Domain in DNS Lookup (nestnewhome .com) (malware.rules)
  • 2052652 - ET MALWARE TA417 Related Domain in DNS Lookup (gayionsd .com) (malware.rules)
  • 2052653 - ET MALWARE TA417 Related Domain in DNS Lookup (quadrantbd .com) (malware.rules)
  • 2052654 - ET MALWARE TA417 Related Domain in DNS Lookup (dailteeau .com) (malware.rules)
  • 2052655 - ET MALWARE TA417 Related Domain in DNS Lookup (availitond .com) (malware.rules)
  • 2052656 - ET MALWARE TA417 Related Domain in DNS Lookup (centralizebd .com) (malware.rules)
  • 2052657 - ET MALWARE TA417 Related Domain in DNS Lookup (ccarden .com) (malware.rules)
  • 2052658 - ET MALWARE TA417 Related Domain in DNS Lookup (taishanlaw .com) (malware.rules)
  • 2052659 - ET MALWARE Observed TA417 Domain (operatida .com) in TLS SNI (malware.rules)
  • 2052660 - ET MALWARE Observed TA417 Domain (gelatosg .com) in TLS SNI (malware.rules)
  • 2052661 - ET MALWARE Observed TA417 Domain (lucashnancy .com) in TLS SNI (malware.rules)
  • 2052662 - ET MALWARE Observed TA417 Domain (randaln .com) in TLS SNI (malware.rules)
  • 2052663 - ET MALWARE Observed TA417 Domain (rchitecture .org) in TLS SNI (malware.rules)
  • 2052664 - ET MALWARE Observed TA417 Domain (bakhell .com) in TLS SNI (malware.rules)
  • 2052665 - ET MALWARE Observed TA417 Domain (nestnewhome .com) in TLS SNI (malware.rules)
  • 2052666 - ET MALWARE Observed TA417 Domain (gayionsd .com) in TLS SNI (malware.rules)
  • 2052667 - ET MALWARE Observed TA417 Domain (quadrantbd .com) in TLS SNI (malware.rules)
  • 2052668 - ET MALWARE Observed TA417 Domain (dailteeau .com) in TLS SNI (malware.rules)
  • 2052669 - ET MALWARE Observed TA417 Domain (availitond .com) in TLS SNI (malware.rules)
  • 2052670 - ET MALWARE Observed TA417 Domain (centralizebd .com) in TLS SNI (malware.rules)
  • 2052671 - ET MALWARE Observed TA417 Domain (ccarden .com) in TLS SNI (malware.rules)
  • 2052672 - ET MALWARE Observed TA417 Domain (taishanlaw .com) in TLS SNI (malware.rules)
  • 2052865 - ET MALWARE Dora RAT CnC Domain in DNS Lookup (kmobile .bestunif .com) (malware.rules)
  • 2052866 - ET MALWARE Observed Dora RAT Domain (kmobile .bestunif .com) in TLS SNI (malware.rules)
  • 2053032 - ET MALWARE Allasenha/CarnavalHeist Related Domain (nfe-digital .online) in DNS Lookup (malware.rules)
  • 2053033 - ET MALWARE Allasenha/CarnavalHeist Related Domain (nfe-digital .site) in DNS Lookup (malware.rules)
  • 2053034 - ET MALWARE Allasenha/CarnavalHeist Related Domain (nfe-digital .top) in DNS Lookup (malware.rules)
  • 2053035 - ET MALWARE Allasenha/CarnavalHeist Related Domain (nfe-digital .digital) in DNS Lookup (malware.rules)
  • 2053036 - ET MALWARE Observed Allasenha/CarnavalHeist RAT Related Domain (nfe-digital .online) in TLS SNI (malware.rules)
  • 2053037 - ET MALWARE Observed Allasenha/CarnavalHeist RAT Related Domain (nfe-digital .site) in TLS SNI (malware.rules)
  • 2053038 - ET MALWARE Observed Allasenha/CarnavalHeist RAT Related Domain (nfe-digital .top) in TLS SNI (malware.rules)
  • 2053039 - ET MALWARE Observed Allasenha/CarnavalHeist RAT Related Domain (nfe-digital .digital) in TLS SNI (malware.rules)
  • 2053201 - ET MALWARE Allasenha/CarnavalHeist Related Domain (adobe-acrobat-visualizer .brazilsouth .cloudapp .azure .com) in DNS Lookup (malware.rules)
  • 2053202 - ET MALWARE Allasenha/CarnavalHeist Related Domain (nfe-visualizer .app .br) in DNS Lookup (malware.rules)
  • 2053203 - ET MALWARE Allasenha/CarnavalHeist Related Domain (nf-e .pro) in DNS Lookup (malware.rules)
  • 2053273 - ET MALWARE UNC1151 Related Domain in DNS Lookup (goudieelectric .shop) (malware.rules)
  • 2053274 - ET MALWARE UNC1151 Related Domain in DNS Lookup (thevegan8 .shop) (malware.rules)
  • 2053275 - ET MALWARE Observed UNC1151 Related Domain (goudieelectric .shop) in TLS SNI (malware.rules)
