# sid:2021321 rev:3 (updated 2019-10-22) -- Gozi/Ursnif/Papras retrieving its FTP-credential grabber module.
# Fires on an established outbound GET from $HOME_NET whose normalized URI is exactly
# /download/ftp/grabftp.bin or /download/ftp/grabftp64.bin: the two http_uri contents are the
# prefilter (fast_pattern on the path), the anchored pcre (/U = URI buffer) enforces the exact path
# and rejects any extra path component or query string.
# The User-Agent content decodes to "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)",
# 62 bytes; depth:62 therefore requires it at offset 0 of the http_user_agent buffer (nothing may
# precede it, trailing bytes are allowed). Rev 3 moved this match from the raw http_header buffer
# (rev 2) to the dedicated UA buffer, which is Suricata-specific syntax.
# The two negated http_header contents require that no Referer: and no Accept: header be present;
# presumably the implant's downloader omits them -- a variant that adds either header will not fire.
# reference:md5 is the sample the rule was written from. Any change to the rule body must bump rev.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; content:"GET"; http_method; content:"/download/ftp/grabftp"; http_uri; fast_pattern; content:".bin"; http_uri; pcre:"/^\/download\/ftp\/(grabftp|grabftp64)\.bin$/U"; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Win64|3b 20|x64)"; http_user_agent; depth:62; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:3; metadata:created_at 2015_06_23, updated_at 2019_10_22;)

Added 2019-10-22 19:03:21 UTC


# sid:2021321 rev:2 (2015-06-23, metadata keyword added 2018-09-13) -- earlier revision of the
# Gozi/Ursnif/Papras grabftp module download rule.
# Same URI logic as rev 3: http_uri prefilter contents plus an anchored pcre (/U) that accepts only
# /download/ftp/grabftp.bin or /download/ftp/grabftp64.bin. fast_pattern:9,12 hands the 12 bytes of
# the first content starting at offset 9, i.e. "/ftp/grabftp", to the multi-pattern matcher.
# The User-Agent is matched in the raw http_header buffer together with the header name: the content
# decodes to "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"; there is
# no depth, so it may sit anywhere in the header block. The negated http_header contents require
# that no Referer: and no Accept: header be present.
# Superseded by rev 3, which moved the UA check to the http_user_agent buffer with depth:62.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; content:"GET"; http_method; content:"/download/ftp/grabftp"; http_uri; fast_pattern:9,12; content:".bin"; http_uri; pcre:"/^\/download\/ftp\/(grabftp|grabftp64)\.bin$/U"; content:"User-Agent|3A| Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b| Windows NT 6.1|3b 20|Win64|3B| x64)"; http_header; content:!"Referer|3A|"; http_header; content:!"Accept|3A|"; http_header; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:2; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

Added 2018-09-13 19:51:23 UTC


Added 2018-09-13 18:00:11 UTC


# sid:2021321 rev:2 as listed 2018-09-13 -- identical rule body to the entry above (metadata
# keyword present, rule logic unchanged from the 2015 original).
# Detection: outbound GET with URI exactly /download/ftp/grabftp.bin or /download/ftp/grabftp64.bin
# (http_uri prefilter + anchored /U pcre), a raw-header match for
# "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)" with no depth
# constraint, and the absence of both Referer: and Accept: headers.
# fast_pattern:9,12 = the substring "/ftp/grabftp" of the first http_uri content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; content:"GET"; http_method; content:"/download/ftp/grabftp"; http_uri; fast_pattern:9,12; content:".bin"; http_uri; pcre:"/^\/download\/ftp\/(grabftp|grabftp64)\.bin$/U"; content:"User-Agent|3A| Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b| Windows NT 6.1|3b 20|Win64|3B| x64)"; http_header; content:!"Referer|3A|"; http_header; content:!"Accept|3A|"; http_header; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:2; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

Added 2017-08-07 21:16:00 UTC


# sid:2021321 rev:2 -- initial publication (2015-06-23); same rule body as the later rev:2 entries
# except that it carries no metadata keyword.
# Detection: established outbound GET whose normalized URI is exactly /download/ftp/grabftp.bin or
# /download/ftp/grabftp64.bin (two http_uri contents as prefilter, fast_pattern:9,12 selecting
# "/ftp/grabftp", anchored /U pcre enforcing the exact path); raw http_header content decoding to
# "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)" with no depth; and
# negated http_header contents requiring that no Referer: and no Accept: header be present.
# reference:md5 identifies the sample the rule was derived from.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; content:"GET"; http_method; content:"/download/ftp/grabftp"; http_uri; fast_pattern:9,12; content:".bin"; http_uri; pcre:"/^\/download\/ftp\/(grabftp|grabftp64)\.bin$/U"; content:"User-Agent|3A| Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b| Windows NT 6.1|3b 20|Win64|3B| x64)"; http_header; content:!"Referer|3A|"; http_header; content:!"Accept|3A|"; http_header; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:2;)

Added 2015-06-23 14:09:43 UTC

