{"id":5691,"date":"2023-08-31T07:27:51","date_gmt":"2023-08-31T07:27:51","guid":{"rendered":"\/cybersecurity-blog\/?p=5691"},"modified":"2023-08-31T07:32:03","modified_gmt":"2023-08-31T07:32:03","slug":"release-notes-august-2023","status":"publish","type":"post","link":"\/cybersecurity-blog\/release-notes-august-2023\/","title":{"rendered":"Release Notes: New Config Extractors, Suricata Rules, and More\u00a0"},"content":{"rendered":"\n<p>Welcome back to <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=releasenotes0823&amp;utm_content=landing\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s monthly update series where we keep you in the loop on the progress we\u2019ve made.\u00a0<\/p>\n\n\n\n<p>Continuing from last month, the team at ANY.RUN has been hard at work. We&#8217;ve rolled out more features, ramped up our threat detection capabilities, and added new rules.&nbsp;<\/p>\n\n\n\n<p>Let&#8217;s dive into the details.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Product updates&nbsp;<\/h2>\n\n\n\n<p><strong>New detection logic for IPs, URLs, and domains<\/strong>. The overhauled logic enables more robust detection of malicious IPs, URLs, and domains.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">New malware config extractors and fixes&nbsp;<\/h2>\n\n\n\n<p>We\u2019ve added support for several new malware families and improved detection capabilities for families that were already supported.\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lu0Bot support&nbsp;&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/4696b947-92f0-4413-95dc-644c45ca99a6?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">Lu0Bot<\/a> uses Node.js and heavily obfuscates its code. 
It starts by unpacking an SFX archive, passes the byte data to Node.js as input, then decrypts and executes the main JS code. Its functions include string decryption using its own set of routines such as Base64 and RC4, domain assembly, PC information collection, and AES-128-CBC encryption of its traffic.\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"974\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26.png\" alt=\"Lu0Bot support\u00a0in ANY.RUN\" class=\"wp-image-5693\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26.png 974w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26-300x181.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26-768x463.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26-370x223.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26-270x163.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26-740x446.png 740w\" sizes=\"(max-width: 974px) 100vw, 974px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Strela extractor and new YARA rules&nbsp;&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/958383cf-6dda-4eae-a362-29de874c313a\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">Strela<\/a> is a stealer that specializes in stealing email credentials from the Thunderbird and Outlook applications. 
The malware itself is relatively simple, but its analysis is complicated by the packer layer.\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"974\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26.png\" alt=\"Strela extractor and new YARA rules\u00a0\u00a0 in ANY.RUN\" class=\"wp-image-5692\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26.png 974w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26-300x181.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26-768x463.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26-370x223.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26-270x163.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-26-740x446.png 740w\" sizes=\"(max-width: 974px) 100vw, 974px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">RaccoonClipper extractor and new YARA rules&nbsp;&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/edc3ca24-bc9b-4737-bae1-b6b456f8ac95?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">RaccoonClipper<\/a> is a clipper from the developers of RaccoonStealer. 
This malware accesses the clipboard and swaps cryptocurrency wallet addresses copied by\u00a0its victims with addresses belonging to the attackers.\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"977\" height=\"660\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-27.png\" alt=\"RaccoonClipper extractor in ANY.RUN\" class=\"wp-image-5694\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-27.png 977w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-27-300x203.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-27-768x519.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-27-370x250.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-27-270x182.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2023\/08\/image-27-740x500.png 740w\" sizes=\"(max-width: 977px) 100vw, 977px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Fixed extractor and rules for LummaStealer\u00a0\u00a0<\/h3>\n\n\n\n<p>We\u2019ve updated the <a href=\"https:\/\/app.any.run\/tasks\/84d21e26-a5d6-4470-b32f-42c1507f0514?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">LummaStealer<\/a> rule and extractor to handle the changes implemented in the latest versions of this malware family:\u00a0<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Newer versions no longer include a build number.&nbsp;<\/li>\n\n\n\n<li>Supports additional C2s, with priority given to mirror domains.&nbsp;<\/li>\n\n\n\n<li>The server response is now plain text containing a base64-encoded XOR key and a JSON config.&nbsp;<\/li>\n\n\n\n<li>Operates in both stealer and bootloader modes.&nbsp;<\/li>\n\n\n\n<li>A hash is included in the config if a mirror exists; &#8220;default&#8221; is used if not.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The fix also addresses sample processing issues. 
In addition, config extraction is now compatible with the latest LummaID and C2 formats.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Additional updates and fixes&nbsp;<\/h2>\n\n\n\n<p>We&#8217;ve added a rule to detect KrakenStealer, also known as KrakenKeylogger, which is simply called <a href=\"https:\/\/app.any.run\/tasks\/a2a35c2d-ac14-4086-9e33-97a3257224dd?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">Kraken<\/a>. 
Written in .NET (VB), this malware steals browser data and account information, operates as a keylogger, takes screenshots, and lacks obfuscation. While many AV vendors incorrectly label it as SnakeKeylogger or MassKeylogger, our team made sure not to make that mistake. The malware exfiltrates data via one of the configured methods: SMTP, FTP, or Telegram.\u00a0<\/p>\n\n\n\n<p>Another small fix concerned <a href=\"https:\/\/app.any.run\/tasks\/bf175d50-9bd0-40af-8779-9a4bc340f7f4\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">AZORult<\/a>. Some samples weren&#8217;t processed by the extractor; this issue is now resolved. However, samples often finish executing before the extractor completes. \u00a0<\/p>\n\n\n\n<p><strong>More additions include:\u00a0<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Updated extractor and YARA for Go LaplasClipper variants&nbsp;<\/li>\n\n\n\n<li>Updated RaccoonStealer extractor and YARA&nbsp;<\/li>\n\n\n\n<li>Updated extractor and YARA for StealC&nbsp;<\/li>\n\n\n\n<li>Updated Remcos extractor and YARA&nbsp;<\/li>\n\n\n\n<li>Separated tags between StormKitty and AsyncRAT&nbsp;<\/li>\n\n\n\n<li>Added support for extracting configuration from new XWorm types.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Network rules&nbsp;<\/h2>\n\n\n\n<p>In August, we focused heavily on network rules, writing 120 new Suricata rules. Here\u2019s some of the work worth highlighting:&nbsp;<\/p>\n\n\n\n<p><strong>New rules for detecting PovertyStealer activity: <\/strong>our rules for PovertyStealer were updated due to changes in the malware&#8217;s behavior. 
Check out the task on <a href=\"https:\/\/app.any.run\/tasks\/7bcdd299-9044-47f2-b8a0-9133e2e7728c?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> for details. Big thanks to the community and <a href=\"https:\/\/twitter.com\/g0njxa\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">g0njxa on Twitter<\/a> for catching this change. Our detection updates are shared <a href=\"https:\/\/community.emergingthreats.net\/t\/poverty-stealer\/839\/5\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">here<\/a>.\u00a0<\/p>\n\n\n\n<p><strong>August&#8217;s improvements in phishing detection.<\/strong> This month, we amped up our research on phishing, resulting in 51 new network rules. We analyzed extensive data sets from saved phishing sites, scavengers, and author tags. Our work in phishing detection is ongoing.&nbsp;<\/p>\n\n\n\n<p><strong>Fine-tuning file sharing policy violations<\/strong>. To avoid false positives, the rules related to file downloads from sharing services were calibrated. We now estimate the number of bytes received, so that not every service call is flagged.&nbsp;<\/p>\n\n\n\n<p><strong>Expanded clipper malware detection<\/strong>.\u00a0We added rules to catch the new Raccoon Clipper Activity variant. Have a look at the sandbox task <a href=\"https:\/\/app.any.run\/tasks\/4b445ff5-11de-4ac9-b208-6fd9c337d714?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a> for more details.\u00a0<\/p>\n\n\n\n<p><strong>.lnk file rule update. <\/strong>If a .lnk file contains a reference to an external DLL, you&#8217;ll now get notified via our new rule: SUSPICIOUS [ANY.RUN] Windows Shortcut File containing DLL on external server. 
Check out the basis for this rule <a href=\"https:\/\/app.any.run\/tasks\/d4a1f367-411b-4758-bb01-5180729b5486\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.\u00a0<\/p>\n\n\n\n<p><strong>BroExt payload and loader rules. <\/strong>We&#8217;ve rolled out new rules for BroExt. For payloads, we flag Base64-encoded, XORed Windows executables, with specific versions of the rule for BroExt and Oilrig. On the loader side, we&#8217;ve implemented a new rule focused on BroExt, potentially linked to Oilrig.&nbsp;<\/p>\n\n\n\n<p><strong>Rule update for Phemedrone Stealer detection. <\/strong>Phemedrone Stealer is now detectable via our newly implemented rule number 8000618. This enhances our ability to spot its reporting activity.&nbsp;<\/p>\n\n\n\n<p><strong>Extending coverage for Havoc C2.<\/strong> Our rules for detecting Havoc, a modern command-and-control framework, have been extended. The new rule, BACKDOOR [ANY.RUN] Havoc (DEMON_MAGIC_VALUE), does the job. Take a look at a <a href=\"https:\/\/app.any.run\/tasks\/432b347c-4f84-4b11-9e46-c0d585d9c90a\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">sample with decrypted traffic<\/a>.\u00a0<\/p>\n\n\n\n<p><strong>ICMP tunnel backdoor flagged.<\/strong> A backdoor using an ICMP tunnel and UDP traffic is now flagged under BACKDOOR [ANY.RUN] ShellcodeRunner. This threat previously appeared under Chinese names. More info is available <a href=\"https:\/\/app.any.run\/tasks\/14b12684-c8e0-4490-b545-558a6130f740\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.\u00a0<\/p>\n\n\n\n<p><strong>Monitoring Phoenix Miner activity. 
<\/strong>Phoenix Miner isn&#8217;t malware, but its network activity is worth noting. For this, we&#8217;ve rolled out the rule MINER [ANY.RUN] Phoenix Miner. Check it out <a href=\"https:\/\/app.any.run\/tasks\/742d698a-f7dc-4048-aaea-2cee4a4a240d\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.\u00a0<\/p>\n\n\n\n<p><strong>DBatLoader rule with unique detection technique. <\/strong>DBatLoader often uses channels that are rarely blocked, such as Discord and OneDrive. This August, we crafted rule number 8000634, which uses letter bigrams that do not occur in English, to catch 17 samples. Searches can be conducted using the rule number.&nbsp;<\/p>\n\n\n\n<p><strong>JsOutProx rule enhancements.<\/strong> JsOutProx is an intricate attack framework blending JavaScript and .NET. We&#8217;ve updated our existing rules to catch minor variations in content and HTTP headers.&nbsp;<\/p>\n\n\n\n<p><strong>StealC rules updated. <\/strong>Five new rules for Win32\/StealC have been rolled out. Community engagement helped refine these rules, and we&#8217;ve shared our findings <a href=\"https:\/\/community.emergingthreats.net\/t\/stealc-stealer\/856\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">here<\/a>.\u00a0<\/p>\n\n\n\n<p><strong>DarkGate loader detected. <\/strong>We&#8217;ve added a new rule, LOADER [ANY.RUN] DarkGate (sid 8000655), following the release of DarkGate&#8217;s new version in May 2023.&nbsp;<\/p>\n\n\n\n<p><strong>RootTeam Stealer adjustments. <\/strong>We updated our rules for RootTeam Stealer due to changes in its HTTP protocol data. 
Updates have been posted in the <a href=\"https:\/\/community.emergingthreats.net\/t\/rootteam-stealer-and-overlap-issues-on-bandit-stealer-rule-detection\/744\/3\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Emerging Threats community thread<\/a>.\u00a0<\/p>\n\n\n\n<p><strong>Mustang Panda&#8217;s PUBLOAD tool flagged. <\/strong>The APT group Mustang Panda updated PUBLOAD by adding an extra layer of Base64 encoding. We caught this and implemented new LOADER [ANY.RUN] PUBLOAD Activity rules.&nbsp;<\/p>\n\n\n\n<p><strong>New rule for Kraken Stealer. <\/strong>Kraken Stealer now has a specific rule in our repository for FTP exfiltration detection.&nbsp;<\/p>\n\n\n\n<p><strong>Casbaneiro loader variant covered. <\/strong>We&#8217;ve added a rule for a loader variant of Casbaneiro, the Latin American banking trojan. The new rule is LOADER [ANY.RUN] Casbaneiro (sid 8000716).&nbsp;<\/p>\n\n\n\n<p><strong>Rare stealer rule discovered via Twitter. <\/strong>A search on Twitter led us to a rare stealer. 