  • 2053276 - ET MALWARE Observed UNC1151 Related Domain (thevegan8 .shop) in TLS SNI (malware.rules)
  • 2053278 - ET MALWARE Silverfox Related Domain in DNS Lookup (uiekjxw .net) (malware.rules)
  • 2054202 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (agov-ch .net) (malware.rules)
  • 2054203 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (agov-ch .com) (malware.rules)
  • 2054204 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (poseidon .cool) (malware.rules)
  • 2054205 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (agovaccess-ch .com) (malware.rules)
  • 2054206 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (agov-access .com) (malware.rules)
  • 2054207 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (agov-access .net) (malware.rules)
  • 2054208 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (register-agov .com) (malware.rules)
  • 2054209 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (register-agov .net) (malware.rules)
  • 2054210 - ET MALWARE Observed Poseidon Stealer Related Domain (agov-ch .net) in TLS SNI (malware.rules)
  • 2054211 - ET MALWARE Observed Poseidon Stealer Related Domain (agov-ch .com) in TLS SNI (malware.rules)
  • 2054212 - ET MALWARE Observed Poseidon Stealer Related Domain (poseidon .cool) in TLS SNI (malware.rules)
  • 2054213 - ET MALWARE Observed Poseidon Stealer Related Domain (agovaccess-ch .com) in TLS SNI (malware.rules)
  • 2054214 - ET MALWARE Observed Poseidon Stealer Related Domain (agov-access .com) in TLS SNI (malware.rules)
  • 2054215 - ET MALWARE Observed Poseidon Stealer Related Domain (agov-access .net) in TLS SNI (malware.rules)
  • 2054216 - ET MALWARE Observed Poseidon Stealer Related Domain (register-agov .com) in TLS SNI (malware.rules)
  • 2054217 - ET MALWARE Observed Poseidon Stealer Related Domain (register-agov .net) in TLS SNI (malware.rules)
  • 2054799 - ET MALWARE TA426/Zebrocy Related Domain in DNS Lookup (trust-certificate .net) (malware.rules)
  • 2054801 - ET MALWARE TA426/Zebrocy Related Domain in DNS Lookup (enrollmentdm .com) (malware.rules)
  • 2054802 - ET MALWARE Observed TA426/Zebrocy Domain (trust-certificate .net) in TLS SNI (malware.rules)
  • 2054803 - ET MALWARE Observed TA426/Zebrocy Domain (enrollmentdm .com) in TLS SNI (malware.rules)
  • 2054814 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (ricinus .ru) (mobile_malware.rules)
  • 2054815 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (toxicodendron .ru) (mobile_malware.rules)
  • 2054816 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (ricinus-ca .ru) (mobile_malware.rules)
  • 2054817 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (ricinus .su) (mobile_malware.rules)
  • 2054818 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (ricinus-cc .ru) (mobile_malware.rules)
  • 2054819 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (ricinus-cb .ru) (mobile_malware.rules)
  • 2054822 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (ricinus .ru) in TLS SNI (mobile_malware.rules)
  • 2054823 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (toxicodendron .ru) in TLS SNI (mobile_malware.rules)
  • 2054824 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (ricinus-ca .ru) in TLS SNI (mobile_malware.rules)
  • 2054825 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (ricinus .su) in TLS SNI (mobile_malware.rules)
  • 2054826 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (ricinus-cc .ru) in TLS SNI (mobile_malware.rules)
  • 2054827 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (ricinus-cb .ru) in TLS SNI (mobile_malware.rules)
  • 2054829 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pddbj .xyz) (malware.rules)
  • 2054830 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pcvcf .xyz) (malware.rules)
  • 2054831 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (ptdrf .xyz) (malware.rules)
  • 2054832 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pbpbj .xyz) (malware.rules)
  • 2054833 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pdddj .xyz) (malware.rules)
  • 2054834 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pqdrf .xyz) (malware.rules)
  • 2054835 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pdddk .xyz) (malware.rules)
  • 2054836 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pcvvf .xyz) (malware.rules)
  • 2054837 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pbdbj .xyz) (malware.rules)
  • 2054838 - ET MALWARE Observed ACR Stealer Domain (pddbj .xyz) in TLS SNI (malware.rules)
  • 2054839 - ET MALWARE Observed ACR Stealer Domain (pcvcf .xyz) in TLS SNI (malware.rules)
  • 2054840 - ET MALWARE Observed ACR Stealer Domain (ptdrf .xyz) in TLS SNI (malware.rules)
  • 2054841 - ET MALWARE Observed ACR Stealer Domain (pbpbj .xyz) in TLS SNI (malware.rules)
  • 2054842 - ET MALWARE Observed ACR Stealer Domain (pdddj .xyz) in TLS SNI (malware.rules)
  • 2054843 - ET MALWARE Observed ACR Stealer Domain (pqdrf .xyz) in TLS SNI (malware.rules)
  • 2054844 - ET MALWARE Observed ACR Stealer Domain (pdddk .xyz) in TLS SNI (malware.rules)
  • 2054845 - ET MALWARE Observed ACR Stealer Domain (pcvvf .xyz) in TLS SNI (malware.rules)
  • 2054846 - ET MALWARE Observed ACR Stealer Domain (pbdbj .xyz) in TLS SNI (malware.rules)
  • 2054847 - ET MALWARE Unknown Loader CnC Domain in DNS Lookup (scratchedcards .com) (malware.rules)
  • 2054848 - ET MALWARE Unknown Loader CnC Domain in DNS Lookup (21centuryart .com) (malware.rules)
  • 2054849 - ET MALWARE Unknown Loader CnC Domain in DNS Lookup (proffyrobharborye .xyz) (malware.rules)
  • 2054850 - ET MALWARE Unknown Loader CnC Domain in DNS Lookup (answerrsdo .shop) (malware.rules)
  • 2054896 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (evotoforpc .net) (malware.rules)
  • 2054897 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (support-team-account .fbb2024-20 .click) (malware.rules)
  • 2054898 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (withthreekitties .itsm-us1 .comodo .com) (malware.rules)
  • 2054899 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (businesscenter .fbb16 .click) (malware.rules)
  • 2054900 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (nigx2a-msp .itsm-us1 .comodo .com) (malware.rules)
  • 2054901 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (metaverifybusiness .sp247 .click) (malware.rules)
  • 2054902 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (itstrq .itsm-us1 .comodo .com) (malware.rules)
  • 2054903 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (evotophoto .com) (malware.rules)
  • 2054904 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (techsupportcenter1902 .click) (malware.rules)
  • 2054905 - ET MALWARE Observed Social Media Malvertising Related Domain (evotoforpc .net) in TLS SNI (malware.rules)
  • 2054906 - ET MALWARE Observed Social Media Malvertising Related Domain (support-team-account .fbb2024-20 .click) in TLS SNI (malware.rules)
  • 2054907 - ET MALWARE Observed Social Media Malvertising Related Domain (withthreekitties .itsm-us1 .comodo .com) in TLS SNI (malware.rules)
  • 2054908 - ET MALWARE Observed Social Media Malvertising Related Domain (businesscenter .fbb16 .click) in TLS SNI (malware.rules)
  • 2054909 - ET MALWARE Observed Social Media Malvertising Related Domain (nigx2a-msp .itsm-us1 .comodo .com) in TLS SNI (malware.rules)
  • 2054910 - ET MALWARE Observed Social Media Malvertising Related Domain (metaverifybusiness .sp247 .click) in TLS SNI (malware.rules)
  • 2054911 - ET MALWARE Observed Social Media Malvertising Related Domain (itstrq .itsm-us1 .comodo .com) in TLS SNI (malware.rules)
  • 2054912 - ET MALWARE Observed Social Media Malvertising Related Domain (evotophoto .com) in TLS SNI (malware.rules)
