alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata:) metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025392; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_26, malware_family QRat, updated_at 2018_03_06;)

Added 2018-04-10 17:13:27 UTC


alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|01 00 ed 7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025392; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_26, malware_family QRat, updated_at 2018_03_06;)

Added 2018-03-06 17:52:12 UTC


alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|01 00 ed 7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025392; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_26, updated_at 2018_02_26;)

Added 2018-02-26 16:24:30 UTC


Topic revision: r1 - 2018-04-10 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats