I found this malware on Any.Run.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"RedLine Stealer beacon"; content:"Authorization"; content:"net|2e|tcp://"; pcre:"/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]{1,5}/"; pcre:"/[0-9a-f]{32}/"; reference:url,https://app.any.run/tasks/8c84dec3-b855-4e26-bdd2-639ce1de731e/; sid:2008004; rev:1;)
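As an added illustration (not part of the thread and not the rule author's own code), the following Python script models how the content and pcre options of the rule above combine: with no depth, offset, distance or within modifiers, every option must match somewhere in the payload for the alert to fire. It is a simplified stand-in for Suricata's matcher (it ignores flow and relative modifiers, which this rule does not use), decodes the `|2e|` hex escape the way Suricata does, and runs the rule over two constructed sample payloads, one beacon-like and one benign.

```python
import re

# The Suricata rule exactly as posted in the thread above.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"RedLine Stealer beacon"; '
    'content:"Authorization"; content:"net|2e|tcp://"; '
    'pcre:"/[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}:[0-9]{1,5}/"; '
    'pcre:"/[0-9a-f]{32}/"; '
    'reference:url,https://app.any.run/tasks/8c84dec3-b855-4e26-bdd2-639ce1de731e/; '
    'sid:2008004; rev:1;)'
)

# pcre flag letters that Python's re module understands in the same sense as PCRE.
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}


def decode_content(value: str) -> bytes:
    """Expand a Suricata content string: text outside |...| is literal,
    text inside |...| is hex bytes (so "net|2e|tcp://" becomes b"net.tcp://")."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_options(rule: str):
    """Return the rule's content/pcre options, in order, as
    ("content", bytes) or ("pcre", compiled bytes regex) tuples."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = []
    for m in re.finditer(r'(content|pcre):"((?:[^"\\]|\\.)*)"', body):
        kind, value = m.groups()
        if kind == "content":
            opts.append(("content", decode_content(value)))
        else:
            # pcre values look like /pattern/flags; split the two apart
            pat, letters = re.fullmatch(r"/(.*)/([A-Za-z]*)", value, re.S).groups()
            flags = 0
            for ch in letters:
                flags |= PCRE_FLAGS.get(ch, 0)
            opts.append(("pcre", re.compile(pat.encode("latin-1"), flags)))
    return opts


OPTIONS = parse_options(RULE)


def check_payload(payload: bytes, options=OPTIONS):
    """Evaluate every option against the payload; returns [(label, matched)]."""
    results = []
    for kind, value in options:
        if kind == "content":
            results.append((f"content {value!r}", value in payload))
        else:
            results.append((f"pcre {value.pattern!r}", value.search(payload) is not None))
    return results


def rule_matches(payload: bytes, options=OPTIONS) -> bool:
    """Simplified Suricata semantics: without relative modifiers, every
    content and pcre option must match somewhere in the payload."""
    return all(hit for _, hit in check_payload(payload, options))


# Constructed sample payloads for the demo (not captured traffic).
BEACON = (
    b"Content-Type: application/soap+xml\r\n"
    b"Authorization: 9f86d081884c7d659a2feaa0c55ad015\r\n"
    b"To: net.tcp://203.0.113.10:6677/\r\n"
)
BENIGN = b"GET / HTTP/1.1\r\nHost: example.com\r\nAuthorization: Bearer abc\r\n"

if __name__ == "__main__":
    for name, payload in (("beacon", BEACON), ("benign", BENIGN)):
        print(name, "->", "ALERT" if rule_matches(payload) else "no alert")
        for label, hit in check_payload(payload):
            print("   ", "ok " if hit else "MISS", label)
```

Running it shows the benign request satisfying only the `Authorization` content match, which is the kind of per-option breakdown that helps when tuning a rule: the `net.tcp://` content and the IP:port pcre are what carry the specificity here, while a bare 32-hex-character pcre on its own would match a great deal of ordinary traffic.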
Hey Noah,
Thank you for submitting this rule to us; however, I have a bit of good news and bad news:
The good news is that we already have coverage for the traffic; the bad news is that currently it's in the ETPRO ruleset.
We had three rules that fired on this sample:
2850027 TCP CnC net.tcp Init
2850286 TCP CnC Activity
2850353 TCP CnC - Id1Response
The good news is, we will be moving all three of these rules from ETPRO to the ETOPEN ruleset effective TODAY.
So the bad news is, we won’t be implementing this rule into the ETOPEN ruleset, but all ETOPEN users will now be able to benefit from the existing rules that were in the ETPRO ruleset.
Thank you again for sharing your findings, and please have a nice weekend.