
1alert udp $HOME_NET any -> $HOME_NET 138 (msg: "SPYWARE [PTsecurity] Buhtrap"; content: "|5C|MAILSLOT|5C|"; content: !"|00|"; within: 16; pcre: "/^[0-9A-F]{16,32}\x00/R"; pcre: "/[\x0e-\x19\x80-\xff]{5}/R"; threshold: type both, track by_src, count 4, seconds 3600; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003304; rev: 4;)
2
3alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap"; flow: established, to_server, no_stream; content: "SMB"; content: "|0B 00|"; distance: 8; within: 2; content: "|00 00 18 00 11 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; distance: 0; pcre: "/([0-9A-F]\x00){16,32}$/R"; threshold: type threshold, track by_src, count 8, seconds 2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003305; rev: 4;)
4
5alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap FB set SMB.TreeConnect.ADMIN"; flow: established, to_server, no_stream; content: "SMB"; content: "|03 00|"; distance: 8; within: 2; content: "|5c 00 41 00 44 00 4d 00 49 00 4e 00 24 00|"; distance: 48; isdataat: !1, relative; flowbits: noalert; flowbits: set, SMB.TreeConnect.ADMIN; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003306; rev: 4;)
6
7alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap FB set Pegasus.arch_probe"; flow: established, to_server, no_stream; content: "SMB"; content: "|05 00|"; distance: 8; within: 2; content: "r|00|e|00|g|00|e|00|d|00|i|00|t|00|.|00|e|00|x|00|e|00|"; nocase; distance: 96; flowbits: noalert; flowbits: isset, SMB.TreeConnect.ADMIN; flowbits: set, Pegasus.arch_probe; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003307; rev: 4;)
8
9alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap FB set Pegasus.arch_probe"; flow: established, to_server, no_stream; content: "SMB"; content: "|05 00|"; distance: 8; within: 2; content: "n|00|o|00|t|00|e|00|p|00|a|00|d|00|.|00|e|00|x|00|e|00|"; nocase; distance: 96; flowbits: noalert; flowbits: isset, SMB.TreeConnect.ADMIN; flowbits: set, Pegasus.arch_probe; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003308; rev: 4;)
10
11alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap"; flow: established, to_server, no_stream; content: "SMB"; content: "|05 00|"; distance: 8; within: 2; content: ".|00|e|00|x|00|e|00|"; nocase; distance: 96; pcre: "/([0-9A-F]\x00){8,15}\x2e\x00e\x00x\x00e\x00/"; flowbits: isset, Pegasus.arch_probe; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003309; rev: 3;)
12
13alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR [PTsecurity] Buhtrap/Ratopak"; flow: established, to_server; content: "POST"; http_method; content: ".php"; http_uri; content: "Cache-Control: no-cache"; http_header; content: "Connection: Keep-Alive"; http_header; distance: 0; content: "Pragma: no-cache"; http_header; distance: 0; content: "Content-Type: multipart/form-data|3b| boundary="; http_header; distance: 0; content: "User-Agent: "; http_header; distance: 0; content: "Content-Length: "; http_header; distance: 0; content: "Host: "; http_header; distance: 0; content: !"Referer|3a|"; http_header; content: "Content-Disposition: form-data|3b| name=|22|"; http_client_body; fast_pattern; pcre: "/^(?:[a-z]){4,32}\x22/RP"; content: "Content-Type: application/octet-stream"; http_client_body; within: 100; pcre: "/(?:[\x0e-\x19]|[\x80-\xff]){4}/RP"; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003294; rev: 5;)
14
15alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg: "SPYWARE [PTsecurity] Buhtrap"; flow: established, to_server; content: "POST"; http_method; content: ".php"; http_uri; content: "Content-Type: multipart/form-data|3b| boundary="; http_header; pcre: "/^[0-9a-f]{12}\r\n/RH"; content: "Content-Type: application/octet-stream"; http_client_body; content: "Content-Disposition: form-data|3b| name=|22|"; http_client_body; pcre: "/^[a-z]{8,14}\x22\r\nContent-Type: application/octet-stream\r\n\r\n(.{192}){1,2}\r\n--[0-9a-z]{12}--/RPs"; pcre: "/[\x0e-\x19\x80-\xff]{4}/P"; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003298; rev: 4;)
