Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- alert tcp any any -> any $HTTP_PORTS (msg:"ChaseBot Detected"; flow:to_server,established; content:"btc=ChaseLogBAD"; http_uri; depth:30; classtype:trojan-activity; sid:20166289; rev:1; metadata:created_at 2019_03_24;)
- rule Chasebot_bin
- {
- meta:
- description = "Chasebot Brute Forcer"
- author = "James_inthe_box"
- reference = "https://app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e"
- date = "2019/03"
- maltype = "Bruteforce"
- strings:
- $string1 = "&auth_passwd=" wide
- $string2 = "&auth_passwd_org" wide
- $string3 = "temp.txt" wide
- $string4 = "get_Cookies"
- $string5 = "set_Cookies"
- $string6 = "DownloadFile"
- condition:
- uint16(0) == 0x5A4D and all of ($string*) and filesize < 500KB
- }
- rule Chasebot_mem
- {
- meta:
- description = "Chasebot Brute Forcer"
- author = "James_inthe_box"
- reference = "https://app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e"
- date = "2019/03"
- maltype = "Bruteforce"
- strings:
- $string1 = "&auth_passwd=" wide
- $string2 = "&auth_passwd_org" wide
- $string3 = "temp.txt" wide
- $string4 = "get_Cookies"
- $string5 = "set_Cookies"
- $string6 = "DownloadFile"
- condition:
- all of ($string*) and filesize > 500KB
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement