Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- alert tcp any any -> any $HTTP_PORTS (msg:"Possible New Hancitor Checkin"; flow:established,to_server; content:"POST"; http_method; content:"VER="; http_client_body; content:"&ID="; http_client_body; depth:10; content:"&IP="; http_client_body; reference:md5,8404704c682e0078620d512f66e8a28b; classtype:trojan-activity; sid:20166297; rev:1; metadata:created_at 2017_09_08;)
- rule Possible_new_hancitor_bin
- {
- meta:
- description = "Possible new hancitor"
- author = "James_inthe_box"
- reference = "8e13ba3de370489b2ef72f4c0fe2d6986646783995f6331230d8a14ce1965400"
- date = "2019/07"
- maltype = "Loader"
- strings:
- $string1 = "%02X"
- $string2 = "VER=1&ID=%I64u&IP=%s"
- $string3 = "&DATA="
- $string4 = "\\%hs" wide
- condition:
- uint16(0) == 0x5A4D and all of ($string*) and filesize < 100KB
- }
- rule Possible_new_hancitor_mem
- {
- meta:
- description = "Possible new hancitor"
- author = "James_inthe_box"
- reference = "8e13ba3de370489b2ef72f4c0fe2d6986646783995f6331230d8a14ce1965400"
- date = "2019/07"
- maltype = "Loader"
- strings:
- $string1 = "%02X"
- $string2 = "VER=1&ID=%I64u&IP=%s"
- $string3 = "&DATA="
- $string4 = "\\%hs" wide
- condition:
- all of ($string*) and filesize > 100KB
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement