[Emerging-Sigs] Info Stealer signature

Jason Williams jwilliams at emergingthreats.net
Fri Nov 1 06:35:53 HDT 2019


Thanks very much for passing the rule over! We actually have something
similar for this in the ETPRO set which we will update and move to open.

Here is the rule as it will be updated for Suricata 5.0:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE
Win32/CryptInject.BE!MTB Stealer CnC Checkin"; flow:established,to_server;
http.method; content:"POST"; http.uri; content:".php"; endswith;
http.request_body; content:"logs=ey"; startswith; fast_pattern;
isdataat:10000,relative;
http_header_names; content:!"Referer";
classtype:command-and-control; sid:2838484; rev:3;)

On Fri, Nov 1, 2019 at 2:37 AM Tushar Bhatia <tushar1988 at gmail.com> wrote:

> Hi
> Please consider another sig I wrote during Suricon 2019 Threat Hunting
> Training - for an unknown info stealer mentioned in
> https://twitter.com/James_inthe_box/status/1187689326353600512
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "ET MALWARE Info
> Stealer Traffic Detected"; flow: established, to_server; content: "POST";
> http_method; content: "/api.php"; http_uri; content: !"Accept";
> http_header; content: !"Referer"; http_header; content:
> "logs=eyAibG9nIjoi"; http_client_body; depth: 17; fast_pattern;
> classtype:trojan-activity; metadata: protocols http, protocols tcp, malware
> post-infection, infected src_ip, hostile dest_ip, attack_target client;
> reference:md5, fb00643ca89ccde719775787fd1b9d44; sid:100001; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
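Added example, not part of either message above and not code from Emerging Threats or Suricata: a small Python approximation of the content checks in both rules (sid:2838484 in the Suricata 5 sticky-buffer form and Tushar's sid:100001 in legacy modifier form), run over constructed HTTP POST check-ins. The matcher re-implements only the keywords the two rules use (method, URI, body content with startswith/depth, isdataat, negated header content), so it shows on what kind of request each rule fires and where they diverge. The host name, the body sizes and the JSON padding are constructed; the only non-constructed detail is that the base64 prefix "eyAibG9nIjoi" from the rule decodes to the nine bytes `{ "log":"`.

```python
"""Approximate matcher for the two Suricata rules in this thread, run over
constructed HTTP requests. Added example code, not the ET rule set and not
Suricata: it re-implements only the content checks the two rules use."""
import base64
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: List[Tuple[str, str]]  # (name, value) in wire order
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser, sufficient for the constructed samples below."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.decode(), value.strip().decode()))
    return HttpRequest(method.decode(), uri.decode(), headers, body)


def etpro_2838484(req: HttpRequest) -> bool:
    """sid:2838484 (Suricata 5 sticky buffers). Matches are case-sensitive
    because the rule sets no nocase."""
    if req.method != "POST":                 # http.method; content:"POST"
        return False
    if not req.uri.endswith(".php"):         # http.uri; content:".php"; endswith
        return False
    pat = b"logs=ey"
    if not req.body.startswith(pat):         # http.request_body; content:"logs=ey"; startswith
        return False
    # isdataat:10000,relative: at least 10000 bytes must follow the end of the last match
    if len(req.body) - len(pat) < 10000:
        return False
    # http_header_names; content:!"Referer": this buffer holds header names only
    if any(name == "Referer" for name, _ in req.headers):
        return False
    return True


def et_100001(req: HttpRequest) -> bool:
    """sid:100001 (legacy modifiers). The http_header buffer holds whole header
    lines, so a negated content:"Accept" also fails on e.g. Accept-Encoding."""
    if req.method != "POST":                 # content:"POST"; http_method
        return False
    if "/api.php" not in req.uri:            # content:"/api.php"; http_uri
        return False
    header_buf = "\r\n".join(f"{n}: {v}" for n, v in req.headers)  # approximates http_header
    if "Accept" in header_buf or "Referer" in header_buf:           # content:!"Accept"; content:!"Referer"
        return False
    # depth:17 with a 17-byte pattern means the match must start at body offset 0
    return req.body[:17] == b"logs=eyAibG9nIjoi"


def build_checkin(uri: str, log_bytes: int, extra_headers=()) -> bytes:
    """Constructed check-in whose body is logs=<base64 JSON>. The JSON is padded
    with 'A's; its first nine bytes { "log":" base64-encode to eyAibG9nIjoi."""
    log = '{ "log":"' + "A" * log_bytes + '"}'
    body = b"logs=" + base64.b64encode(log.encode())
    headers = [
        ("Host", "c2.example.invalid"),  # constructed host, not a real C2
        ("Content-Type", "application/x-www-form-urlencoded"),
        ("Content-Length", str(len(body))),
    ] + list(extra_headers)
    head = f"POST {uri} HTTP/1.1\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers)
    return head.encode() + b"\r\n" + body


# Constructed samples chosen to separate the two rules
SAMPLES = {
    "big_checkin": build_checkin("/api.php", 12000),      # both fire
    "small_checkin": build_checkin("/api.php", 100),      # too short for isdataat:10000
    "other_php": build_checkin("/gate.php", 12000),       # URI is not /api.php
    "with_referer": build_checkin("/api.php", 12000, [("Referer", "http://c2.example.invalid/")]),
    "accept_encoding": build_checkin("/api.php", 12000, [("Accept-Encoding", "gzip")]),
}


def evaluate(raw: bytes) -> dict:
    """Return which of the two rules fires on one raw request."""
    req = parse_request(raw)
    return {"2838484": etpro_2838484(req), "100001": et_100001(req)}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16s} {evaluate(raw)}")
```

Two things the samples make visible: the ETPRO rule's isdataat:10000 only fires on large uploads, so a small first check-in is left to the looser sid:100001, while sid:100001's negated content on the whole http_header buffer also drops any request carrying Accept-Encoding or Accept-Language. Note also that Suricata's normalized http.uri buffer includes the query string, so the endswith check in sid:2838484 would not match a URI such as /api.php?id=1.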