16
17alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "BOTNET [PTsecurity] Neutrino Checkin"; flow: established, to_server; content: "msg=Y21kJ"; http_client_body; depth: 9; fast_pattern; reference: url, https://www.hybrid-analysis.com/sample/1035a5c5d73573788820d22539403da6165e6a2bc60800b7cdcfc5d1672cd6b8/?environmentId=100; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10002712; rev: 7;)
18
19alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] Orcus"; flow: established, to_client; content: "|308201c730820130a00302010202|"; depth: 600; content: "|164F72637573536572766572436572746966696361746530|"; within: 600; fast_pattern; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003868; rev: 6;)
20
21alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BOTNET [PTsecurity] AESDDoS/Dofloo"; flow: established, to_server; stream_size: server, =, 1; content: "VERSONEX"; depth: 60; reference: url, https://app.any.run/tasks/81fdc653-6ce1-4512-9378-cfcda4495fbb; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10004700; rev: 6;)
22
23alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BOTNET [PTsecurity] AESDDoS/Dofloo"; flow: established, to_server; dsize: 20; content: "|49 4e 46 4f 3a 30 2e 30 25 7c 30 2e 30|"; depth: 13; content: "|20 4d 62 70 73 00|"; distance: 1; within: 6; reference: url, https://cape.contextis.com/analysis/39282/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10004701; rev: 6;)
24
25alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR [PTsecurity] SSVagent (APT31)"; flow: established, to_server; content: "|00 00 00 01 00 00 00 01 00 00 00|"; offset: 1; depth: 11; http_client_body; pcre: "/^[A-F-0-9]{32}/RP"; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006530; rev: 3;)
26
27alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR [PTsecurity] Possible SSVagent (APT31)"; flow: established, to_server; content: "|00 00 00|"; offset: 1; depth: 3; http_client_body; pcre: "/^.{12}[A-F-0-9]{32}/P"; content: "|0d0a 0d0a|"; depth: 300; byte_jump: 1, 0, relative; isdataat: !5, relative; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006531; rev: 4;)
28
29alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] Orcus"; flow: established,from_server; content: "|3082|"; depth: 300; content: "|550403|"; depth: 3000; content: "|0c|Orcus Server0"; distance: 1; within: 14; reference: url, https://app.any.run/tasks/71e6d83c-fd4e-41a9-9c3b-d0a77830a89d; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006589; rev: 3;)
30
31alert tcp any any -> any any (msg: "REMOTE [PTsecurity] TinyNuke"; flow: established, to_server; stream_size: client, =, 11; stream_size: server, =, 1; dsize: 10; content: "AVE_MARIA"; depth: 9; reference: url, https://app.any.run/tasks/48ad8f56-2255-47bf-a988-e0602c11f4b0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006793; rev: 4;)
32
33alert tcp $HOME_NET any -> $EXTERNAL_NET [53, 443] (msg: "PROXY [PTsecurity] Bunitu FB set FB70820_0"; flow: established, to_server; dsize: 14; content: "|00|"; offset: 1; depth: 1; stream_size: server, >,0; stream_size: server, <,2; stream_size: client, >,0; stream_size: client, <,16; flowbits: noalert; flowbits: set, FB70820_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11000339; rev: 12;)
34
35alert tcp $EXTERNAL_NET [53, 443] -> $HOME_NET any (msg: "PROXY [PTsecurity] Bunitu FB set FB70820_1"; flow: established, to_client; dsize: 50; content: "|00|"; offset: 1; depth: 1; stream_size: server, >,0; stream_size: server, <,52; stream_size: client, >,0; stream_size: client, <,16; flowbits: noalert; flowbits: isset, FB70820_0; flowbits: unset, FB70820_0; flowbits: set, FB70820_1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11000340; rev: 11;)
36
