James_inthe_box

Keylogger - HTTPTool snort suricata yara

Mar 14th, 2020
HTTPTool snort / suricata:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTPTool User-Agent"; flow:established,to_server; content:"User-Agent|3a| HTTPTool|2f|"; http_header; reference:md5,6526946c39fd53dd813a8a206446e491; classtype:trojan-activity; sid:20166318; rev:1; metadata:created_at 2020_03_14;)

yara
rule unknownkeylogger3_bin
{
    meta:
        description = "unknownkeylogger3"
        author = "James_inthe_box"
        reference = "https://app.any.run/tasks/e29ad71c-c2ce-44b6-bf2a-96bad4ad319a"
        date = "2020/3"
        maltype = "Keylogger"

    strings:
        $string1 = "Mngr.dll" ascii wide
        $string2 = "MyFunction" ascii wide
        $string3 = "e_tr10_" ascii wide
        $string4 = "%s%03u_%01u" ascii wide

    condition:
        uint16(0) == 0x5A4D and 3 of ($string*) and filesize < 800KB
}

rule unknownkeylogger3_mem
{
    meta:
        description = "unknownkeylogger3"
        author = "James_inthe_box"
        reference = "https://app.any.run/tasks/e29ad71c-c2ce-44b6-bf2a-96bad4ad319a"
        date = "2020/3"
        maltype = "Keylogger"

    strings:
        $string1 = "Mngr.dll" ascii wide
        $string2 = "MyFunction" ascii wide
        $string3 = "e_tr10_" ascii wide
        $string4 = "%s%03u_%01u" ascii wide

    condition:
        3 of ($string*) and filesize > 800KB
}

rule unknownkeylogger3_alt_mem
{
    meta:
        description = "unknownkeylogger3"
        author = "James_inthe_box"
        reference = "https://app.any.run/tasks/e29ad71c-c2ce-44b6-bf2a-96bad4ad319a"
        date = "2020/3"
        maltype = "Keylogger"

    strings:
        $string1 = "?password=" ascii wide
        $string2 = "&directory=" ascii wide
        $string3 = "&command=" ascii wide

    condition:
        all of ($string*) and filesize > 800KB
}

rule httptool_mem
{
    meta:
        description = "httptool"
        author = "James_inthe_box"
        reference = "https://app.any.run/tasks/e29ad71c-c2ce-44b6-bf2a-96bad4ad319a"
        date = "2020/3"
        maltype = "tool"

    strings:
        $string1 = "HTTPTool/" ascii wide

    condition:
        all of ($string*)
}
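Added example, not part of the original paste and not YARA itself: a hand-rolled check that mirrors the unknownkeylogger3_bin and unknownkeylogger3_mem conditions above, to show what "ascii wide", "3 of ($string*)", the uint16(0) MZ test and the 800KB filesize split actually evaluate against a constructed buffer (use yara-python or the yara CLI to run the real rules).

```python
import struct
from typing import Optional

# The four $string values from the rules above.
STRINGS = ["Mngr.dll", "MyFunction", "e_tr10_", "%s%03u_%01u"]
SIZE_SPLIT = 800 * 1024  # YARA's "800KB" means 800 * 1024 bytes

def string_hits(data: bytes) -> set:
    """Strings present either as plain ASCII or as UTF-16LE ("wide")."""
    hits = set()
    for s in STRINGS:
        if s.encode("ascii") in data or s.encode("utf-16-le") in data:
            hits.add(s)
    return hits

def match_rule(data: bytes) -> Optional[str]:
    """Return the name of the rule whose condition the buffer satisfies."""
    if len(string_hits(data)) < 3:          # "3 of ($string*)"
        return None
    # uint16(0) reads the first two bytes little-endian; "MZ" == 0x5A4D
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    if is_mz and len(data) < SIZE_SPLIT:    # _bin: on-disk executable
        return "unknownkeylogger3_bin"
    if len(data) > SIZE_SPLIT:              # _mem: no MZ check, larger dump
        return "unknownkeylogger3_mem"
    return None                             # exactly 800KB matches neither

def build_sample(total_size: int, wide: bool, n_strings: int = 3) -> bytes:
    """Constructed stand-in for a file or memory dump (not real malware):
    an MZ header, filler, and n_strings of the strings in ASCII or UTF-16LE."""
    enc = "utf-16-le" if wide else "ascii"
    body = b"MZ" + b"\x00" * 64
    for s in STRINGS[:n_strings]:
        body += s.encode(enc) + b"\x00\x00"
    return body.ljust(total_size, b"\x00")

if __name__ == "__main__":
    print(match_rule(build_sample(4 * 1024, wide=True)))        # _bin
    print(match_rule(build_sample(900 * 1024, wide=False)))     # _mem
    print(match_rule(build_sample(4 * 1024, wide=True, n_strings=2)))  # None
```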