PrivateLoader Signature

jt42 · May 18, 2024, 3:14pm

It looks like the POST is covered by 2049837 but the GET seems unique enough it might do okay too.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Private Loader Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/b"; startswith; fast_pattern; content:".php"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:!"Linux"; http.header_names; content:"|0d 0a|Connection|0d 0a|"; startswith; content:!"Referer|0d 0a|"; reference:md5,362697c95a1c9964af1ab23ddfc29b04; classtype:trojan-activity; sid:1; rev:1;)

sandbox: privateloader | ecfe6fb22dff160829a258b0dc35703846e8eb30bc16e1ce549321736b89b448 | Triage

ishaughnessy · May 20, 2024, 9:14pm

thanks for the tip @jt42 ! Here’s the sid that went out today.

2052789 - ET MALWARE Private Loader Related Activity (GET)

rgonzalez · May 20, 2024, 9:25pm

Thanks @jt42 @ishaughnessy !

Topic		Replies	Views
New Signatures: BunnyLoader Rule Signatures	1	239	March 18, 2024
Privateloader Rule Signatures	2	229	December 26, 2023
Inconsistency between the rules 2049660 & 2049661 and the family Rule Signatures	1	205	December 19, 2023
Gh0stRat Rule Signatures	3	540	December 28, 2023
PureLogs Stealer Rule Signatures	12	782	December 28, 2023

PrivateLoader Signature

Related Topics