# sid:2021830 rev:3 -- alerts on an outbound HTTP POST shaped like a multipart upload of a ".bin" file.
# Conditions, in rule order:
#   - flow:established,to_server + urilen:>125: a client request whose URI is longer than 125 bytes.
#   - content:!"Accept" / content:!"Referer|3a|" on http_header: the negated "Accept" is an unanchored
#     substring test, so a request carrying Accept-Encoding or Accept-Language is excluded as well.
#   - http_client_body contains name="upload_file"; filename=" (the fast_pattern), followed by .bin"<CR><LF>.
#     distance:4 with within:7 on a 7-byte pattern appears to pin the filename stem to 4 bytes --
#     NOTE(review): confirm against the distance/within semantics of the engine in use.
#   - pcre /\.[a-z]{3,4}$/U: the normalized URI ends in a dot plus 3-4 lowercase letters.
# Triage notes: msg reads "CnC?", i.e. the attribution is worded as tentative, and the only sample
# reference is one md5. The rule inspects the HTTP request itself, so it has nothing to match when the
# same exchange is carried inside TLS that the sensor does not decrypt.
# This snapshot sets created_at 2015_09_24 where the entry below it on this page has 2015_09_23; rev is
# unchanged, so the two texts are not distinguishable by sid:rev alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Data Exfil"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; pcre:"/\.[a-z]{3,4}$/U"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:3; metadata:created_at 2015_09_24, former_category MALWARE, updated_at 2020_06_01;)

Added 2021-09-21 20:00:21 UTC


# sid:2021830 rev:3 snapshot: outbound HTTP POST, URI longer than 125 bytes and ending in .<3-4 lowercase
# letters>, no "Accept" substring and no "Referer:" in the headers, and a multipart body field
# name="upload_file" whose filename ends in .bin.
# In this snapshot created_at, former_category and updated_at all sit in one trailing metadata keyword.
# Metadata is descriptive only: no detection option differs from the other rev:3 texts on this page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Data Exfil"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; pcre:"/\.[a-z]{3,4}$/U"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:3; metadata:created_at 2015_09_23, former_category MALWARE, updated_at 2020_06_01;)

Added 2020-08-05 19:11:40 UTC


# sid:2021830 rev:3 snapshot: outbound HTTP POST with a long URI (urilen:>125), no "Accept" substring
# and no "Referer:" header, carrying a multipart field name="upload_file" with a .bin filename.
# The rule has two metadata keywords: "former_category MALWARE" in mid-rule and created_at/updated_at
# at the end. NOTE(review): a parser that keeps only one metadata option per rule would drop one of
# them -- confirm how your rule-management tooling handles repeated metadata keywords.
# updated_at is 2020_06_01 here while rev stays 3.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Data Exfil"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; pcre:"/\.[a-z]{3,4}$/U"; metadata: former_category MALWARE; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:3; metadata:created_at 2015_09_23, updated_at 2020_06_01;)

Added 2020-06-01 20:08:38 UTC


# sid:2021830 rev:3 snapshot: same detection options as the other rev:3 texts on this page (POST,
# urilen:>125, negated Accept/Referer header checks, upload_file multipart field with a .bin filename,
# URI ending in .<3-4 lowercase letters>).
# This is the first text on the page that carries "metadata: former_category MALWARE", added as a
# separate metadata keyword ahead of the reference option.
# updated_at still reads 2015_09_23 although the rule text changed, so updated_at is not a reliable
# change indicator for this snapshot.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Data Exfil"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; pcre:"/\.[a-z]{3,4}$/U"; metadata: former_category MALWARE; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:3; metadata:created_at 2015_09_23, updated_at 2015_09_23;)

Added 2019-09-19 19:26:29 UTC


# sid:2021830 rev:3 snapshot: outbound HTTP POST whose body declares a multipart field
# name="upload_file" with a filename ending in .bin, sent with a URI longer than 125 bytes and with
# neither an "Accept" substring nor a "Referer:" header present.
# Metadata here is limited to created_at and updated_at, both 2015_09_23.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Data Exfil"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; pcre:"/\.[a-z]{3,4}$/U"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:3; metadata:created_at 2015_09_23, updated_at 2015_09_23;)

Added 2018-09-13 19:51:44 UTC


Added 2018-09-13 18:00:24 UTC


# sid:2021830 rev:3 snapshot: first text on this page to carry a metadata keyword (created_at and
# updated_at, both 2015_09_23). The detection options are the POST / urilen:>125 / negated
# Accept and Referer / upload_file ".bin" multipart body / URI-extension pcre combination.
# The http_client_body match on name="upload_file"; filename=" is the fast_pattern, so that string is
# what the prefilter keys on before the remaining options are evaluated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Data Exfil"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; pcre:"/\.[a-z]{3,4}$/U"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:3; metadata:created_at 2015_09_23, updated_at 2015_09_23;)

Added 2017-08-07 21:16:35 UTC


# sid:2021830 rev:3 snapshot with msg "... Data Exfil" and no metadata keyword.
# Detection: outbound HTTP POST, URI longer than 125 bytes and ending in .<3-4 lowercase letters>,
# headers without any "Accept" substring or "Referer:", body with name="upload_file"; filename="
# followed by a .bin filename.
# The entry below this one on the page has the same sid:2021830 and rev:3 but msg "... Beacon 5", so
# the msg text changed without a rev bump; alert pipelines keyed on msg will see two names for one sid:rev.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Data Exfil"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; pcre:"/\.[a-z]{3,4}$/U"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:3;)

Added 2015-10-05 19:05:53 UTC


# sid:2021830 rev:3, earliest rev:3 text on this page; msg still reads "... Beacon 5".
# Detection moved from request-line and header fingerprints to the request body: it requires the
# multipart field name="upload_file"; filename=" (fast_pattern) followed by a filename ending in
# .bin"<CR><LF>, on a POST with urilen:>125, no "Accept" substring and no "Referer:" in the headers,
# and a normalized URI ending in .<3-4 lowercase letters> (pcre with the U modifier).
# Unlike the rev:2 text below it, this rule has no User-Agent or ".bmp" condition.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Beacon 5"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; pcre:"/\.[a-z]{3,4}$/U"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:3;)

Added 2015-09-24 18:55:09 UTC


# sid:2021830 rev:2 -- header/request-line fingerprint of an outbound HTTP POST to a ".bmp" URI.
# Conditions, in rule order:
#   - flow:established,to_server + urilen:>125, POST method, ".bmp" somewhere in http_uri.
#   - http_header has no "Accept" substring (this also excludes Accept-Encoding / Accept-Language)
#     and no "Referer:".
#   - The User-Agent content is 64 bytes long and is limited by depth:64, so it only matches when
#     "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" is the first header line.
#   - "Connection: Keep-Alive<CR><LF>" with distance:0 must occur somewhere after that User-Agent match.
#   - ".bmp HTTP/1.1<CR><LF>User-" has no http_* modifier, so it is matched against the raw request;
#     it ties the URI ending to the HTTP/1.1 request line and is the fast_pattern:only prefilter string.
# The match depends on one exact User-Agent string and on header order, both of which the sending
# client chooses; this text contains no request-body condition.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Beacon 5"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:".bmp"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|"; depth:64; http_header; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; content:".bmp|20|HTTP/1.1|0d 0a|User-"; fast_pattern:only; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:2;)

Added 2015-09-23 18:25:20 UTC


