alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN FormerFirstRAT? HTTP POST CnC? Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322)"; http_user_agent; depth:69; isdataat:!1,relative; fast_pattern; content:"|3a|443|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; metadata: former_category MALWARE; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020926; rev:4; metadata:created_at 2015_04_15, updated_at 2019_10_11;)

Added 2019-10-11 19:56:38 UTC


alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN FormerFirstRAT? HTTP POST CnC? Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|3b| .NET CLR 1.1.4322)|0d 0a|"; http_header; fast_pattern:63,20; content:"|3a|443|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; metadata: former_category MALWARE; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020926; rev:3; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

Added 2019-09-19 19:26:19 UTC


alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN FormerFirstRAT? HTTP POST CnC? Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|3b| .NET CLR 1.1.4322)|0d 0a|"; http_header; fast_pattern:63,20; content:"|3a|443|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020926; rev:3; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

Added 2018-09-13 19:51:02 UTC


Added 2018-09-13 17:59:58 UTC


alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN FormerFirstRAT? HTTP POST CnC? Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|3b| .NET CLR 1.1.4322)|0d 0a|"; http_header; fast_pattern:63,20; content:"|3a|443|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020926; rev:3; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

Added 2017-08-07 21:15:32 UTC


alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN FormerFirstRAT? HTTP POST CnC? Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|3b| .NET CLR 1.1.4322)|0d 0a|"; http_header; fast_pattern:63,20; content:"|3a|443|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020926; rev:3;)

Added 2015-04-15 21:01:48 UTC


Topic revision: r1 - 2019-10-11 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats