[Emerging-Sigs] ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin

Arvind Kumar arvind.kumar12 at gmail.com
Thu Dec 21 19:05:35 HST 2017


Please find the attached signature and pcap file for your reference.

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Win32/Backdoor.Agent.qweydh CnC Checkin"; flow:established,to_server;
content:"GET"; http_method; content:"/api/up.php|20|HTTP|2F|1|2E|1|0d
0A|Host|3A|"; offset:4; depth:30; fast_pattern;
content:!"Content-Type:"; http_header; content:!"Accept:"; http_header;
content:!"User-Agent:"; http_header; metadata:former_category TROJAN;
reference:md5,5dcc10711305c0bd4c8290eaae660ef3;
classtype:trojan-activity; sid:2xxxxxx; rev:1; metadata:affected_product
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint,
deployment Perimeter, signature_severity Major, created_at 2017_12_22,
malware_family Agent, performance_impact Moderate, updated_at 2017_12_22;)



Warm regards

Arvind Kumar
Attachment: 5dcc10711305c0bd4c8290eaae660ef3.pcap (application/octet-stream, 42538 bytes)
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20171222/48a00b26/attachment-0001.obj>
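The following checker is an added example written for this archive page; it is not code from the original post, from Emerging Threats or from Suricata. It reproduces the submitted rule's matching logic in Python over constructed HTTP requests (no traffic from the attached pcap is used): it decodes the pipe-hex content notation (`|20|`, `|0d 0A|`) into bytes, applies the `offset:4; depth:30` window of the positive content match, and enforces the three negated `http_header` matches, so that a request matches only when the `/api/up.php` request line is present AND the Content-Type, Accept and User-Agent headers are all absent. The sample requests, the hostname `example.invalid` and the function names are constructed for the example.

```python
import re

# Suricata/Snort content notation: text outside |...| is literal, hex pairs
# inside pipes (whitespace allowed) are raw bytes.
_HEX_RE = re.compile(r"\|([0-9A-Fa-f \t]+)\|")


def decode_content(pattern: str) -> bytes:
    """Decode a rule 'content' string into the bytes it matches."""
    out = bytearray()
    pos = 0
    for m in _HEX_RE.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(re.sub(r"\s", "", m.group(1)))
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


# Positive match from the rule (the fast_pattern): 27 bytes that must sit
# inside the raw payload window starting at offset 4 and spanning 30 bytes.
CHECKIN_CONTENT = decode_content("/api/up.php|20|HTTP|2F|1|2E|1|0d 0A|Host|3A|")
OFFSET, DEPTH = 4, 30

# Negated http_header matches: these header names must NOT appear.
# The rule has no 'nocase', so the comparison is case-sensitive here too.
ABSENT_HEADERS = (b"Content-Type:", b"Accept:", b"User-Agent:")


def split_request(raw: bytes):
    """Return (request_line, header_block) of a raw HTTP request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    line, _, headers = head.partition(b"\r\n")
    return line, headers


def matches_rule(raw: bytes) -> bool:
    """True when the request satisfies every condition of the rule."""
    line, headers = split_request(raw)
    if not line.startswith(b"GET "):                 # content:"GET"; http_method
        return False
    window = raw[OFFSET:OFFSET + DEPTH]              # offset:4; depth:30
    if CHECKIN_CONTENT not in window:                # the checkin request line
        return False
    for name in ABSENT_HEADERS:                      # content:!"..."; http_header
        if name in headers:
            return False
    return True


def evaluate(samples: dict) -> dict:
    """Run the checker over named sample requests; returns name -> matched."""
    return {name: matches_rule(raw) for name, raw in samples.items()}


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # Bare request with only a Host header: what the rule is written for.
    "checkin": (b"GET /api/up.php HTTP/1.1\r\n"
                b"Host: example.invalid\r\n\r\n"),
    # Same path, but a browser-style request carrying User-Agent and Accept.
    "browser": (b"GET /api/up.php HTTP/1.1\r\n"
                b"Host: example.invalid\r\n"
                b"User-Agent: Mozilla/5.0\r\n"
                b"Accept: */*\r\n\r\n"),
    # Bare request to a different path: positive content does not match.
    "other_path": (b"GET /index.html HTTP/1.1\r\n"
                   b"Host: example.invalid\r\n\r\n"),
    # Same path and headers but wrong method.
    "post": (b"POST /api/up.php HTTP/1.1\r\n"
             b"Host: example.invalid\r\n\r\n"),
}

if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{name:11s} -> {'ALERT' if hit else 'no match'}")
```

Only the `checkin` sample fires; the `browser` sample shows why the negated header matches matter for false-positive control, since a normal client fetching the same path carries User-Agent and Accept headers and is left alone.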