ET MALWARE Generic Request to gate.php Dotted-Quad - Rule ID 2022986

Hi team Emerging Threats…

Hope this email finds you well…

Appreciate if you can advise the URL on which this rule is built, as I need to understand its CVSS and gain more insight into this signature…

Also, if possible, can a URL be uploaded with all new malware signatures on the site that the analysis is done off, so we can verify and build insight into the work already done…

As a simple good search on the signature of ET MALWARE Rule ID 2022986 is very vague and provides little insight into packets, whether it's a false positive or a genuine impact…

Thanks for all the hard work, team Emerging Threats…

Appreciate the effort and hard work done so far…

God Bless

Regards


Hi,

sid 2022986, as the name implies, is a generic signature that will fire when a request (GET, POST, HEAD, etc.) is seen to a dotted-quad IP address. A number of different malware families over the years have used gate[.]php as their endpoint. Some reference hashes (I will get some of these added to the signature for tomorrow's release) that are available on VirusTotal and have pcap files available:

de4961b8c4fb7e3bd5ea9f1df2b5d182 (exe) - ransomware
0680ff9251b686e9025b36c577163f01 (exe) - pony downloader

are two of the most common we see fire this signature, among others. A helpful search using VirusTotal for ET Open signatures:
https://www.virustotal.com/gui/search/crowdsourced_ids%253A2022986/files
(this specific search is looking for samples that fire sid 2022986 but any ET Open sid can be used)

JT

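Added example, not the ET rule text or any Emerging Threats code (the thread does not show the rule itself): a Python approximation of the behaviour JT describes, a request of any method for gate.php whose Host header is a dotted-quad IPv4 address, run over constructed sample requests so an analyst can see what would and would not match. The sample addresses are from documentation ranges and the request bodies are invented.

```python
import re
from ipaddress import IPv4Address, AddressValueError
from urllib.parse import urlsplit

# Constructed sample requests (hypothetical; addresses come from documentation ranges).
SAMPLE_REQUESTS = [
    b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.7\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nid=1",
    b"GET /gate.php?id=2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST http://198.51.100.9:8080/gate.php HTTP/1.1\r\nHost: 198.51.100.9:8080\r\n\r\n",
    b"GET /index.php HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n",
]

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]\r?\n")
HOST_HEADER = re.compile(rb"^host:[ \t]*(?P<host>[^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def is_dotted_quad(host: bytes) -> bool:
    """True only for a strict IPv4 literal (optional :port), never for a hostname."""
    host = host.split(b":", 1)[0].strip()
    try:
        IPv4Address(host.decode("ascii"))  # rejects names, out-of-range octets, leading zeros
    except (AddressValueError, UnicodeDecodeError):
        return False
    return True


def matches_gate_php_rule(request: bytes) -> bool:
    """Approximation of sid 2022986: any method, path ends in /gate.php, Host is a dotted quad."""
    m = REQUEST_LINE.match(request)
    if not m:
        return False
    # urlsplit handles both origin-form (/gate.php?x=1) and absolute-form (proxy) URIs.
    path = urlsplit(m.group("uri")).path
    if not path.lower().endswith(b"/gate.php"):
        return False
    h = HOST_HEADER.search(request)
    return h is not None and is_dotted_quad(h.group("host"))


def triage(requests):
    """Return (index, method, host) for every request the approximation flags."""
    hits = []
    for i, req in enumerate(requests):
        if matches_gate_php_rule(req):
            method = REQUEST_LINE.match(req).group("method").decode()
            host = HOST_HEADER.search(req).group("host").decode()
            hits.append((i, method, host))
    return hits
```

The second sample shows why the domain-hosted variant is outside this generic rule's scope, and the third shows that a port suffix on a dotted-quad Host still matches.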