| | IP Address | Port | Hostname |
|---|---|---|---|
| Source | 8.8.4.4 | domain (53) | google-public-dns-b.google.com |
| Destination | (local) | 1895 | |
```text
000 : 00 00 81 83 00 01 00 00 00 01 00 00 0c 6d 6d 6d .............mmm
010 : 6d 6d 6d 6d 6d 6d 6d 6d 6d 03 63 6f 6d 00 00 0f mmmmmmmmm.com...
020 : 00 01 c0 19 00 06 00 01 00 00 03 83 00 3d 01 61 .............=.a
030 : 0c 67 74 6c 64 2d 73 65 72 76 65 72 73 03 6e 65 .gtld-servers.ne
040 : 74 00 05 6e 73 74 6c 64 0c 76 65 72 69 73 69 67 t..nstld.verisig
050 : 6e 2d 67 72 73 c0 19 57 d8 82 b6 00 00 07 08 00 n-grs..W........
060 : 00 03 84 00 09 3a 80 00 01 51 80 .....:...Q.
```
Description:
- Tinba, or 'TinyBanker', is banking-credential-stealing malware. Detailed background information can be found here:
False Positive:
- YES
- This rule detects query responses for second-level domain names of exactly 12 characters (here mmmmmmmmmmmm.com).
- A genuine detection would show a random-looking label.
- This is a good IOC, but prone to false positives.
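The decoding behind the rule, as an added example that is not part of the original alert: this Python parses the response bytes from the hex dump above, reproduces the length-12 check on the second-level label, and also decodes the authority SOA record so the whole packet can be read. DNS_RESPONSE is the 107 bytes transcribed from the dump; matches_rule is an assumption about how the rule is written, based only on the description in the bullets above.

```python
import struct

# Constructed input: the 107-byte DNS reply transcribed from the hex dump above.
DNS_RESPONSE = bytes.fromhex(
    "0000818300010000000100000c6d6d6d6d6d6d6d6d6d6d6d6d03636f6d00000f"  # header, qname, qtype MX
    "0001c0190006000100000383003d01610c67746c642d73657276657273036e65"  # qclass IN; SOA RR for com
    "7400056e73746c640c766572697369676e2d677273c01957d882b60000070800"  # ...net, rname, serial, refresh
    "00038400093a8000015180"                                            # retry, expire, minimum
)

def read_name(pkt: bytes, off: int):
    """Decode a DNS name at `off`; returns (labels, offset after the name). Follows RFC 1035 pointers."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return labels, end if end is not None else off
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length

def parse_response(pkt: bytes) -> dict:
    """Parse the header, the question and (when there are no answers) the first authority RR."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    qname, off = read_name(pkt, 12)
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    off += 4
    info = {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar, "qname": ".".join(qname),
            "qtype": qtype, "qclass": qclass, "sld": qname[-2] if len(qname) >= 2 else ""}
    if an == 0 and ns:  # authority section starts right after the question
        owner, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        soa = {"name": ".".join(owner), "type": rtype, "class": rclass, "ttl": ttl, "rdlength": rdlen}
        if rtype == 6:  # SOA: mname, rname, then five 32-bit fields
            mname, off = read_name(pkt, off)
            rname, off = read_name(pkt, off)
            soa["mname"], soa["rname"] = ".".join(mname), ".".join(rname)
            soa.update(zip(("serial", "refresh", "retry", "expire", "minimum"), struct.unpack_from("!5I", pkt, off)))
        info["authority"] = soa
    return info

def matches_rule(pkt: bytes, sld_len: int = 12) -> bool:  # assumed form of the rule: response + 12-char SLD
    r = parse_response(pkt)
    return r["qr"] == 1 and len(r["sld"]) == sld_len
```

For this packet the parser yields qname mmmmmmmmmmmm.com with RCODE 3 (NXDOMAIN) and a 12-character second-level label, so the rule fires; the label being a single repeated character is what marks it as the false positive described above.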
Action:
- None
Comments: