ET MALWARE GRAPELOADER & WINELOADER Russia APT29 Request

Hi,

Sig for recent APT29 GRAPELOADER. The first sig is what was seen in the sandbox. Now the opening of the packet is Admin with |00| interspersed. I assume this is because the sandbox ran with Admin privileges. It may be worth getting the sample (from tria.ge below) and running it in a sandbox with a non-admin user to see what it sends, if you can, as I imagine a second one will likely be needed for U|00|s|00|e|00|r|00| or something once confirmed.

# Assumes ".php" is meant to be matched against the request URI and the 64-hex pcre against the client body (sticky buffers added accordingly)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GRAPELOADER Russia APT29 Request"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; endswith; http.client_body; content:"A|00|d|00|m|00|i|00|n|00|"; depth:10; content:"|00|.|00|e|00|x|00|e|00|"; distance:0; http.header; content:!"Referer|3A|"; nocase; http.client_body; pcre:"/\x00\x00[a-f0-9]{64}/smi"; classtype:trojan-activity; reference:url,Renewed APT29 Phishing Campaign Against European Diplomats - Check Point Research; sid:190001; rev:1;)

Combo of Edge on Win7 flagged by the Checkpoint blog, but they have also used Edg/ instead of Edge.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WINELOADER Russia APT29 User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 6.1|3B|"; content:"Edg/"; fast_pattern; classtype:trojan-activity; reference:url,Renewed APT29 Phishing Campaign Against European Diplomats - Check Point Research; sid:190002; rev:1;)

Kind Regards,
Kevin Ross
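Added example (not part of the request above and not ET or Check Point code): a small Python harness that mirrors what the two rules' content/pcre checks look for, so the matching logic can be exercised offline against constructed bodies, including the non-admin "User" variant the post anticipates. The body layout (UTF-16LE username, UTF-16LE path ending in ".exe", then a 64-hex token) is assumed from the rule's matches, not taken from the sample.

```python
import re

# Constructed test data, not captured traffic. The layout is an assumption
# derived from the rule's content matches: UTF-16LE username first, a UTF-16LE
# path ending in ".exe", then two null bytes and a 64-hex-character token.
TOKEN = "deadbeef" * 8  # 64 hex chars, made up
ADMIN_BODY = ("Admin".encode("utf-16-le")
              + "C:\\tmp\\loader.exe".encode("utf-16-le")
              + b"\x00" + TOKEN.encode("ascii"))
USER_BODY = ("User".encode("utf-16-le")
             + "C:\\tmp\\loader.exe".encode("utf-16-le")
             + b"\x00" + TOKEN.encode("ascii"))


def matches_body(body: bytes, username: str = "Admin", depth: int = 10) -> bool:
    """Mirror the http.client_body checks of the GRAPELOADER rule:
    the UTF-16LE username must end within the first `depth` bytes (depth:10),
    the bytes |00|.|00|e|00|x|00|e|00| must follow it (distance:0), and two
    nulls followed by 64 hex characters must appear anywhere (the pcre)."""
    prefix = username.encode("utf-16-le")
    # find() with end=depth only succeeds if the whole prefix lies in body[:depth]
    pos = body.find(prefix, 0, depth)
    if pos == -1:
        return False
    # trailing null of the previous UTF-16LE char + ".exe" in UTF-16LE
    exe = b"\x00" + ".exe".encode("utf-16-le")
    if body.find(exe, pos + len(prefix)) == -1:
        return False
    return re.search(rb"\x00\x00[a-f0-9]{64}", body, re.I | re.S) is not None


def matches_user_agent(ua: str) -> bool:
    """Mirror the WINELOADER rule: Win7 (NT 6.1) token plus the 'Edg/' product,
    neither anchored to the start of the header value."""
    return "Mozilla/5.0 (Windows NT 6.1;" in ua and "Edg/" in ua


if __name__ == "__main__":
    print("admin body, Admin sig:", matches_body(ADMIN_BODY))          # True
    print("user body, Admin sig:", matches_body(USER_BODY))            # False
    print("user body, User sig:", matches_body(USER_BODY, "User"))     # True
```

The second rule's hex escapes (|28| and |3B|) are the literal "(" and ";" characters, so the plain-string comparison above is the same test.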