We&#8217;ve named the rule STEALER [ANY.RUN] StlFun and extended our thanks to <a href=\"https:\/\/twitter.com\/crep1x\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">crep1x on Twitter<\/a> for the discovery.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Contributing to Emerging Threats Community&nbsp;<\/h2>\n\n\n\n<p>This month, we\u2019ve continued submitting rules to the Emerging Threats community. Here\u2019s the list of our main contributions:&nbsp;<\/p>\n\n\n\n<p><strong>Parallax RAT now detectable.<\/strong> Thanks to a <a href=\"https:\/\/twitter.com\/James_inthe_box\/status\/1689027430668025856?s=20\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Twitter tip<\/a>, we identified previously elusive Parallax RAT traffic. Our new rules (sid 8000638, 8000643, 8000644) have been shared on the <a href=\"https:\/\/community.emergingthreats.net\/t\/parallax-rat\/850\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Emerging Threats community page<\/a> and added to our repo.\u00a0<\/p>\n\n\n\n<p><strong>Mekotio rules boosted.<\/strong> Mekotio, mostly active in Latin America, is now easier to catch thanks to several new rules. Find sandbox samples under the <a href=\"https:\/\/app.any.run\/submissions\/#tag:mekotio\" target=\"_blank\" rel=\"noreferrer noopener\">#mekotio tag<\/a>. 
Our updates are also shared on the <a href=\"https:\/\/community.emergingthreats.net\/t\/mekotio\/895\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Emerging Threats community page<\/a>.\u00a0<\/p>\n\n\n\n<p><strong>New rule for DarkCloud stealer.<\/strong> We&#8217;ve pushed a proposed rule for DarkCloud stealer in the Emerging Threats community and implemented the STEALER [ANY.RUN] DarkCloud External IP Check. You can see the rule at work in this <a href=\"https:\/\/app.any.run\/tasks\/6c8cf072-e672-462d-99da-145f6430a475\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=task\" target=\"_blank\" rel=\"noreferrer noopener\">sample<\/a>.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up&nbsp;<\/h2>\n\n\n\n<p>Our team consistently monitors new threats to ensure that ANY.RUN&#8217;s detection capabilities remain at the forefront of the industry.&nbsp;&nbsp;<\/p>\n\n\n\n<p>ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Request a demo today and enjoy 14 days of free access to our Enterprise plan.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=releasenotes0823&amp;utm_content=trial\" target=\"_blank\" rel=\"noreferrer noopener\">Request demo \u2192<\/a>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome back to ANY.RUN\u2019s monthly update series where we keep you in the loop on the progress we\u2019ve made.\u00a0 Continuing from last month, the team at ANY.RUN has been hard at work. 
