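# BunnyLoader initial connection: outbound HTTP GET whose URI contains /gate.php?ipaddress= plus the
# host-inventory parameters (hostname, version, system, privileges, arch, antivirus, enc_key).
# Each content match is evaluated independently against the URI, so parameter order is not enforced.
# Repaired so the rule parses: typographic quotes replaced with ASCII quotes, the arrow glyph replaced
# with "->", and the missing ":" restored after the last content keyword (was content"&enc_key=").
# $HTTP_PORT changed to $HTTP_PORTS, the port variable shipped in the default configuration; revert
# only if your sensor really defines HTTP_PORT.
# NOTE(review): reference:url carries the report title, not an address. Replace it with the report's
# URL (without the scheme) before deploying; the title text may not pass reference parsing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BunnyLoader Initial Connection"; flow:established,to_server; content:"GET"; http_method; content:"/gate.php?ipaddress="; http_uri; content:"&hostname="; http_uri; content:"&version="; http_uri; content:"&system="; http_uri; content:"&privileges="; http_uri; content:"&arch="; http_uri; content:"&antivirus="; http_uri; content:"&enc_key="; http_uri; classtype:trojan-activity; reference:url,Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled; sid:155111; rev:1;)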
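# BunnyLoader stealer module: outbound HTTP POST whose URI contains /gate.php and whose headers
# contain the exact line "User-Agent: Uploader" followed by CRLF.
# The URI match alone is generic; the fixed User-Agent header is what narrows this rule, so a change
# of User-Agent on the malware side would evade it. Pair with the initial-connection rule (sid:155111).
# Repaired so the rule parses: typographic quotes replaced with ASCII quotes and the arrow glyph
# replaced with "->".
# $HTTP_PORT changed to $HTTP_PORTS, the port variable shipped in the default configuration; revert
# only if your sensor really defines HTTP_PORT.
# NOTE(review): reference:url carries the report title, not an address. Replace it with the report's
# URL (without the scheme) before deploying; the title text may not pass reference parsing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BunnyLoader Stealer Module Activity"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"User-Agent|3A| Uploader|0D 0A|"; http_header; classtype:trojan-activity; reference:url,Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled; sid:155112; rev:1;)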
Kind Regards,
Kevin Ross