# ET TROJAN Win32.Chroject.B - sid:2020746 rev:9, listing with updated_at 2020_11_05.
# The rule body is identical to the rev:9 listing dated 2020-03-06 on this page; only the
# updated_at metadata differs.
# Fires on an outbound HTTP GET (to_server, established) when all of the following hold:
#   - the normalized URI contains no "." anywhere and begins with "/en-us/" (depth:7);
#   - everything after "/en-us/" (the pcre uses the R modifier, so "^" anchors at the end of the
#     previous match) is a base64 string ending in "=" or "==" padding;
#   - the URI does not contain "/im/";
#   - no Referer header is present (negated match on the http_header_names buffer);
#   - the request start (http_start) contains "= HTTP/1.1\r\nAccept: */*\r\n", i.e. the request
#     line ends in "=" and "Accept: */*" is the first header. This literal is the fast_pattern.
# Coverage caveat: both the pcre and the fast-pattern literal require trailing "=" padding, so an
# encoded path whose base64 needs no padding is not matched by this revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"."; http_uri; content:"/en-us/"; depth:7; http_uri; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/UR"; content:!"/im/"; http_uri; http_header_names; content:!"Referer|0d 0a|"; http_start; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:9; metadata:created_at 2015_03_25, updated_at 2020_11_05;)

Added 2020-11-05 18:35:56 UTC


# ET TROJAN Win32.Chroject.B - sid:2020746 rev:9, listing with updated_at 2020_03_06.
# Compared with rev:8 this revision: replaces the raw "Referer:" header check with a negated match
# on the http_header_names buffer, anchors the base64 pcre relative to the "/en-us/" match (R
# modifier) instead of matching the whole URI, and moves the request-line literal onto the
# http_start buffer.
# Conditions, all required: outbound established GET; normalized URI has no "." and begins with
# "/en-us/" (depth:7); the rest of the URI is base64 ending in "=" or "=="; URI does not contain
# "/im/"; no Referer header; http_start contains "= HTTP/1.1\r\nAccept: */*\r\n" (fast_pattern).
# Coverage caveat: the pcre and the fast-pattern literal both require "=" padding at the end of
# the encoded path, so unpadded base64 is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"."; http_uri; content:"/en-us/"; depth:7; http_uri; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/UR"; content:!"/im/"; http_uri; http_header_names; content:!"Referer|0d 0a|"; http_start; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:9; metadata:created_at 2015_03_25, updated_at 2020_03_06;)

Added 2020-03-06 18:55:21 UTC


# ET TROJAN Win32.Chroject.B - sid:2020746 rev:8 (listing added 2018-09-13 19:50:50 UTC).
# Rule text is identical to the rev:8 listing dated 2017-08-07 on this page.
# Conditions, all required on an outbound established GET:
#   - the http_header buffer does not contain "Referer:";
#   - the normalized URI contains no "." and begins with "/en-us/" (depth:7);
#   - the raw payload (no buffer modifier) contains "= HTTP/1.1\r\nAccept: */*\r\n" (fast_pattern);
#   - the whole normalized URI matches /^\/en-us\/<base64>(==|=)$/, i.e. the path after "/en-us/"
#     is base64 with "=" or "==" padding;
#   - the URI does not contain "/im/".
# Coverage caveat: trailing "=" padding is required by both the pcre and the fast-pattern literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/en-us/"; depth:7; http_uri; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; pcre:"/^\/en-us\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; content:!"/im/"; http_uri; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:8; metadata:created_at 2015_03_25, updated_at 2015_03_25;)

Added 2018-09-13 19:50:50 UTC


Added 2018-09-13 17:59:52 UTC


# ET TROJAN Win32.Chroject.B - sid:2020746 rev:8 (listing added 2017-08-07 21:15:18 UTC).
# Same rule body as the rev:8 listing added 2017-07-19 on this page, plus created_at/updated_at
# metadata.
# Conditions, all required on an outbound established GET: no "Referer:" in the http_header
# buffer; normalized URI has no "." and begins with "/en-us/" (depth:7); raw payload contains
# "= HTTP/1.1\r\nAccept: */*\r\n" (fast_pattern); whole URI matches
# /^\/en-us\/<base64>(==|=)$/; URI does not contain "/im/".
# Coverage caveat: "=" padding at the end of the encoded path is required.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/en-us/"; depth:7; http_uri; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; pcre:"/^\/en-us\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; content:!"/im/"; http_uri; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:8; metadata:created_at 2015_03_25, updated_at 2015_03_25;)

Added 2017-08-07 21:15:18 UTC


# ET TROJAN Win32.Chroject.B - sid:2020746 rev:8 (listing added 2017-07-19 17:15:22 UTC, no
# metadata keyword yet).
# Compared with rev:7 this revision narrows the locale prefix: the URI must begin with the literal
# "/en-us/" (depth:7) and the pcre is anchored on "^\/en-us\/" instead of /[a-z]{2}(-[a-z]{2})?/.
# Conditions, all required on an outbound established GET: no "Referer:" in the http_header
# buffer; normalized URI has no "." and begins with "/en-us/"; raw payload contains
# "= HTTP/1.1\r\nAccept: */*\r\n" (fast_pattern); whole URI matches
# /^\/en-us\/<base64>(==|=)$/; URI does not contain "/im/".
# Coverage caveat: "=" padding at the end of the encoded path is required.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/en-us/"; depth:7; http_uri; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; pcre:"/^\/en-us\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; content:!"/im/"; http_uri; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:8;)