  • 2054913 - ET MALWARE Observed Social Media Malvertising Related Domain (techsupportcenter1902 .click) in TLS SNI (malware.rules)
  • 2055451 - ET MOBILE_MALWARE Android/Ngate Domain in DNS Lookup (rb-62d3a .tbc-app .life) (mobile_malware.rules)
  • 2055452 - ET MOBILE_MALWARE Android/Ngate Domain in DNS Lookup (rb .2f1c0b7d .tbc-app .life) (mobile_malware.rules)
  • 2055453 - ET MOBILE_MALWARE Android/Ngate Domain in DNS Lookup (geo-4bfa49b2 .tbc-app .life) (mobile_malware.rules)
  • 2055454 - ET MOBILE_MALWARE Android/Ngate Domain in DNS Lookup (csob-93ef49e7a .tbc-app .life) (mobile_malware.rules)
  • 2055455 - ET MOBILE_MALWARE Android/Ngate Domain in DNS Lookup (george .tbc-app .life) (mobile_malware.rules)
  • 2055456 - ET MOBILE_MALWARE Android/Ngate Domain in DNS Lookup (raiffeisen-cz .eu) (mobile_malware.rules)
  • 2055457 - ET MOBILE_MALWARE Android/Ngate Domain in DNS Lookup (client .nfcpay .workers .dev) (mobile_malware.rules)
  • 2055458 - ET MOBILE_MALWARE Android/Ngate Domain in DNS Lookup (app .mobil-csob-cz .eu) (mobile_malware.rules)
  • 2055459 - ET MOBILE_MALWARE Observed Android/Ngate Domain (rb-62d3a .tbc-app .life) in TLS SNI (mobile_malware.rules)
  • 2055460 - ET MOBILE_MALWARE Observed Android/Ngate Domain (rb .2f1c0b7d .tbc-app .life) in TLS SNI (mobile_malware.rules)
  • 2055461 - ET MOBILE_MALWARE Observed Android/Ngate Domain (geo-4bfa49b2 .tbc-app .life) in TLS SNI (mobile_malware.rules)
  • 2055462 - ET MOBILE_MALWARE Observed Android/Ngate Domain (csob-93ef49e7a .tbc-app .life) in TLS SNI (mobile_malware.rules)
  • 2055463 - ET MOBILE_MALWARE Observed Android/Ngate Domain (george .tbc-app .life) in TLS SNI (mobile_malware.rules)
  • 2055464 - ET MOBILE_MALWARE Observed Android/Ngate Domain (raiffeisen-cz .eu) in TLS SNI (mobile_malware.rules)
  • 2055465 - ET MOBILE_MALWARE Observed Android/Ngate Domain (client .nfcpay .workers .dev) in TLS SNI (mobile_malware.rules)
  • 2055466 - ET MOBILE_MALWARE Observed Android/Ngate Domain (app .mobil-csob-cz .eu) in TLS SNI (mobile_malware.rules)
  • 2055511 - ET MALWARE Moonpeak RAT Related Domain in DNS Lookup (yoiroyse .store) (malware.rules)
  • 2055512 - ET MALWARE Moonpeak RAT Related Domain in DNS Lookup (pumaria .store) (malware.rules)
  • 2055513 - ET MALWARE Moonpeak RAT Related Domain in DNS Lookup (nmailhostserver .store) (malware.rules)
  • 2055514 - ET MALWARE Moonpeak RAT Related Domain in DNS Lookup (nsonlines .store) (malware.rules)
  • 2055515 - ET MALWARE Observed Moonpeak RAT Related Domain (yoiroyse .store) in TLS SNI (malware.rules)
  • 2055516 - ET MALWARE Observed Moonpeak RAT Related Domain (pumaria .store) in TLS SNI (malware.rules)
  • 2055517 - ET MALWARE Observed Moonpeak RAT Related Domain (nmailhostserver .store) in TLS SNI (malware.rules)
  • 2055518 - ET MALWARE Observed Moonpeak RAT Related Domain (nsonlines .store) in TLS SNI (malware.rules)
  • 2055588 - ET MALWARE TA452 CnC Domain in DNS Lookup (portal .sharjahconnect .online) (malware.rules)
  • 2055589 - ET MALWARE Observed TA452 Domain (portal .sharjahconnect .online) in TLS SNI (malware.rules)
  • 2056436 - ET INFO Observed Vultr CDN/Object Storage Domain (vultrobjects .com) in TLS SNI (info.rules)
  • 2856923 - ETPRO MALWARE UNK_SweetSpecter SugarGh0st CnC Domain in DNS Lookup (malware.rules)
  • 2856924 - ETPRO MALWARE UNK_SweetSpecter SugarGh0st CnC Domain in TLS SNI (malware.rules)
  • 2857030 - ETPRO MALWARE APT36/Transparent Tribe Related Domain in DNS Lookup (malware.rules)
  • 2857031 - ETPRO MALWARE Observed APT36/Transparent Tribe Domain in TLS SNI (malware.rules)

Removed rules:

  • 2052024 - ET MALWARE Possible UPSTYLE Command Output Retrieval Attempt (malware.rules)
  • 2052270 - ET MALWARE Possible LINE RUNNER Backdoor Connection Attempt (malware.rules)