[Emerging-Sigs] New Agenttesla email exfil sig

James Lay jlay at slave-tothe-box.net
Mon Nov 18 11:34:54 HST 2019


Pimped out thanks.

On 2019-11-18 14:28, Jack Mott wrote:
> Thanks James!
> 
> We have something for this going out today but I’ll mod to OPEN.
> 
> Best,
> 
> Jack
> 
> On Mon, Nov 18, 2019 at 14:27 James Lay <jlay at slave-tothe-box.net>
> wrote:
> 
>> Cause these clowns keep modding this junk:
>> 
>> alert tcp any any -> any 25,465,587 (msg:"TROJAN: New AgentTesla Email Exfil"; flow:established,to_server; content:"Subject:"; content:"|2f|"; within:50; content:"|3c|br|3e|User Name:"; content:"|3c|br|3e|OSFullName:"; classtype:trojan-activity; sid:20166308; rev:1; metadata:created_at 2019_11_16;)
>> 
>> James
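
The content chain of the rule quoted above, re-expressed as a small Python matcher to show how an IDS engine evaluates it. This is an added example, not code from the thread or from Emerging Threats; the function names and all sample payloads are constructed for illustration.

```python
# Content matches from the rule in the thread (sid:20166308), in rule order.
SUBJECT = b"Subject:"
SLASH = b"\x2f"                    # |2f|
USER = b"\x3cbr\x3eUser Name:"     # |3c|br|3e|User Name:
OSNAME = b"\x3cbr\x3eOSFullName:"  # |3c|br|3e|OSFullName:
WITHIN = 50
PORTS = {25, 465, 587}


def slash_within(payload: bytes) -> bool:
    """content:"|2f|"; within:50; is relative to the END of a Subject: match.
    Every Subject: occurrence is tried, mirroring the engine's backtracking."""
    start = payload.find(SUBJECT)
    while start != -1:
        end = start + len(SUBJECT)
        if SLASH in payload[end:end + WITHIN]:
            return True
        start = payload.find(SUBJECT, start + 1)
    return False


def rule_matches(dst_port: int, payload: bytes) -> bool:
    """Client-to-server payload check. The last two contents carry no
    distance/within modifier, so they may match anywhere in the payload.
    All matches are case-sensitive because the rule has no nocase."""
    if dst_port not in PORTS:
        return False
    return slash_within(payload) and USER in payload and OSNAME in payload


# Constructed sample payloads (not captured traffic).
HIT = (b"Subject: sample-user/SAMPLE-HOST\r\n\r\n<html>Time: 00:00"
       b"<br>User Name: sample-user<br>OSFullName: Sample OS<br></html>")
BENIGN = b"Subject: Q3/Q4 report\r\n\r\n<html>Hello<br>see attached</html>"
# within:50 counts bytes, not header lines: the "/" of a following
# Content-Type header also satisfies it.
HEADER_SLASH = b"Subject: hello\r\nContent-Type: text/html\r\n\r\n"
# A "/" more than 50 bytes past the end of "Subject:" does not satisfy it.
FAR_SLASH = b"Subject: " + b"A" * 60 + b"/x"

if __name__ == "__main__":
    for name in ("HIT", "BENIGN", "HEADER_SLASH", "FAR_SLASH"):
        print(name, rule_matches(587, globals()[name]))
```

Content matches only see cleartext, so the rule fires on unencrypted SMTP sessions; traffic on these ports that is wrapped in TLS is opaque to it.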