We&#8217;ve rolled out more features, ramped up our threat detection capabilities, and added new rules.&nbsp; Let&#8217;s dive into the details.&nbsp; Product updates&nbsp; New [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4099,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[57,34,56],"class_list":["post-5691","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-service-updates","tag-anyrun","tag-malware-analysis","tag-update"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Release Notes. New Config Extractors, Suricata Rules, and More<\/title>\n<meta name=\"description\" content=\"In August, ANY.RUN&#039;s added malware config extractors, improved existing Suricata network rules and contributed new rules to the community.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\n\t    \"@context\": \"https:\/\/schema.org\",\n\t    \"@graph\": [\n\t        {\n\t            \"@type\": \"Article\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/#article\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/\"\n\t            },\n\t            \"author\": {\n\t                \"name\": \"ANY.RUN\",\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"headline\": \"Release Notes: New Config Extractors, Suricata Rules, and More\u00a0\",\n\t            \"datePublished\": \"2023-08-31T07:27:51+00:00\",\n\t            \"dateModified\": \"2023-08-31T07:32:03+00:00\",\n\t            \"mainEntityOfPage\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/\"\n\t            },\n\t            \"wordCount\": 1420,\n\t            \"commentCount\": 0,\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"keywords\": [\n\t                \"ANYRUN\",\n\t                \"malware analysis\",\n\t                \"update\"\n\t            ],\n\t            \"articleSection\": [\n\t                \"Service Updates\"\n\t            ],\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"CommentAction\",\n\t                    \"name\": \"Comment\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/#respond\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebPage\",\n\t            \"@id\": 
\"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/\",\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/\",\n\t            \"name\": \"Release Notes. New Config Extractors, Suricata Rules, and More\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"datePublished\": \"2023-08-31T07:27:51+00:00\",\n\t            \"dateModified\": \"2023-08-31T07:32:03+00:00\",\n\t            \"description\": \"In August, ANY.RUN's added malware config extractors, improved existing Suricata network rules and contributed new rules to the community.\",\n\t            \"breadcrumb\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/#breadcrumb\"\n\t            },\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"ReadAction\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"BreadcrumbList\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/#breadcrumb\",\n\t            \"itemListElement\": [\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 1,\n\t                    \"name\": \"Home\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 2,\n\t                    \"name\": \"Service Updates\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/\"\n\t                },\n\t                {\n\t                    \"@type\": 
\"ListItem\",\n\t                    \"position\": 3,\n\t                    \"name\": \"Release Notes: New Config Extractors, Suricata Rules, and More\u00a0\"\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebSite\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN&#039;s Cybersecurity Blog\",\n\t            \"description\": \"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"SearchAction\",\n\t                    \"target\": {\n\t                        \"@type\": \"EntryPoint\",\n\t                        \"urlTemplate\": \"https:\/\/any.run\/?s={search_term_string}\"\n\t                    },\n\t                    \"query-input\": \"required name=search_term_string\"\n\t                }\n\t            ],\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Organization\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"logo\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"contentUrl\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"width\": 1,\n\t                \"height\": 1,\n\t                \"caption\": \"ANY.RUN\"\n\t            },\n\t            \"image\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t         
   \"sameAs\": [\n\t                \"https:\/\/www.facebook.com\/www.any.run\/\",\n\t                \"https:\/\/twitter.com\/anyrun_app\",\n\t                \"https:\/\/www.linkedin.com\/company\/30692044\",\n\t                \"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"Person\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN\",\n\t            \"image\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\n\t                \"contentUrl\": \"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\n\t                \"caption\": \"ANY.RUN\"\n\t            },\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"\n\t        }\n\t    ]\n\t}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Release Notes. New Config Extractors, Suricata Rules, and More","description":"In August, ANY.RUN's added malware config extractors, improved existing Suricata network rules and contributed new rules to the community.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Release Notes: New Config Extractors, Suricata Rules, and More\u00a0","datePublished":"2023-08-31T07:27:51+00:00","dateModified":"2023-08-31T07:32:03+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/"},"wordCount":1420,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","malware analysis","update"],"articleSection":["Service Updates"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/","url":"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/","name":"Release Notes. 
New Config Extractors, Suricata Rules, and More","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2023-08-31T07:27:51+00:00","dateModified":"2023-08-31T07:32:03+00:00","description":"In August, ANY.RUN's added malware config extractors, improved existing Suricata network rules and contributed new rules to the community.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-august-2023\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Service Updates","item":"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/"},{"@type":"ListItem","position":3,"name":"Release Notes: New Config Extractors, Suricata Rules, and More\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5691"}],"collection":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=5691"}],"version-history":[{"count":3,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5691\/revisions"}],"predecessor-version":[{"id":5698,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5691\/revisions\/5698"}],"wp:featuredmedia":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/4099"}],"wp:attachment":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=5691"}],"wp:term":[{"taxonomy":"category","embeddable":true
,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=5691"},{"taxonomy":"post_tag","embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=5691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}