alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Agent.TRM Data Exfil (sysinfo)"; flow:established,to_server; content:"POST"; http_method; content:"dkv="; http_cookie; depth:4; content:"|3b|YSC="; http_cookie; distance:32; within:5; pcre:"/^dkv=[a-f0-9]{32}\x3bYSC=\d+$/C"; content:"DQpIb3N0IE5hbWU6"; http_client_body; depth:16; fast_pattern; http_header_names; content:!"Referer"; content:!"Content-Type"; content:"|0d 0a|Cookie|0d 0a|"; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; reference:url,twitter.com/w3ndige/status/1247547923845578755; classtype:trojan-activity; sid:2029855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_12_31;)

Added 2020-12-31 17:54:22 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Agent.TRM Data Exfil (sysinfo)"; flow:established,to_server; content:"POST"; http_method; content:"dkv="; http_cookie; depth:4; content:"|3b|YSC="; http_cookie; distance:32; within:5; pcre:"/^dkv=[a-f0-9]{32}\x3bYSC=\d+$/C"; content:"DQpIb3N0IE5hbWU6"; http_client_body; depth:16; fast_pattern; http_header_names; content:!"Referer"; content:!"Content-Type"; content:"|0d 0a|Cookie|0d 0a|"; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; reference:url,twitter.com/w3ndige/status/1247547923845578755; classtype:trojan-activity; sid:2029855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_09;)

Added 2020-08-05 19:17:56 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Agent.TRM Data Exfil (sysinfo)"; flow:established,to_server; content:"POST"; http_method; content:"dkv="; http_cookie; depth:4; content:"|3b|YSC="; http_cookie; distance:32; within:5; pcre:"/^dkv=[a-f0-9]{32}\x3bYSC=\d+$/C"; content:"DQpIb3N0IE5hbWU6"; http_client_body; depth:16; fast_pattern; http_header_names; content:!"Referer"; content:!"Content-Type"; content:"|0d 0a|Cookie|0d 0a|"; metadata: former_category MALWARE; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; reference:url,twitter.com/w3ndige/status/1247547923845578755; classtype:trojan-activity; sid:2029855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, created_at 2020_04_09, updated_at 2020_04_09;)

Added 2020-04-09 18:49:51 UTC


Topic revision: r1 - 2020-12-31 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats