Tracemap checkin

Found this malware on ANY.RUN. Here is the signature:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"tracemap checkin"; http.method; content:"GET"; http.uri; content:"/api/traceman.php"; reference:url,; sid:2008009; rev:1;)

Thanks for the submission! We will take a look and see about getting it in for today's release.


It looks like we have a PRO sig 2852977 - ETPRO Win32/BeamWinHTTP CnC Activity M2 (GET) that covers this activity and is close to what you have suggested. We will be moving that to the OPEN set today.