Chasebot

1. alert tcp any any -> any $HTTP_PORTS (msg:"ChaseBot Detected"; flow:to_server,established; content:"btc=ChaseLogBAD"; http_uri; depth:30; classtype:trojan-activity; sid:20166289; rev:1; metadata:created_at 2019_03_24;)
2.  
3. rule Chasebot_bin
4. {
5. meta:
6. description = "Chasebot Brute Forcer"
7. author = "James_inthe_box"
8. reference = "https://app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e"
9. date = "2019/03"
10. maltype = "Bruteforce"
11.  
12. strings:
13. $string1 = "&auth_passwd=" wide
14. $string2 = "&auth_passwd_org" wide
15. $string3 = "temp.txt" wide
16. $string4 = "get_Cookies"
17. $string5 = "set_Cookies"
18. $string6 = "DownloadFile"
19.  
20. condition:
21. uint16(0) == 0x5A4D and all of ($string*) and filesize < 500KB
22. }
23.  
24. rule Chasebot_mem
25. {
26. meta:
27. description = "Chasebot Brute Forcer"
28. author = "James_inthe_box"
29. reference = "https://app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e"
30. date = "2019/03"
31. maltype = "Bruteforce"
32.  
33. strings:
34. $string1 = "&auth_passwd=" wide
35. $string2 = "&auth_passwd_org" wide
36. $string3 = "temp.txt" wide
37. $string4 = "get_Cookies"
38. $string5 = "set_Cookies"
39. $string6 = "DownloadFile"
40.  
41. condition:
42. all of ($string*) and filesize > 500KB
43. }