Hi, having decrypted and detonated this sample that was received at the first stage of delivery,
I noticed some features of the HTTP traffic that can be used for detection. For example, the same user agent and lifetime, and, what is interesting, the use of a capital letter in the content description:
I did not hardcode the port since there is also a request for 8080.
The body of the request now looks slightly different due to the use of substitution encryption, and I always had 102 bytes, the first 32 of which are an MD5 of system information. Previously this was an ID parameter. You can also use it at your discretion.
The proposed rule is as follows:
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] DarkGate Check-In HTTP header"; flow: established, to_server; http.method; content: "POST"; http.header; content: "Keep-Alive: 300"; distance: 0; content: "Connection: keep-alive"; distance: 0; content: "Content-Type: Application/octet-stream"; distance: 0; content: "Content-Length: "; byte_test: 3, >, 40, 0, relative, string, dec; byte_test: 3, <, 750, 0, relative, string, dec; http.header_names; content: "|0d 0a|Host|0d 0a|Keep-Alive|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a 0d 0a|"; startswith; http.user_agent; content: "Mozilla/4.0 (compatible|3b| Synapse)"; bsize: 33; reference: md5,4d26c05426247f7a4f784967c7b0faa2; reference: url,app.any.run/tasks/fb92bcf3-3413-4bca-807a-fb002ac48b18; classtype: command-and-control; sid: 1; rev: 1;)
A colleague just sent me this request; it contains 46 bytes, and of course it matches only the first 32 bytes of the regular expression.
After reviewing the research, I dare to suggest much more content in the data section.
I hope that you will have more traffic to prevent unnecessary checks.
Cheers, Jane (⌐⊙_⊙)
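The checks the rule above performs on the check-in request, re-implemented in Python as an added example so they can be tried against a captured request offline (this is not the poster's code, and the sample request and its body are constructed, not a real capture; the MD5-prefix check reflects the post's note about the body, not the rule):

```python
import re

# Constructed sample request modelled on the headers the rule matches (not a capture).
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 203.0.113.10:8080\r\n"
    b"Keep-Alive: 300\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n"
    b"Content-Type: Application/octet-stream\r\n"
    b"Content-Length: 102\r\n\r\n"
    + b"0123456789abcdef0123456789abcdef" + b"\x01" * 70  # 32 hex chars + 70 filler
)
# Header sequence the rule pins with http.header_names + startswith.
EXPECTED_HEADER_ORDER = ["Host", "Keep-Alive", "Connection", "User-Agent",
                         "Content-Type", "Content-Length"]
MD5_HEX = re.compile(rb"^[0-9a-fA-F]{32}$")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, ordered header list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, headers, body

def matches_darkgate_checkin(raw: bytes) -> bool:
    """Approximate the rule: POST, exact header-name order, Keep-Alive and
    Connection values, the capital-A Content-Type (case-sensitive, like
    Suricata's http.header buffer), 40 < Content-Length < 750, Synapse UA."""
    method, headers, _ = parse_request(raw)
    if method != "POST" or [n for n, _ in headers] != EXPECTED_HEADER_ORDER:
        return False
    h = dict(headers)
    if h["Keep-Alive"] != "300" or h["Connection"] != "keep-alive":
        return False
    if h["Content-Type"] != "Application/octet-stream":  # lowercase must not hit
        return False
    if not h["Content-Length"].isdigit() or not 40 < int(h["Content-Length"]) < 750:
        return False
    return h["User-Agent"] == "Mozilla/4.0 (compatible; Synapse)"  # 33 bytes, as bsize:33

def body_starts_with_md5(raw: bytes) -> bool:
    """The post notes the first 32 body bytes are an MD5 of system info;
    check that the prefix is 32 hex characters (not part of the rule)."""
    return MD5_HEX.match(parse_request(raw)[2][:32]) is not None
```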