[Emerging-Sigs] QRAT

Jason Williams jwilliams at emergingthreats.net
Sun Feb 25 04:28:56 HST 2018


John,

Thanks very much! We will QA this for inclusion in the set tomorrow.

Best,

Jason

On Sun, Feb 25, 2018 at 6:52 AM, Attack Detection <attackdetectionteam at gmail.com> wrote:

> Hello, we want to share a signature on Qrat.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "ET TROJAN [PTsecurity] QRat.Java.RAT (state_alive)"; flow: established, to_server; content: "|01 01 00 11 7B 22 73 74 61 74 65 22 3A 22 61 6C 69 76 65 22 7D|"; classtype: trojan-activity; metadata: id_345876, created_at 2017_9_22; sid: 10001957; rev: 2;)
>
> https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/
> https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/
>
> IOC:
>
> PCAP:
> https://www.dropbox.com/sh/fpzu25ad63j9nim/AABR-xEisz0FOU6V59D7hZ8Ia?dl=0
>
> Best regards,
> John.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
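As an added illustration, not part of either message above, here is a small Python check of the content bytes in John's rule: it decodes the hex into the framing the bytes appear to use (two leading bytes, a big-endian length, then the JSON body), confirms that the length field matches `{"state":"alive"}`, and applies the rule's unanchored content match to a few constructed payloads. The framing split and the `frame()` helper are assumptions made here for illustration; the rule itself only states the raw bytes.

```python
import json

# Content match copied from the QRat.Java.RAT (state_alive) rule quoted above.
RULE_CONTENT_HEX = "01 01 00 11 7B 22 73 74 61 74 65 22 3A 22 61 6C 69 76 65 22 7D"
RULE_CONTENT = bytes.fromhex(RULE_CONTENT_HEX)


def split_match(content: bytes):
    """Split the rule bytes into the framing they suggest (assumption, not from
    the rule): 2 leading bytes (01 01), a 2-byte big-endian length (00 11 = 17),
    and the body that follows."""
    header = content[:2]
    length = int.from_bytes(content[2:4], "big")
    body = content[4:]
    return header, length, body


def check_rule_content() -> bool:
    """Sanity check on the rule: the length field covers exactly the body, and
    the body is the compact JSON object {"state":"alive"}."""
    header, length, body = split_match(RULE_CONTENT)
    return header == b"\x01\x01" and length == len(body) and json.loads(body) == {"state": "alive"}


def frame(msg: dict) -> bytes:
    """Build a message under the assumed framing (hypothetical helper used only
    to construct test payloads): 01 01, big-endian length, compact JSON body."""
    body = json.dumps(msg, separators=(",", ":")).encode()
    return b"\x01\x01" + len(body).to_bytes(2, "big") + body


def matches_state_alive(payload: bytes) -> bool:
    """The rule has no offset/depth, so the match is unanchored within the
    to_server payload, exactly as a plain content: match behaves."""
    return RULE_CONTENT in payload


# Constructed payloads, not captured traffic: one alive beacon with leading
# bytes, one differently-framed state message, one unrelated HTTP request.
SAMPLE_PAYLOADS = [
    b"\x00\x00" + frame({"state": "alive"}),
    b"\x01\x01\x00\x10" + b'{"state":"idle"}',
    b"GET / HTTP/1.1\r\n\r\n",
]


def alerts(payloads) -> list:
    """Indices of payloads the rule's content match would fire on."""
    return [i for i, p in enumerate(payloads) if matches_state_alive(p)]
```

Only the first constructed payload trips the content match; the rule's `flow: established, to_server` and `!$HTTP_PORTS` conditions are evaluated by the engine on the flow, not on these bytes.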