alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT? HTTP Checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:>100; content:"w-form-urlencoded|0d 0a 0d 0a|"; fast_pattern; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/U"; http_header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a 0d 0a|"; depth:60; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; flowbits:set,ET.Anunanak.HTTP.2; metadata: former_category TROJAN; reference:url,www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf; reference:md5,cd22fa7c9d9e61b4aeac6acd10790d10; reference:md5,82332d2a0cf8330f8de608865508713d; classtype:trojan-activity; sid:2020029; rev:3; metadata:created_at 2014_12_22, updated_at 2019_07_31;)

Added 2019-07-31 18:45:26 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT? HTTP Checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:>100; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Connection|3a|"; http_header; content:"Host|3a|"; depth:5; http_header; content:"w-form-urlencoded|0d 0a 0d 0a|"; fast_pattern:only; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/U"; pcre:"/^Host\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{4}\r\nContent-Type\x3a\x20application\/x-www-form-urlencoded\r\n(?:\r\n)?$/Hmi"; flowbits:set,ET.Anunanak.HTTP.2; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020029; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

Added 2018-09-13 19:50:11 UTC


Added 2018-09-13 17:59:30 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT? HTTP Checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:>100; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Connection|3a|"; http_header; content:"Host|3a|"; depth:5; http_header; content:"w-form-urlencoded|0d 0a 0d 0a|"; fast_pattern:only; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/U"; pcre:"/^Host\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{4}\r\nContent-Type\x3a\x20application\/x-www-form-urlencoded\r\n(?:\r\n)?$/Hmi"; flowbits:set,ET.Anunanak.HTTP.2; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020029; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

Added 2017-08-07 21:14:25 UTC


Topic revision: r1 - 2019-07-31 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats