Ruleset Update Summary - 2024/11/18 - v10744

Summary:

68 new OPEN, 109 new PRO (68 + 41)

Thanks @gmcirt
Added rules:

Open:

  • 2057635 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound (malware.rules)
  • 2057636 - ET MALWARE Win32/SocGholish Domain in DNS Lookup (dashnex .plexusmarket .fund) (malware.rules)
  • 2057637 - ET MALWARE Win32/SocGholish Domain in TLS SNI (dashnex .plexusmarket .fund) (malware.rules)
  • 2057638 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bed-cobweb .cyou) (malware.rules)
  • 2057639 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bed-cobweb .cyou in TLS SNI) (malware.rules)
  • 2057640 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dreamecho .shop) (malware.rules)
  • 2057641 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dreamecho .shop in TLS SNI) (malware.rules)
  • 2057642 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dudtybresah .cyou) (malware.rules)
  • 2057643 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dudtybresah .cyou in TLS SNI) (malware.rules)
  • 2057644 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (halttbindsj .shop) (malware.rules)
  • 2057645 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (halttbindsj .shop in TLS SNI) (malware.rules)
  • 2057646 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz) (malware.rules)
  • 2057647 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI) (malware.rules)
  • 2057648 - ET INFO DYNAMIC_DNS Query to a *.600912 .com domain (info.rules)
  • 2057649 - ET INFO DYNAMIC_DNS HTTP Request to a *.600912 .com domain (info.rules)
  • 2057650 - ET INFO DYNAMIC_DNS Query to a *.millersmobilemarine .com domain (info.rules)
  • 2057651 - ET INFO DYNAMIC_DNS HTTP Request to a *.millersmobilemarine .com domain (info.rules)
  • 2057652 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xp3cts1aim .sbs) (malware.rules)
  • 2057653 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (3xp3cts1aim .sbs in TLS SNI) (malware.rules)
  • 2057654 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (befall-sm0ker .sbs) (malware.rules)
  • 2057655 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (befall-sm0ker .sbs in TLS SNI) (malware.rules)
  • 2057656 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (c0al1t1onmatch .cyou) (malware.rules)
  • 2057657 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (c0al1t1onmatch .cyou in TLS SNI) (malware.rules)
  • 2057658 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) (malware.rules)
  • 2057659 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) (malware.rules)
  • 2057660 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owner-vacat10n .sbs) (malware.rules)
  • 2057661 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (owner-vacat10n .sbs in TLS SNI) (malware.rules)
  • 2057662 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs) (malware.rules)
  • 2057663 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (p10tgrace .sbs in TLS SNI) (malware.rules)
  • 2057664 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p3ar11fter .sbs) (malware.rules)
  • 2057665 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (p3ar11fter .sbs in TLS SNI) (malware.rules)
  • 2057666 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peepburry828 .sbs) (malware.rules)
  • 2057667 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (peepburry828 .sbs in TLS SNI) (malware.rules)
  • 2057668 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) (malware.rules)
  • 2057669 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (processhol .sbs in TLS SNI) (malware.rules)
  • 2057670 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sector-essay .cyou) (malware.rules)
  • 2057671 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) (malware.rules)
  • 2057672 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sliperyedhby .icu) (malware.rules)
  • 2057673 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sliperyedhby .icu in TLS SNI) (malware.rules)
  • 2057674 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (voter-screnn .cyou) (malware.rules)
  • 2057675 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (voter-screnn .cyou in TLS SNI) (malware.rules)
  • 2057676 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (eliztalks .com) (exploit_kit.rules)
  • 2057677 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (eliztalks .com) (exploit_kit.rules)
  • 2057678 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (franklinida .com) (exploit_kit.rules)
  • 2057679 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (franklinida .com) (exploit_kit.rules)
  • 2057680 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .staff .plenarykcg .com) (malware.rules)
  • 2057681 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .staff .plenarykcg .com) (malware.rules)
  • 2057682 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (acrith0t .cyou) (malware.rules)
  • 2057683 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (acrith0t .cyou in TLS SNI) (malware.rules)
  • 2057684 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bab120witty .sbs) (malware.rules)
  • 2057685 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bab120witty .sbs in TLS SNI) (malware.rules)
  • 2057686 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brakeritonb .icu) (malware.rules)
  • 2057687 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brakeritonb .icu in TLS SNI) (malware.rules)
  • 2057688 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (petshopsg .com) (exploit_kit.rules)
  • 2057689 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (petshopsg .com) (exploit_kit.rules)
  • 2057690 - ET EXPLOIT Fortinet FortiManager Unauthenticated Get File Transfer Handle (exploit.rules)
  • 2057691 - ET EXPLOIT Fortinet FortiManager File Transfer Handle Response (exploit.rules)
  • 2057692 - ET EXPLOIT Fortinet FortiManager Unauthenticated Remote Code Execution (CVE-2024-47575) M1 (exploit.rules)
  • 2057693 - ET EXPLOIT Fortinet FortiManager Unauthenticated Open Server-Side Channel (exploit.rules)
  • 2057694 - ET EXPLOIT Fortinet FortiManager Unauthenticated Remote Code Execution (CVE-2024-47575) M2 (exploit.rules)
  • 2057695 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (3xp3cts1aim .sbs) (malware.rules)
  • 2057696 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs) (malware.rules)
  • 2057697 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) (malware.rules)
  • 2057698 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (p3ar11fter .sbs) (malware.rules)
  • 2057699 - ET MALWARE Observed Lumma Stealer Domain (3xp3cts1aim .sbs in TLS SNI) (malware.rules)
  • 2057700 - ET MALWARE Observed Lumma Stealer Domain (peepburry828 .sbs in TLS SNI) (malware.rules)
  • 2057701 - ET MALWARE Observed Lumma Stealer Domain (processhol .sbs in TLS SNI) (malware.rules)
  • 2057702 - ET MALWARE Observed Lumma Stealer Domain (p3ar11fter .sbs in TLS SNI) (malware.rules)

Pro:

  • 2859046 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859047 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859048 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859049 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859050 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2859051 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859052 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2859053 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859054 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2859055 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859056 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859057 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2859058 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859059 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2859060 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2859061 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859062 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859063 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859064 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859065 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859066 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859067 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859068 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859069 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859070 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859071 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859072 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2859073 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2859074 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2859075 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2859076 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859077 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2859078 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859079 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2859080 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859081 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859082 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2859083 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859084 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2859085 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2859086 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)