""ET MALWARE DNS Query to Neoreklami Domain (133455789 .xyz)""

SID: 2045706

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2023_05_15, deployment Perimeter, malware_family PUP, updated_at 2023_05_15, reviewed_at 2024_05_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking

Reference:

• Link

Protocol: udp

Source Network: $HOME_NET

Source Port: any

Destination Network: any

Destination Port: 53

Flow:

Contents:

• Value: "|01|" Depth: 1 Offset: 2

• Value: "|00 01 00 00 00 00 00|"

• Value: "|09|133455789|03|xyz|00|"

Within: 7

PCRE:

Special Options:

• fast_pattern

• nocase

source