Rule Category

MALWARE-CNC -- Snort has detected a Command and Control (CNC) rule violation, most likely commands or calls for files or other stages from the control server. The alert indicates a host has been infiltrated by an attacker, who is using the host to make calls for files, as a call-home vector for other malware-infected networks, for shuttling traffic back to bot owners, etc.

Alert Message

MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt

Rule Explanation

This event is generated when a client system attempts to download a GhostPuppet malicious document.

Impact: A Network Trojan was detected

Details: Malicious HWP IOCs (SHA-256):
089d368dfb814274883927ceca1335e1672766af8160ac5d493ff57e4617a892
349b8afa3a1daf495e7178b563a7de3f58d6c63140d042cc08be5770d03bd8f5
3cde54dce88a4544bf5ffa36066a184958d4ff74c2e0ce32fdbf91729c0f574e
485f77e5d32de5dc05510743025a75af5b6f714e930e22098490b7afb71b737f
4a17324aa55f5353ecd38f34e06e246e971e36ec1bb5180ae8218a59b035f462
596fbdf01557c3ec89b345c57ae5d9a0b7251dd8d5a707f7353dd733274c6eb6
862250f9b50e46276043715ea32236bd8bb4b875213d83c14f2dcd79854847c6
8e0f0cc87b9d80e5928cf19fe273cde28978ec31b3115f978fa8de2723d470a5
9c3221dfc49b159f032eda70e8cb207c60e73ea5f51f9ddc90629292deacf90c
a299bdc3fc07def4b0d5a409484f4717884a78749796960a560a9b30fab2435b
a9d579819370e860ece7890c3490cde17a41f56a63452066c67799191b1ac0ef
bf1eb0d3601ec35e4419d43d1610e07f0c1a7ae72e36fa8b8846166333a44f2f
c68e996fb9021bb7c316d9d5f9dad9251ec91989152f8908a5ccf1f7e2f581df
cfaff9d2130794ca4d548615bcc19abfaae388f042f306b898399594833c41ee
d30cb50641ff79fa059fbf1950047d2e34eb3e9ee7b5ff5cced0912160d3edb9
e498630abe9a91485ba42698a35c2a0d8e13fe5cccde65479bf3033c45e7d431

Ease of Attack:
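The rule above fires on the network download attempt; the SHA-256 list is what you use afterwards to confirm whether the document actually landed on the alerting host. The following host-side sweep is an added example, not Talos code and not part of the rule: it hashes every regular file under a directory tree, reports exact matches against the hashes on this page, and separately flags `.hwp` documents that are not on the list so an analyst can triage them. The directory layout, file names and contents in `demo()` are constructed for the example, and the demo adds the hash of one constructed file to the IOC set so a match can be shown without a real sample.

```python
"""Sweep a directory tree for the GhostPuppet HWP SHA-256 IOCs listed on this page.

Added example (not part of the Snort rule or Talos tooling). Run it after a
MALWARE-CNC alert to check whether the downloaded document reached disk.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# SHA-256 hashes copied from the rule page (deduplicated).
GHOSTPUPPET_HWP_SHA256 = frozenset({
    "089d368dfb814274883927ceca1335e1672766af8160ac5d493ff57e4617a892",
    "349b8afa3a1daf495e7178b563a7de3f58d6c63140d042cc08be5770d03bd8f5",
    "3cde54dce88a4544bf5ffa36066a184958d4ff74c2e0ce32fdbf91729c0f574e",
    "485f77e5d32de5dc05510743025a75af5b6f714e930e22098490b7afb71b737f",
    "4a17324aa55f5353ecd38f34e06e246e971e36ec1bb5180ae8218a59b035f462",
    "596fbdf01557c3ec89b345c57ae5d9a0b7251dd8d5a707f7353dd733274c6eb6",
    "862250f9b50e46276043715ea32236bd8bb4b875213d83c14f2dcd79854847c6",
    "8e0f0cc87b9d80e5928cf19fe273cde28978ec31b3115f978fa8de2723d470a5",
    "9c3221dfc49b159f032eda70e8cb207c60e73ea5f51f9ddc90629292deacf90c",
    "a299bdc3fc07def4b0d5a409484f4717884a78749796960a560a9b30fab2435b",
    "a9d579819370e860ece7890c3490cde17a41f56a63452066c67799191b1ac0ef",
    "bf1eb0d3601ec35e4419d43d1610e07f0c1a7ae72e36fa8b8846166333a44f2f",
    "c68e996fb9021bb7c316d9d5f9dad9251ec91989152f8908a5ccf1f7e2f581df",
    "cfaff9d2130794ca4d548615bcc19abfaae388f042f306b898399594833c41ee",
    "d30cb50641ff79fa059fbf1950047d2e34eb3e9ee7b5ff5cced0912160d3edb9",
    "e498630abe9a91485ba42698a35c2a0d8e13fe5cccde65479bf3033c45e7d431",
})


@dataclass
class Hit:
    path: str
    sha256: str
    reason: str  # "ioc" = exact hash match, "hwp-unlisted" = .hwp not on the list


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large documents do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=GHOSTPUPPET_HWP_SHA256):
    """Return a Hit for every IOC match and every unlisted .hwp file under root."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            # Skip symlinks so a planted link cannot point the sweep elsewhere.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_file(path)
            if digest in iocs:
                hits.append(Hit(path, digest, "ioc"))
            elif name.lower().endswith(".hwp"):
                hits.append(Hit(path, digest, "hwp-unlisted"))
    return hits


# Constructed stand-in content for the demo; its hash is NOT a real IOC.
DEMO_BAD_CONTENT = b"constructed stand-in for a GhostPuppet HWP sample\n"
DEMO_BAD_SHA256 = hashlib.sha256(DEMO_BAD_CONTENT).hexdigest()


def demo():
    """Build a constructed directory tree and sweep it; paths are made relative."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Downloads"))
        files = {
            "Downloads/report.hwp": DEMO_BAD_CONTENT,         # matches the demo IOC
            "Downloads/notes.hwp": b"benign constructed document\n",  # unlisted .hwp
            "Downloads/readme.txt": b"nothing to see\n",      # ignored
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        hits = scan_tree(root, GHOSTPUPPET_HWP_SHA256 | {DEMO_BAD_SHA256})
        return [Hit(os.path.relpath(h.path, root), h.sha256, h.reason) for h in hits]


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit.reason:13} {hit.sha256}  {hit.path}")
```

Point `scan_tree` at the user's download and temp directories on the alerting host; an `ioc` hit confirms the rule's detection, while `hwp-unlisted` hits are candidates for sandboxing rather than verdicts, since this rule page lists only the sixteen hashes above.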

What To Look For

No information provided

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

None

Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None