Ruleset Update Summary - 2024/11/11 - v10739

Summary:

48 new OPEN, 124 new PRO (48 + 76)


Added rules:

Open:

  • 2057334 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brownieyuz .sbs) (malware.rules)
  • 2057335 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brownieyuz .sbs in TLS SNI) (malware.rules)
  • 2057336 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dominatez .cyou) (malware.rules)
  • 2057337 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dominatez .cyou in TLS SNI) (malware.rules)
  • 2057338 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ducksringjk .sbs) (malware.rules)
  • 2057339 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ducksringjk .sbs in TLS SNI) (malware.rules)
  • 2057340 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explainvees .sbs) (malware.rules)
  • 2057341 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explainvees .sbs in TLS SNI) (malware.rules)
  • 2057342 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (geerkenmsu .shop) (malware.rules)
  • 2057343 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (geerkenmsu .shop in TLS SNI) (malware.rules)
  • 2057344 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relalingj .sbs) (malware.rules)
  • 2057345 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (relalingj .sbs in TLS SNI) (malware.rules)
  • 2057346 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (repostebhu .sbs) (malware.rules)
  • 2057347 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (repostebhu .sbs in TLS SNI) (malware.rules)
  • 2057348 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rottieud .sbs) (malware.rules)
  • 2057349 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rottieud .sbs in TLS SNI) (malware.rules)
  • 2057350 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tamedgeesy .sbs) (malware.rules)
  • 2057351 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tamedgeesy .sbs in TLS SNI) (malware.rules)
  • 2057352 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (terracedjz .cyou) (malware.rules)
  • 2057353 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (terracedjz .cyou in TLS SNI) (malware.rules)
  • 2057354 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thinkyyokej .sbs) (malware.rules)
  • 2057355 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thinkyyokej .sbs in TLS SNI) (malware.rules)
  • 2057356 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3number .employerdbz .icu) (malware.rules)
  • 2057357 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (3number .employerdbz .icu in TLS SNI) (malware.rules)
  • 2057358 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (olduenduyz .fun) (malware.rules)
  • 2057359 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (olduenduyz .fun in TLS SNI) (malware.rules)
  • 2057360 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pragapin .sbs) (malware.rules)
  • 2057361 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pragapin .sbs in TLS SNI) (malware.rules)
  • 2057362 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slippyhost .cfd) (malware.rules)
  • 2057363 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (slippyhost .cfd in TLS SNI) (malware.rules)
  • 2057364 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .events .socalpocis .org) (malware.rules)
  • 2057365 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .events .socalpocis .org) (malware.rules)
  • 2057366 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dayeyerhb .cyou) (malware.rules)
  • 2057367 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dayeyerhb .cyou in TLS SNI) (malware.rules)
  • 2057368 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (frannbradnj .icu) (malware.rules)
  • 2057369 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (frannbradnj .icu in TLS SNI) (malware.rules)
  • 2057370 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hellishaluhg .fun) (malware.rules)
  • 2057371 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hellishaluhg .fun in TLS SNI) (malware.rules)
  • 2057372 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (traveljournal-techinsights .shop) (malware.rules)
  • 2057373 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (traveljournal-techinsights .shop in TLS SNI) (malware.rules)
  • 2057374 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wellnesshub-chefparadise .shop) (malware.rules)
  • 2057375 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wellnesshub-chefparadise .shop in TLS SNI) (malware.rules)
  • 2057376 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zanymarkedjz .fun) (malware.rules)
  • 2057377 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zanymarkedjz .fun in TLS SNI) (malware.rules)
  • 2057378 - ET INFO DNS Request to Commonly Actor Abused Email Marketing Domain (fdske .com) (info.rules)
  • 2057379 - ET INFO Observed Commonly Actor Abused Email Marketing Domain (fdske .com in TLS SNI) (info.rules)
  • 2057380 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (culinarycanvasgrilling .com) (exploit_kit.rules)
  • 2057381 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (culinarycanvasgrilling .com) (exploit_kit.rules)

Pro:

  • 2858931 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2858932 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858933 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2858934 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2858935 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2858936 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2858937 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2858938 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2858939 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2858940 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858941 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858942 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858943 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2858944 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2858945 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2858946 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2858947 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2858948 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2858949 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2858950 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2858951 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2858952 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2858953 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2858954 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858955 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858956 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858957 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2858958 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2858959 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2858960 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2858961 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2858962 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2858963 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2858964 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2858965 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2858966 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2858967 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2858968 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2858969 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2858970 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2858971 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858972 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2858973 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2858974 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2858975 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2858976 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2858977 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2858978 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2858979 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858980 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858981 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858982 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2858983 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2858984 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2858985 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2858986 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2858987 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2858988 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2858989 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2858990 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2858991 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2858992 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2858993 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2858994 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2858995 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2858996 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2858997 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to VexTrio (7d7f8) (exploit_kit.rules)
  • 2858998 - ETPRO PHISHING Observed DNS Query to Social Security Administration Impersonation Domain (phishing.rules)
  • 2858999 - ETPRO PHISHING Observed Social Security Administration Impersonation Domain in TLS SNI (phishing.rules)
  • 2859000 - ETPRO MALWARE ScreenConnect Config Inbound Originating From Telegram API (malware.rules)
  • 2859001 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859002 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859003 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859004 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859005 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859006 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
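Every bullet above follows one fixed shape (SID, ET or ETPRO, category, message, rule file), and any domain indicator inside the message is defanged as "label .label .tld", with a leading "*" for a wildcard subdomain. That makes the summary easy to ingest automatically: pull out the SIDs and refanged domains for SIEM correlation or a blocklist, and cross-check the declared counts so a truncated copy does not go unnoticed. The Python below is an added example written for this page, not part of the ET update or of the ruleset itself; its sample input is an excerpt of the lines above (constructed here so it runs offline), so its count check deliberately comes out inconsistent, while the full text of this summary yields 48 + 76 = 124. The regexes encode the conventions visible on this page only; ET may format other messages differently.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an excerpt of lines copied from the v10739 summary above
# (Summary block, section headers, a few bullets) so the parser runs offline.
SAMPLE = """\
Summary:

48 new OPEN, 124 new PRO (48 + 76)

Added rules:

Open:

  • 2057334 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brownieyuz .sbs) (malware.rules)
  • 2057335 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brownieyuz .sbs in TLS SNI) (malware.rules)
  • 2057356 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3number .employerdbz .icu) (malware.rules)
  • 2057364 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .events .socalpocis .org) (malware.rules)
  • 2057378 - ET INFO DNS Request to Commonly Actor Abused Email Marketing Domain (fdske .com) (info.rules)

Pro:

  • 2858931 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2858997 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to VexTrio (7d7f8) (exploit_kit.rules)
  • 2859001 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
"""

# One bullet: "<sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"
RULE_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<sid>\d+)\s*-\s*(?P<ruleset>ETPRO|ET)\s+(?P<category>[A-Z_]+)\s+"
    r"(?P<msg>.*?)\s+\((?P<file>[a-z_]+\.rules)\)\s*$"
)
# "48 new OPEN, 124 new PRO (48 + 76)"
SUMMARY_LINE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
# Defanged indicators are written "label .label .tld"; a leading "*" marks a
# wildcard subdomain.  Trailing words such as "in TLS SNI" are not consumed.
DEFANGED = re.compile(r"(?:\*|[\w-]+)(?: \.[\w-]+)+")


@dataclass
class Rule:
    sid: int
    ruleset: str                 # "ET" (open) or "ETPRO"
    category: str                # MALWARE, INFO, EXPLOIT_KIT, PHISHING, ...
    msg: str
    rule_file: str
    domains: List[str] = field(default_factory=list)  # refanged, e.g. "brownieyuz.sbs"


def parse_rules(text: str) -> List[Rule]:
    """Turn the 'Added rules' bullets into Rule records, refanging any domains."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if not m:
            continue  # headers, blank lines, the Summary block
        domains = [d.replace(" .", ".") for d in DEFANGED.findall(m["msg"])]
        rules.append(Rule(int(m["sid"]), m["ruleset"], m["category"],
                          m["msg"], m["file"], domains))
    return rules


def domain_iocs(rules: List[Rule]) -> Dict[str, List[int]]:
    """Map each refanged domain to the SIDs that reference it; the DNS-lookup and
    TLS-SNI pair for one domain collapses onto a single indicator."""
    out: Dict[str, List[int]] = {}
    for r in rules:
        for d in r.domains:
            out.setdefault(d, []).append(r.sid)
    return out


def summary_check(text: str) -> dict:
    """Compare the counts declared in the Summary block with the bullets actually
    present.  A mismatch means the text was truncated or the summary is wrong."""
    rules = parse_rules(text)
    n_open = sum(r.ruleset == "ET" for r in rules)
    n_pro = sum(r.ruleset == "ETPRO" for r in rules)
    m = SUMMARY_LINE.search(text)
    declared: Optional[Tuple[int, ...]] = tuple(int(x) for x in m.groups()) if m else None
    consistent = (
        declared is not None
        and declared[0] == declared[2]                      # OPEN count repeated in the sum
        and declared[1] == declared[2] + declared[3]        # "124 (48 + 76)" adds up
        and (declared[2], declared[3]) == (n_open, n_pro)   # and matches the bullets
    )
    return {"declared": declared, "observed": (n_open, n_pro), "consistent": consistent}


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    for dom, sids in sorted(domain_iocs(parsed).items()):
        print(f"{dom}\t{','.join(map(str, sids))}")
    print(summary_check(SAMPLE))
```

Two points worth keeping in mind when feeding the output onward: wildcard entries such as "*.events.socalpocis.org" are patterns, not hostnames, so they need suffix matching rather than an exact-match blocklist entry; and PRO-only bullets that name an actor but no domain (TA582, TA4903) yield no indicator here, since the page itself does not carry one.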