Added 2017-07-19 17:15:22 UTC


# ET TROJAN Win32.Chroject.B - sid:2020746 rev:7.
# Compared with rev:6 this revision changes the first path segment from /[a-z_-]+/ to a two-letter
# code with an optional "-xx" region (/^\/[a-z]{2}(?:-[a-z]{2})?\//) and swaps the negated URI
# exclusion from "/open/" to "/im/".
# Conditions, all required on an outbound established GET:
#   - the http_header buffer does not contain "Referer:";
#   - the normalized URI contains no "." and has a "/" at byte 1 or later (offset:1), which the
#     pcre below also requires;
#   - the raw payload contains "= HTTP/1.1\r\nAccept: */*\r\n" (fast_pattern);
#   - the whole URI matches /^\/[a-z]{2}(?:-[a-z]{2})?\/<base64>(==|=)$/;
#   - the URI does not contain "/im/".
# Coverage caveat: "=" padding at the end of the encoded path is required.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:1; http_uri; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; pcre:"/^\/[a-z]{2}(?:-[a-z]{2})?\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; content:!"/im/"; http_uri; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:7;)

Added 2015-05-26 18:58:03 UTC


# ET TROJAN Win32.Chroject.B - sid:2020746 rev:6.
# Compared with rev:5 this revision drops the negated Host header match (ea.postmarkapp.com) and
# instead excludes any normalized URI containing "/open/".
# Conditions, all required on an outbound established GET:
#   - the http_header buffer does not contain "Referer:";
#   - the normalized URI contains no "." and has a "/" at byte 1 or later (offset:1);
#   - the raw payload contains "= HTTP/1.1\r\nAccept: */*\r\n" (fast_pattern);
#   - the whole URI matches /^\/[a-z_-]+\/<base64>(==|=)$/ - one lowercase/underscore/hyphen path
#     segment followed by base64 with "=" or "==" padding;
#   - the URI does not contain "/open/".
# Coverage caveat: "=" padding at the end of the encoded path is required.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:1; http_uri; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; pcre:"/^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; content:!"/open/"; http_uri; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:6;)

Added 2015-05-19 17:17:28 UTC


# ET TROJAN Win32.Chroject.B - sid:2020746 rev:5.
# Compared with rev:4 this revision adds a negated http_header match on
# "Host: ea.postmarkapp.com\r\n", presumably a false-positive exclusion (rev:6 replaces it with a
# URI-based exclusion).
# Conditions, all required on an outbound established GET:
#   - the http_header buffer contains neither "Referer:" nor "Host: ea.postmarkapp.com\r\n";
#   - the normalized URI contains no "." and has a "/" at byte 1 or later (offset:1);
#   - the raw payload contains "= HTTP/1.1\r\nAccept: */*\r\n" (fast_pattern);
#   - the whole URI matches /^\/[a-z_-]+\/<base64>(==|=)$/.
# Coverage caveat: "=" padding at the end of the encoded path is required.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:1; http_uri; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; pcre:"/^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; content:!"Host|3a 20|ea.postmarkapp.com|0d 0a|"; http_header; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:5;)

Added 2015-05-15 19:25:10 UTC


# ET TROJAN Win32.Chroject.B - sid:2020746 rev:4.
# The only change from rev:3 is that the request-line literal is explicitly marked fast_pattern.
# Conditions, all required on an outbound established GET:
#   - the http_header buffer does not contain "Referer:";
#   - the normalized URI contains no "." and has a "/" at byte 1 or later (offset:1);
#   - the raw payload contains "= HTTP/1.1\r\nAccept: */*\r\n" (fast_pattern);
#   - the whole URI matches /^\/[a-z_-]+\/<base64>(==|=)$/.
# No exclusions in this revision. Coverage caveat: "=" padding at the end of the encoded path is
# required by both the pcre and the fast-pattern literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:1; http_uri; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; pcre:"/^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:4;)

Added 2015-03-27 19:40:04 UTC


# ET TROJAN Win32.Chroject.B - sid:2020746 rev:3 (earliest revision on this page).
# No fast_pattern keyword is set, so the engine chooses the prefilter content itself.
# Conditions, all required on an outbound established GET:
#   - the http_header buffer does not contain "Referer:";
#   - the normalized URI contains no "." and has a "/" at byte 1 or later (offset:1);
#   - the raw payload contains "= HTTP/1.1\r\nAccept: */*\r\n";
#   - the whole URI matches /^\/[a-z_-]+\/<base64>(==|=)$/ - one lowercase/underscore/hyphen path
#     segment followed by base64 with "=" or "==" padding.
# Coverage caveat: "=" padding at the end of the encoded path is required.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:1; http_uri; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; pcre:"/^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:3;)

Added 2015-03-25 20:08:30 UTC

