[Emerging-Sigs] ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin

Jack Mott jmott at emergingthreats.net
Fri Dec 22 05:05:09 HST 2017


Hi Arvind,

Thanks for sending this in-- looks like there's some more network activity
happening around these requests (from other samples) so we can get a couple
more sigs in for it. Thanks again for the share!

2301faf17fb7854328e918df5f7b9645
4265404b243932d74e85e45ed210d9bd

Best,

Jack

On Thu, Dec 21, 2017 at 10:05 PM, Arvind Kumar <arvind.kumar12 at gmail.com>
wrote:

> Please find the attached signature and pcap file for your reference
>
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Win32/Backdoor.Agent.qweydh CnC Checkin"; flow:established,to_server;
> content:"GET"; http_method;
> content:"/api/up.php|20|HTTP|2F|1|2E|1|0d 0A|Host|3A|"; offset:4; depth:30;
> fast_pattern; content:!"Content-Type:"; http_header; content:!"Accept:";
> http_header; content:!"User-Agent:"; http_header;
> metadata: former_category TROJAN;
> reference:md5,5dcc10711305c0bd4c8290eaae660ef3;
> classtype:trojan-activity; sid:2xxxxxx; rev:1; metadata:affected_product
> Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint,
> deployment Perimeter, signature_severity Major, created_at 2017_12_22,
> malware_family Agent, performance_impact Moderate, updated_at 2017_12_22; )
>
>
>
> Warm regards
>
> Arvind Kumar
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
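The rule above keys on a very specific shape of request: a GET for /api/up.php, with "Host:" as the first header immediately after "HTTP/1.1", and no Content-Type, Accept or User-Agent headers at all. The following Python emulation is an added example, not part of the thread or of the ET ruleset, and is meant only for reasoning offline about which requests the rule's conditions accept and reject; the sample requests are constructed, not taken from the submitted pcap. The real check is still to run the rule in Suricata or Snort against that pcap.

```python
"""Emulate the matching logic of the posted ET TROJAN CnC Checkin rule.

Added example; not code from the ET ruleset or from the thread.
The request samples below are constructed for illustration.
"""

# content:"/api/up.php|20|HTTP|2F|1|2E|1|0d 0A|Host|3A|" with the |hex| escapes decoded
MARKER = b"/api/up.php HTTP/1.1\r\nHost:"
OFFSET, DEPTH = 4, 30  # offset:4; depth:30 -> the match must lie inside bytes [4, 34)
# content:!"..."; http_header -> header names that must be absent
ABSENT_HEADERS = (b"content-type:", b"accept:", b"user-agent:")


def matches_checkin(request: bytes) -> bool:
    """Return True when the raw request satisfies every condition of the rule."""
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    # content:"GET"; http_method
    if not lines[0].startswith(b"GET "):
        return False
    # raw-buffer content match constrained by offset/depth
    if MARKER not in request[OFFSET:OFFSET + DEPTH]:
        return False
    # http_header buffer: header lines after the request line; negated matches
    headers = [line.lower() for line in lines[1:]]
    for name in ABSENT_HEADERS:
        if any(h.startswith(name) for h in headers):
            return False
    return True


# Constructed samples: one the rule should fire on, three it should not.
SAMPLES = {
    "bare_checkin": (
        b"GET /api/up.php HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n\r\n"
    ),
    "browser_like": (
        b"GET /api/up.php HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"Accept: */*\r\n\r\n"
    ),
    "post_not_get": (
        b"POST /api/up.php HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n\r\n"
    ),
    "host_not_first": (
        b"GET /api/up.php HTTP/1.1\r\n"
        b"Connection: close\r\n"
        b"Host: c2.example.invalid\r\n\r\n"
    ),
}


def scan(samples=SAMPLES):
    """Map each sample name to whether the emulated rule fires on it."""
    return {name: matches_checkin(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:16s} {'ALERT' if hit else 'no match'}")
```

The "host_not_first" sample is the caveat worth keeping in mind: because the raw content match pins "Host:" to the bytes right after the request line, any client that emits another header first (or uses HTTP/1.0) falls outside the rule. That is what makes it specific to this sample's minimal HTTP client and keeps ordinary browser traffic to a same-named path from alerting, but it also means a trivially changed client will need a revised signature.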