DiamotrixClipper

Hi, together with @g0njxa we found a loader (Sniffthem/Tnaket) and a clipper (Diamotrix).

Here are the signatures for the clipper:
URI:

alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] Request a wallet for Diamotrix Clipper (URI)"; \
flow:established,to_server; \
http.method; \
content:"POST"; \
http.uri; \
content:"/api.php?{"; startswith; \
pcre:"/[A-F0-9]{22}\}$/R"; \
http.header_names; \
content:"Host|0d 0a|Pragma|0d 0a|Content-type|0d 0a|Connection|0d 0a|User-Agent|0d 0a 0d 0a|"; \
reference:md5,3c27e63a0c9d27904ff83662519c0d9d; \
reference:url,community.emergingthreats.net/t/diamotrixclipper; \
metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family DiamotrixClipper, tag clipper, created_at 2024_08_30; \
classtype:command-and-control; \
sid:1; rev:1;)

User-Agent:

alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] Request a wallet for Diamotrix Clipper (User-Agent)"; \
flow:established,to_server; \
http.user_agent; \
content:"Diamotrix"; bsize:9; \
http.header_names; \
content:!"Referer|0d 0a|"; \
reference:md5,3c27e63a0c9d27904ff83662519c0d9d; \
reference:url,community.emergingthreats.net/t/diamotrixclipper; \
metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 5902726, malware_family DiamotrixClipper, tag clipper, created_at 2024_08_30; \
classtype:command-and-control; \
sid:2; rev:1;)

Best regards
Jane

3 Likes
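To make concrete what the two rules above actually key on, here is an added Python emulation. It is not part of the original post and not a Suricata component: it builds the http.uri, http.user_agent and http.header_names buffers the way Suricata does (header_names is a leading CRLF, each header name followed by CRLF, and one extra CRLF at the end) from a few constructed requests and applies the rule conditions to them. The requests, the IP address and the 22-character token are made up for illustration; the negated Referer check is evaluated against header names, which is the buffer on which a bare "Referer" followed by CRLF can occur.

```python
import re
from typing import Dict, List, Optional, Tuple

# --- constructed sample traffic (not from the post, not from a real capture) ---

def build_request(uri: str, headers: List[Tuple[str, str]]) -> str:
    """Assemble a raw HTTP/1.1 POST request with the given header order."""
    lines = [f"POST {uri} HTTP/1.1"] + [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"

# Header set and order described by the URI rule's http.header_names content.
BASE_HEADERS = [
    ("Host", "203.0.113.10"),
    ("Pragma", "no-cache"),
    ("Content-type", "application/x-www-form-urlencoded"),
    ("Connection", "Keep-Alive"),
    ("User-Agent", "Diamotrix"),
]
TOKEN = "0123456789ABCDEF012345"  # 22 upper-case hex chars, made up

SAMPLES: Dict[str, str] = {
    # the shape both rules describe
    "clipper_checkin": build_request(f"/api.php?{{{TOKEN}}}", BASE_HEADERS),
    # lower-case token: the pcre is case-sensitive, so only the UA rule fires
    "lowercase_token": build_request(f"/api.php?{{{TOKEN.lower()}}}", BASE_HEADERS),
    # version suffix on the UA defeats bsize:9 but leaves the URI rule intact
    "versioned_ua": build_request(
        f"/api.php?{{{TOKEN}}}", BASE_HEADERS[:-1] + [("User-Agent", "Diamotrix/2.0")]),
    # a Referer header blocks the UA rule; the URI rule's header-name content is an
    # unanchored substring match, so an extra leading header does not stop it
    "with_referer": build_request(
        f"/api.php?{{{TOKEN}}}", [("Referer", "http://203.0.113.10/")] + BASE_HEADERS),
}

# --- minimal request parsing and Suricata-style buffers ---

def parse_request(raw: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Return (method, uri, [(header name, value), ...]) in wire order."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _sep, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, uri, headers

def header_names_buffer(headers: List[Tuple[str, str]]) -> str:
    """Suricata's http.header_names: leading CRLF, name+CRLF each, extra CRLF at end."""
    return "\r\n" + "".join(name + "\r\n" for name, _ in headers) + "\r\n"

def header_value(headers: List[Tuple[str, str]], wanted: str) -> Optional[str]:
    """First value for a header name; names compare case-insensitively as in HTTP."""
    for name, value in headers:
        if name.lower() == wanted.lower():
            return value
    return None

# --- the two rules' match conditions ---

# content:"/api.php?{"; startswith; pcre:"/[A-F0-9]{22}\}$/R"  collapsed into one anchored regex
URI_TOKEN = re.compile(r"\A/api\.php\?\{[A-F0-9]{22}\}\Z")
HEADER_SEQUENCE = "Host\r\nPragma\r\nContent-type\r\nConnection\r\nUser-Agent\r\n\r\n"

def uri_rule_fires(raw: str) -> bool:
    method, uri, headers = parse_request(raw)
    return (method == "POST"
            and URI_TOKEN.match(uri) is not None
            and HEADER_SEQUENCE in header_names_buffer(headers))

def ua_rule_fires(raw: str) -> bool:
    _method, _uri, headers = parse_request(raw)
    ua = header_value(headers, "User-Agent")
    # content:"Diamotrix"; bsize:9;  -> the whole http.user_agent buffer is exactly those 9 bytes
    # content:!"Referer|0d 0a|" on http.header_names -> no Referer header present
    return (ua is not None
            and ua.encode("latin-1") == b"Diamotrix"
            and "Referer\r\n" not in header_names_buffer(headers))

def evaluate(samples: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Map sample name -> (URI rule fires, User-Agent rule fires)."""
    return {name: (uri_rule_fires(raw), ua_rule_fires(raw)) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, (uri_hit, ua_hit) in evaluate(SAMPLES).items():
        print(f"{name:16s} URI rule: {str(uri_hit):5s} User-Agent rule: {ua_hit}")
```

Running it prints one line per sample. Two things worth noticing: the User-Agent rule only fires on the nine-byte value, so a build that appends a version string slips past bsize:9 even though content:"Diamotrix" alone would still match it, and the URI rule's header-name content is not anchored with a leading |0d 0a| or startswith, so it tolerates extra headers ahead of Host while still requiring User-Agent to be the last one.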

We’ll get these in today, thanks @Jane0sint @g0njxa !!

2 Likes

Thanks @Jane0sint @g0njxa @ishaughnessy , these are:

  • 2055657 - ET MALWARE [ANY.RUN] Diamotrix Clipper Wallet Request (User-Agent) (malware.rules)
  • 2055658 - ET MALWARE [ANY.RUN] Diamotrix Clipper Wallet Request URI Observed (POST) (malware.rules)
1 Like