Tracemap checkin

Found this malware on ANY.RUN. Here is the signature:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"tracemap checkin"; http.method; content:"GET"; http.uri; content:"/api/traceman.php"; reference:url,https://app.any.run/tasks/ae8b24fa-5f95-4535-a2fd-e2d434dd927c/; sid:2008009; rev:1;)

Thanks for the submission! We will take a look and see about getting it in for today's release.

JT

It looks like we have a PRO sig 2852977 - ETPRO Win32/BeamWinHTTP CnC Activity M2 (GET) that covers this activity and is close to what you have suggested. We will be moving that to the OPEN set today.
