[Emerging-Sigs] L4L Stealer Sigs

Jack Mott jmott at emergingthreats.net
Thu Oct 31 22:35:06 HDT 2019


Thanks Travis,

Looks like these went in yesterday's release.

Best,

Jack

On Thu, Oct 31, 2019 at 4:51 PM Travis Green <travis at travisgreen.net> wrote:

> All, We also sig'd up a CN language MSIL Stealer during the Suricon 2019
> Threat Hunting class in beautiful Amsterdam:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.L4L
> Stealer IP Check"; flow:established,to_server; content:"GET"; http_method;
> content:".php?action=getIP"; http_uri; endswith; http_header_names;
> content:!"User-Agent"; content:!"Referer"; content:!"Accept";
> reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:trojan-activity;
> sid:1003930; rev:1;)
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.L4L
> Stealer Screenshot Exfiltration"; flow:established,to_server;
> content:"POST"; http_method; content:".php?action=upload&host="; http_uri;
> content:"@"; http_uri; distance:0; http_header_names;
> content:!"User-Agent"; content:!"Referer"; content:!"Accept"; pkt_data;
> content:"filename=|22|screenshot_"; http_client_body; content:".jpeg|22|";
> distance:0; http_client_body;
> reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:trojan-activity;
> sid:1003931; rev:1;)
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.L4L
> Stealer Systeminfo Exfiltration"; flow:established,to_server;
> content:"POST"; http_method; content:".php?action=upload&host="; http_uri;
> content:"@"; http_uri; distance:0; http_header_names;
> content:!"User-Agent"; content:!"Referer"; content:!"Accept"; pkt_data;
> content:"filename=|22|system.info|22|"; http_client_body;
> reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:trojan-activity;
> sid:1003932; rev:1;)
>
> Suggestions/improvements/comments welcomed,
> -T
>
> --
> travisgreen.net
> PGP key <http://travisgreen.net/assets/travis@travisgreen.net.asc>
> calendly.com/travisgreen
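To sanity-check what the three quoted rules actually require before deploying them, the following added example (not code from the post, from Travis, or from Emerging Threats) re-implements their match conditions in plain Python and runs them over constructed HTTP requests; the host name, URI path and multipart body are invented sample values.

```python
# Added example: mirrors the match logic of the three L4L Stealer rules above
# (sids 1003930-1003932) so they can be exercised offline. Not Suricata itself.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, header_names, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _ = lines[0].split(b" ", 2)
    names = {l.split(b":", 1)[0].strip().lower() for l in lines[1:] if b":" in l}
    return method, uri, names, body

# Negated header checks shared by all three rules (content:!"User-Agent" ...)
MISSING = {b"user-agent", b"referer", b"accept"}
UPLOAD_URI = b".php?action=upload&host="

def match_ip_check(raw: bytes) -> bool:
    """sid 1003930: GET, URI ends with .php?action=getIP, no UA/Referer/Accept."""
    m, uri, names, _ = parse_request(raw)
    return m == b"GET" and uri.endswith(b".php?action=getIP") and not (names & MISSING)

def match_upload(raw: bytes, first: bytes, second: bytes = None) -> bool:
    """Shared logic of sids 1003931/1003932: POST, upload URI followed by '@'
    (distance:0), no UA/Referer/Accept, filename pattern in the body.
    `second` is the content:".jpeg|22|"; distance:0 clause of the screenshot rule."""
    m, uri, names, body = parse_request(raw)
    if m != b"POST" or names & MISSING:
        return False
    i = uri.find(UPLOAD_URI)
    if i < 0 or b"@" not in uri[i + len(UPLOAD_URI):]:
        return False
    j = body.find(first)
    if j < 0:
        return False
    return second is None or second in body[j + len(first):]

def match_screenshot(raw: bytes) -> bool:
    return match_upload(raw, b'filename="screenshot_', b'.jpeg"')

def match_systeminfo(raw: bytes) -> bool:
    return match_upload(raw, b'filename="system.info"')

# Constructed sample traffic (not real captures); example.invalid is a placeholder.
IP_REQ = b"GET /gate.php?action=getIP HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SHOT_REQ = (b"POST /gate.php?action=upload&host=user@HOST HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Content-Type: multipart/form-data; boundary=x\r\n\r\n"
            b'--x\r\nContent-Disposition: form-data; name="f"; filename="screenshot_1.jpeg"\r\n\r\n..')
# A browser-style request to the same URI carries User-Agent and must not match.
BROWSER_REQ = (b"GET /gate.php?action=getIP HTTP/1.1\r\nHost: example.invalid\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n")
```

Feeding a request that carries any of the three negated headers through these functions shows why the header-absence clauses, not the URI strings alone, keep the rules from firing on ordinary browser traffic.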

