Ruleset Update Summary - 2024/11/15 - v10743

rulesbot · November 15, 2024, 9:35pm

Summary:

66 new OPEN, 85 new PRO (66 + 19)

Thanks @Unit42_Intel

Added rules:

Open:

2057569 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (1212tank .activitydmy .icu) (malware.rules)
2057570 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (1212tank .activitydmy .icu in TLS SNI) (malware.rules)
2057571 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brake-effect .cyou) (malware.rules)
2057572 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brake-effect .cyou in TLS SNI) (malware.rules)
2057573 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (expectegirn .icu) (malware.rules)
2057574 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (expectegirn .icu in TLS SNI) (malware.rules)
2057575 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kettletakkz .fun) (malware.rules)
2057576 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (kettletakkz .fun in TLS SNI) (malware.rules)
2057577 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (promotechangez .cyou) (malware.rules)
2057578 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (promotechangez .cyou in TLS SNI) (malware.rules)
2057579 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wackysheibr .fun) (malware.rules)
2057580 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wackysheibr .fun in TLS SNI) (malware.rules)
2057581 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washcolorediz .fun) (malware.rules)
2057582 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (washcolorediz .fun in TLS SNI) (malware.rules)
2057583 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (rhinophidae .bond) (malware.rules)
2057584 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (free-handedness .yachts) (malware.rules)
2057585 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (viticulture .rest) (malware.rules)
2057586 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (unfoolishly .christmas) (malware.rules)
2057587 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (concurrences .makeup) (malware.rules)
2057588 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (luminosity .lol) (malware.rules)
2057589 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (simple-life .lol) (malware.rules)
2057590 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (superaccumulate .mom) (malware.rules)
2057591 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (dogtrotted .cyou) (malware.rules)
2057592 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (summer-breathing .motorcycles) (malware.rules)
2057593 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (uteromaniacal .makeup) (malware.rules)
2057594 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (noncancerous .beauty) (malware.rules)
2057595 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (bright-witted .skin) (malware.rules)
2057596 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (deoppilant .monster) (malware.rules)
2057597 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (sulphamidic .mom) (malware.rules)
2057598 - ET MALWARE Observed DNS Query to Raspberry Robin Domain (malalignment .bond) (malware.rules)
2057599 - ET MALWARE Observed Raspberry Robin Domain (rhinophidae .bond in TLS SNI) (malware.rules)
2057600 - ET MALWARE Observed Raspberry Robin Domain (free-handedness .yachts in TLS SNI) (malware.rules)
2057601 - ET MALWARE Observed Raspberry Robin Domain (viticulture .rest in TLS SNI) (malware.rules)
2057602 - ET MALWARE Observed Raspberry Robin Domain (unfoolishly .christmas in TLS SNI) (malware.rules)
2057603 - ET MALWARE Observed Raspberry Robin Domain (concurrences .makeup in TLS SNI) (malware.rules)
2057604 - ET MALWARE Observed Raspberry Robin Domain (luminosity .lol in TLS SNI) (malware.rules)
2057605 - ET MALWARE Observed Raspberry Robin Domain (simple-life .lol in TLS SNI) (malware.rules)
2057606 - ET MALWARE Observed Raspberry Robin Domain (superaccumulate .mom in TLS SNI) (malware.rules)
2057607 - ET MALWARE Observed Raspberry Robin Domain (dogtrotted .cyou in TLS SNI) (malware.rules)
2057608 - ET MALWARE Observed Raspberry Robin Domain (summer-breathing .motorcycles in TLS SNI) (malware.rules)
2057609 - ET MALWARE Observed Raspberry Robin Domain (uteromaniacal .makeup in TLS SNI) (malware.rules)
2057610 - ET MALWARE Observed Raspberry Robin Domain (noncancerous .beauty in TLS SNI) (malware.rules)
2057611 - ET MALWARE Observed Raspberry Robin Domain (bright-witted .skin in TLS SNI) (malware.rules)
2057612 - ET MALWARE Observed Raspberry Robin Domain (deoppilant .monster in TLS SNI) (malware.rules)
2057613 - ET MALWARE Observed Raspberry Robin Domain (sulphamidic .mom in TLS SNI) (malware.rules)
2057614 - ET MALWARE Observed Raspberry Robin Domain (malalignment .bond in TLS SNI) (malware.rules)
2057615 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (1212tank .activitydmy .icu) (malware.rules)
2057616 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (1212tank .activitydmy .icu in TLS SNI) (malware.rules)
2057617 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brake-effect .cyou) (malware.rules)
2057618 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brake-effect .cyou in TLS SNI) (malware.rules)
2057619 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (expectegirn .icu) (malware.rules)
2057620 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (expectegirn .icu in TLS SNI) (malware.rules)
2057621 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kettletakkz .fun) (malware.rules)
2057622 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (kettletakkz .fun in TLS SNI) (malware.rules)
2057623 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (promotechangez .cyou) (malware.rules)
2057624 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (promotechangez .cyou in TLS SNI) (malware.rules)
2057625 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wackysheibr .fun) (malware.rules)
2057626 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wackysheibr .fun in TLS SNI) (malware.rules)
2057627 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washcolorediz .fun) (malware.rules)
2057628 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (washcolorediz .fun in TLS SNI) (malware.rules)
2057629 - ET INFO DYNAMIC_DNS Query to a *.westindiaquay .com domain (info.rules)
2057630 - ET INFO DYNAMIC_DNS HTTP Request to a *.westindiaquay .com domain (info.rules)
2057631 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (rshank .com) (exploit_kit.rules)
2057632 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (rshank .com) (exploit_kit.rules)
2057633 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (crickout .com) (exploit_kit.rules)
2057634 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (crickout .com) (exploit_kit.rules)

Pro:

2859027 - ETPRO MALWARE SocGholish CnC Initial Request M8 (malware.rules)
2859028 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2859029 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2859030 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2859031 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2859032 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2859033 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2859034 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2859035 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2859036 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to VexTrio (9d252) (exploit_kit.rules)
2859037 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2859038 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2859039 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2859040 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2859041 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2859042 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2859043 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2859044 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2859045 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/11/12 - v10740 Ruleset Updates	83	November 12, 2024
Ruleset Update Summary - 2024/03/11 - v10549 Ruleset Updates	932	March 11, 2024
Ruleset Update Summary - 2024/11/11 - v10739 Ruleset Updates	76	November 11, 2024
Ruleset Update Summary - 2024/03/08 - v10548 Ruleset Updates	238	March 8, 2024
Ruleset Update Summary - 2024/02/20 - v10536 Ruleset Updates	486	February 20, 2024

Ruleset Update Summary - 2024/11/15 - v10743

Summary:

Added rules:

Open:

Pro:

Related topics