546bf4fc684c5d1e17b204a28c795a414124335b6ef7cbadf52ae8fbadcb2a4a
This is an Anchor DNS variant, but also includes code for making ICMP echo requests.
The request uses a hardcoded 'hanc' string in the ICMP echo request, the last two bytes appear to be the command flag, similar to the DNS variant a command can be downloaded or even an entire file in small chunks.
Example ICMP packet:
<Ether dst=11:11:00:11:04:11 src=22:22:00:22:22:22 type=IPv4 |<IP version=4 ihl=5 tos=0x50 len=50 id=60659 flags= frag=0 ttl=53 proto=icmp chksum=0xa13d src=9.40.15.7 dst=192.168.100.200 |<ICMP type=echo-reply code=0 chksum=0xf228 id=0x1 seq=0x4 |<Raw load='hanc3496b937cead1870\x08\x00' |>>>>
Suricata rule:
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Anchor ICMP"; itype:8; content:"hanc"; depth:4; classtype:trojan-activity; sid:9000010; rev:4;)