[Emerging-Sigs] QRAT

Attack Detection attackdetectionteam at gmail.com
Sun Feb 25 02:52:55 HST 2018


Hello, we want to share a signature on Qrat.

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS ( \
    msg:"ET TROJAN [PTsecurity] QRat.Java.RAT (state_alive)"; \
    flow:established,to_server; \
    content:"|01 01 00 11 7B 22 73 74 61 74 65 22 3A 22 61 6C 69 76 65 22 7D|"; \
    classtype:trojan-activity; \
    metadata:id_345876,created_at 2017_9_22; \
    sid:10001957; rev:2;)

https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/
https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/

IOC:

PCAP:
https://www.dropbox.com/sh/fpzu25ad63j9nim/AABR-xEisz0FOU6V59D7hZ8Ia?dl=0

Best regards,
John.
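As an added example that is not part of the original post, the following Python script converts the rule's pipe-hex content match to bytes, applies it to constructed (not captured) payloads, and decodes the matched bytes as a framed message. The framing interpretation (two header bytes, a two-byte big-endian length, then JSON) is an assumption inferred from the bytes themselves, since 0x0011 equals the 17-byte length of {"state":"alive"}; it is not stated in the post.

```python
import json

# "state_alive" content match from the rule in the post (Snort/Suricata pipe-hex notation)
RULE_CONTENT = '|01 01 00 11 7B 22 73 74 61 74 65 22 3A 22 61 6C 69 76 65 22 7D|'


def content_to_bytes(content: str) -> bytes:
    """Convert a rule content string (literal text mixed with |hex| runs) to raw bytes."""
    out = bytearray()
    for i, part in enumerate(content.split('|')):
        if i % 2:  # odd-numbered segments sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(' ', ''))
        else:      # even-numbered segments are literal characters
            out += part.encode('latin-1')
    return bytes(out)


PATTERN = content_to_bytes(RULE_CONTENT)


def split_frame(payload: bytes):
    """Assumed framing: 2 header bytes, 2-byte big-endian body length, JSON body.
    Returns (header, parsed_json) or None if the payload does not fit that shape."""
    if len(payload) < 4:
        return None
    header, length = payload[:2], int.from_bytes(payload[2:4], 'big')
    body = payload[4:4 + length]
    if len(body) != length:
        return None
    try:
        return header, json.loads(body.decode('ascii'))
    except (UnicodeDecodeError, ValueError):
        return None


def matches(payload: bytes) -> bool:
    """Mimic the rule's content match: the byte pattern anywhere in the client-to-server payload."""
    return PATTERN in payload


# Constructed sample payloads for demonstration; none of these are captured traffic.
SAMPLES = {
    "alive_beacon": PATTERN,
    "alive_with_trailer": PATTERN + b"\x00\x00",
    "other_state": b"\x01\x01\x00\x10" + b'{"state":"idle"}',  # same framing, different body: no alert
    "http_like": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def scan(samples: dict) -> dict:
    """Return which constructed payloads the rule's content match would fire on."""
    return {name: matches(payload) for name, payload in samples.items()}
```

Because the rule matches only the exact "alive" body, the "other_state" sample shows that a variant with a different JSON state would pass unnoticed, which is the usual caveat for a single-content signature.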