alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PLATINUM Steganographic HTTP Response Page Inbound"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|3c 21|--1234567890--"; fast_pattern; content:"|3c|td|20|bgcolor=|22|"; distance:0; content:"|3c|td|20|align=|22|"; distance:0; content:"|20 20 20 20 09|"; distance:0; content:"|20 20 20 20|"; distance:0; content:"--1234567890--|3e|"; distance:0; metadata: former_category TROJAN; reference:url,; classtype:trojan-activity; sid:2027434; rev:2; metadata:tag T1001, tag data_obfuscation, tag T1140, tag deobfuscate_decode_payload, created_at 2019_06_05, malware_family PLATINUM, updated_at 2019_06_05;)

Added 2019-06-05 17:46:25 UTC

Topic revision: r1 - 2019-06-05 - TWikiGuest
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats