[Emerging-Sigs] Info Stealer signature

Tushar Bhatia tushar1988 at gmail.com
Thu Oct 31 23:37:07 HDT 2019


Hi

Please consider another sig I wrote during Suricon 2019 Threat Hunting
Training - for an unknown info stealer mentioned in
https://twitter.com/James_inthe_box/status/1187689326353600512

alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"ET MALWARE Info Stealer Traffic Detected"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"/api.php"; http_uri; \
    content:!"Accept"; http_header; \
    content:!"Referer"; http_header; \
    content:"logs=eyAibG9nIjoi"; http_client_body; depth:17; fast_pattern; \
    classtype:trojan-activity; \
    metadata:protocols http, protocols tcp, malware post-infection, infected src_ip, hostile dest_ip, attack_target client; \
    reference:md5,fb00643ca89ccde719775787fd1b9d44; \
    sid:100001; rev:1;)
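The match conditions this rule expresses, as an added Python check that is not part of the original post or of the ET ruleset, run over two constructed requests (the hostnames and bodies are made up); it also decodes the base64 fragment the rule anchors on so the reader can see what the stealer's form body begins with.

```python
import base64

# The 17-byte body prefix the rule matches with depth:17 (so it must sit at offset 0).
BODY_PREFIX = b"logs=eyAibG9nIjoi"


def decode_prefix(prefix: bytes = BODY_PREFIX) -> str:
    """Return the plaintext that the base64 after 'logs=' decodes to."""
    b64 = prefix.split(b"=", 1)[1]
    return base64.b64decode(b64).decode()


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, header_block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _ = request_line.split(b" ", 2)
    return method, uri, header_block, body


def matches_rule(raw: bytes) -> bool:
    """Mirror the rule's content tests on one request; True means it would alert."""
    method, uri, header_block, body = parse_request(raw)
    if method != b"POST":              # content:"POST"; http_method;
        return False
    if b"/api.php" not in uri:         # content:"/api.php"; http_uri;
        return False
    # content:!"Accept"; http_header; is a negated *substring* test over the whole
    # header buffer, so a request carrying only Accept-Language is excluded too;
    # the same holds for "Referer". Case-sensitive, since the rule has no nocase.
    if b"Accept" in header_block or b"Referer" in header_block:
        return False
    # content:"logs=eyAibG9nIjoi"; http_client_body; depth:17;
    return body.startswith(BODY_PREFIX)


# Constructed sample traffic (not captured data): one request shaped like the
# stealer's beacon, and one ordinary form post to the same URI that carries Accept.
HIT = (b"POST /api.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
       b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
       b"logs=eyAibG9nIjoiYWJjIiB9")
MISS = (b"POST /api.php HTTP/1.1\r\nHost: www.example.invalid\r\n"
        b"Accept: */*\r\nReferer: https://www.example.invalid/\r\n\r\n"
        b"logs=eyAibG9nIjoiYWJjIiB9")

if __name__ == "__main__":
    print("prefix decodes to:", decode_prefix())
    print("HIT matches:", matches_rule(HIT), "| MISS matches:", matches_rule(MISS))
```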