alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/ProtonBot Stealer Activity"; flow:established,to_server; content:"GET"; http_method; content:".php?id="; http_uri; content:"-"; http_uri; distance:8; within:1; content:"-"; http_uri; distance:4; within:1; content:"-"; http_uri; distance:4; within:1; content:"-"; http_uri; distance:4; within:1; content:"&clip=get"; http_uri; distance:12; within:9; isdataat:!1,relative; content:"Proton Browser"; http_user_agent; fast_pattern; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:trojan-activity; sid:2027383; rev:1; metadata:created_at 2019_05_28, malware_family ProtonBot?, updated_at 2019_05_28;)

Added 2019-05-28 19:09:21 UTC


Topic revision: r1 - 2019-05-28 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats