SilentCryptoMiner

Hi, I have traffic for the miner; a control panel is used along with it, and the requests actually go to the panel. At least the address on the way matches what they offer me on GitHub.

But there is one small problem: the phishing rule is triggered; apparently a flowbit was set incorrectly?

2843999 - ETPRO PHISHING Successful Dynamic DNS Hosted Generic Phish 2020-08-13 (duckdns.org)

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request";
flow: established, to_server;
http.method;
content: "POST";
http.uri;
content: ".php";
http.user_agent;
content: "cpp-httplib";
http.request_body;
content: "remoteconfig"; depth: 1000;
content: "version"; depth: 1000;
content: "activewindow"; depth: 1000;
content: "runtime"; depth: 1000;
content: "type"; depth: 1000;
content: "pool"; depth: 1000;
content: "port"; depth: 1000;
content: "algo"; depth: 1000;
http.header_names;
content: !"Referer|0d 0a|";
reference: md5,cba68dc8a2c46d8b4b6cb945e095657a;
reference: url,app.any.run/tasks/3cdc58f1-33aa-4898-8a0a-25c1fb2c7034;
reference: url,x.com/Jane_0sint/status/1760278859960741917;
reference: url,community.emergingthreats.net/t/silentcryptominer;
metadata: created_at 2024_02_20;
classtype: coin-mining;
sid: 1; rev: 1;)

✧˚ ༘ ⋆。˚
Jane

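To check the rule's buffer logic offline, here is an added example (not from the thread or the ET ruleset) that emulates each content match against a constructed check-in request; the URI, JSON keys and header values are assumptions for illustration, not captured SilentCryptoMiner traffic.

```python
# Added example: offline emulation of the posted rule's buffer checks.
# The request below is constructed for illustration; its URI, headers and
# JSON keys are assumptions that mirror the rule's content matches, not
# real panel traffic.
import json

# content matches required within the first 1000 bytes of http.request_body
BODY_KEYWORDS = [b"remoteconfig", b"version", b"activewindow",
                 b"runtime", b"type", b"pool", b"port", b"algo"]
BODY_DEPTH = 1000

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, URI, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _ = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body

def rule_matches(raw):
    """Apply the rule's checks in order; content matches are case-sensitive."""
    method, uri, headers, body = parse_http_request(raw)
    if method != b"POST":                         # http.method; content:"POST"
        return False
    if b".php" not in uri:                        # http.uri; content:".php"
        return False
    if b"cpp-httplib" not in headers.get(b"user-agent", b""):
        return False                              # http.user_agent
    window = body[:BODY_DEPTH]                    # depth:1000 on every body match
    if not all(kw in window for kw in BODY_KEYWORDS):
        return False
    if b"referer" in headers:                     # http.header_names; content:!"Referer|0d 0a|"
        return False
    return True

def build_checkin(referer=None):
    """Construct a sample check-in POST (constructed data, not real C2)."""
    payload = json.dumps({"remoteconfig": "", "version": "", "activewindow": "",
                          "runtime": 0, "type": "", "pool": "", "port": 0,
                          "algo": ""}).encode()
    lines = [b"POST /panel/gate.php HTTP/1.1", b"Host: example.invalid",
             b"User-Agent: cpp-httplib", b"Content-Type: application/json",
             b"Content-Length: " + str(len(payload)).encode()]
    if referer is not None:
        lines.append(b"Referer: " + referer)
    return b"\r\n".join(lines) + b"\r\n\r\n" + payload
```

Running `rule_matches(build_checkin())` returns True, while adding a Referer header, changing the method, or pushing the JSON keys past the first 1000 body bytes makes it return False, which is the behaviour the rule's negated header match and depth values encode.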

hey @Jane0sint!

I tweaked the rule that was setting the flowbit, so the phishing rule should no longer alert on this traffic. Here are the details for the new sig:

2051004 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
