SIG: ET MALWARE Possible Gremlin InfoStealer Data Upload

kevross33 · April 29, 2025, 10:46am

Packet shown in the referenced blog.

alert tcp $HOME_NET any → $EXTERNAL_NET $HTTP_PORTS (msg:“ET MALWARE Possible Gremlin InfoStealer Data Upload”; flow:established,to_server; content:“POST”; http_method; urilen:10; content:“/index.php”; http_uri; content:“filename=”; http_header; content:“.zip”; http_header; content:“PK”; http_client_body; depth:2; pcre:“/filename=\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}.zip/H”; classtype:trojan-activity; reference:url,Gremlin Stealer: New Stealer on Sale in Underground Forum; sid:155001; rev:1;)

Kind regards,
Kevin Ross

ishaughnessy · April 29, 2025, 4:11pm

thanks for sharing @kevross33 ! I’ll get this in today and share the sid once it goes live.

Thanks,
Isaac

ishaughnessy · April 29, 2025, 8:57pm

2061959 - ET MALWARE Gremlin Stealer CnC Exfil (POST)
2061960 - ET MALWARE Gremlin Stealer CnC Successful Exfil Confirmation

Topic		Replies	Views
SIG: ET MALWARE Possible Mints.Loader GET Request Rule Signatures	2	21	April 29, 2025
New Signatures: BunnyLoader Rule Signatures	1	258	March 18, 2024
SIG: ET TROJAN Interlock.RansomGroup RAT Initial Callback Rule Signatures	1	66	April 22, 2025
SIGS: ET TROJAN TinyTurlaNG Turla APT Rule Signatures	2	273	February 16, 2024
SIG: ET MOBILE_MALWARE Android/InfamousChisel.InfoStealer APT28/SANDWORM Data Exfiltration Rule Signatures	2	349	September 1, 2023

SIG: ET MALWARE Possible Gremlin InfoStealer Data Upload

Related topics