37alert tcp $HOME_NET any -> $EXTERNAL_NET [53, 443] (msg: "PROXY [PTsecurity] Bunitu Successful Connection"; flow: established, to_server; dsize: 37; content: "|00|"; offset: 1; depth: 1; stream_size: server, >,0; stream_size: server, <,52; stream_size: client, >,0; stream_size: client, <,53; flowbits: isset, FB70820_1; flowbits: set, FB70820_2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11000342; rev: 10;)
38
39alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "BOTNET [PTsecurity] Tofsee Successful Connection FB set PT.Tofsee_0"; flow: established, to_client; dsize: 200; flags: PA; stream_size: client,=,1; stream_size: server,=,201; flowbits: noalert; flowbits: set, PT.Tofsee_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001386; rev: 8;)
40
41alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "BOTNET [PTsecurity] Tofsee Successful Connection FB set PT.Tofsee_1"; flow: established, to_client; dsize: 57; flags: PA; stream_size: client,<,200; stream_size: server,=,258; flowbits: isset, PT.Tofsee_0; flowbits: noalert; flowbits: unset, PT.Tofsee_0; flowbits: set, PT.Tofsee_1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001388; rev: 8;)
42
43alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "BOTNET [PTsecurity] Tofsee FB set PT.Tofsee_2"; flow: established, to_server; dsize: 97; flags: PA; stream_size: client,<,300; stream_size: server,=,258; flowbits: noalert; flowbits: isset, PT.Tofsee_1; flowbits: unset, PT.Tofsee_1; flowbits: set, PT.Tofsee_2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001387; rev: 8;)
44
45alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "BOTNET [PTsecurity] Tofsee"; flow: established, to_server; flowbits: isset,PT.Tofsee_2; dsize: 25; flags: PA; stream_size: client,<,350; stream_size: server,=,258; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001385; rev: 6;)
46
47alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SPYWARE [PTsecurity] Trickbot/Upatre/Dyre/Dridex JA3 FB set FB320221_"; ja3_hash; content: "8c4a22651d328568ec66382a84fc505f"; flowbits: set, FB320221_; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001756; rev: 7;)
48
49alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SPYWARE [PTsecurity] Trickbot/Upatre/Dyre/Dridex JA3 FB set FB320221_"; ja3_hash; content: "6734f37431670b3ab4292b8f60f29984"; flowbits: set, FB320221_; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001757; rev: 7;)
50
51alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SPYWARE [PTsecurity] Trickbot/Upatre/Dyre/Dridex FB set FB320221_0"; flow: established, to_client; content: "|1703|"; depth: 2; byte_test: 2, >=,160, 1, relative; byte_test: 2, <=,240, 1, relative; stream_size: server, <,3000; stream_size: client, <,3000; flowbits: isset, FB320221_; flowbits: noalert; flowbits: set, FB320221_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001758; rev: 8;)
52
53alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SPYWARE [PTsecurity] Trickbot/Upatre/Dyre/Dridex SSL Successful Connection"; flow: established, to_client; content: "|17 03 01 01 00|"; depth: 5; content: "|17 03 01 00 20|"; distance: 256; within: 5; content: "|17 03 01|"; distance: 32; within: 3; stream_size: server, <,30000; stream_size: client, <,30000; flowbits: isset, FB320221_0; flowbits: unset, FB320221_0; flowbits: set, FB320221_1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001760; rev: 8;)
54
55alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] Babylon FB set FB322496_0"; flow: established, to_server; dsize: 4; content: "|FF|"; offset: 1; depth: 1; content: "|FF|"; distance: 1; within: 1; stream_size: server, =,1; stream_size: client, =,5; flowbits: noalert; flowbits: set, FB322496_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001783; rev: 7;)
56
57alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] Babylon FB set FB322496_1"; flow: established, to_server; dsize: 4; content: "|FF|"; offset: 1; depth: 1; content: "|FF|"; distance: 1; within: 1; stream_size: server, <,24; stream_size: client, >,5; stream_size: client, <,250; flowbits: isset, FB322496_0; flowbits: unset, FB322496_0; flowbits: set, FB322496_1; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001784; rev: 7;)
58
59alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] Babylon"; flow: established, to_client; dsize: 4; content: "|FF|"; offset: 1; depth: 1; content: "|FF|"; distance: 1; within: 1; stream_size: server, <,124; stream_size: client, >,5; stream_size: client, <,250; flowbits: isset, FB322496_1; flowbits: unset, FB322496_1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001785; rev: 6;)
60
61alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "REMOTE [PTsecurity] Babylon"; flow: established, to_server; dsize: 4; content: "|ceff cdff|"; depth: 4; stream_size: server, =,1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11000314; rev: 4;)
62
63alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "REMOTE [PTsecurity] LiteManager FB set FB206141_0"; flow: established, to_server; dsize: 4; content: "|0000|"; depth: 2; stream_size: server, >,0; stream_size: server, <,2; stream_size: client, >,0; stream_size: client, <,6; flowbits: noalert; flowbits: set, FB206141_0; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 11001881; rev: 8;)
64
65alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "REMOTE [PTsecurity] LiteManager FB set FB206141_1"; flow: established, to_server; dsize: 4; content: "|0000|"; depth: 2; stream_size: server, >,0; stream_size: server, <,2; stream_size: client, >,0; stream_size: client, <,10; flowbits: noalert; flowbits: isset, FB206141_0; flowbits: unset, FB206141_0; flowbits: set, FB206141_1; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 11001882; rev: 8;)
66
67alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "REMOTE [PTsecurity] LiteManager FB set FB206141_2"; flow: established, to_client; dsize: 4; content: "|0000|"; depth: 2; stream_size: server, >,0; stream_size: server, <,6; stream_size: client, >,0; stream_size: client, <,10; flowbits: noalert; flowbits: isset, FB206141_1; flowbits: unset, FB206141_1; flowbits: set, FB206141_2; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 11001883; rev: 8;)
68
69alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "REMOTE [PTsecurity] LiteManager FB set FB206141_3"; flow: established, to_server; dsize: 4; content: "|0000|"; depth: 2; stream_size: server, >,0; stream_size: server, <,6; stream_size: client, >,0; stream_size: client, <,14; flowbits: noalert; flowbits: isset, FB206141_2; flowbits: unset, FB206141_2; flowbits: set, FB206141_3; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 11001884; rev: 8;)
70
71alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "REMOTE [PTsecurity] LiteManager"; flow: established, to_client; dsize: 4; content: "|0000|"; depth: 2; stream_size: server, >,0; stream_size: server, <,14; stream_size: client, >,0; stream_size: client, <,22; flowbits: isset, FB206141_3; flowbits: unset, FB206141_3; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 11001885; rev: 6;)
72
73alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] DarkTrack Successful Connection FB set FB582528_0"; flow: established, to_server; dsize: 6; content: "|0000 00|"; fast_pattern; offset: 2; depth: 3; content: "|01|"; offset: 0; depth: 1; byte_test: 1,>,0x06,1; byte_test: 1,<,0xf0,1; stream_size: server, =,1; stream_size: client, =,7; flowbits: noalert; flowbits: set, FB582528_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11003004; rev: 8;)
74
75alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] DarkTrack Successful Connection"; flow: established, to_client; dsize: 6; stream_size: server, >,0; stream_size: server, <,54; stream_size: client, >,0; stream_size: client, <,650; content: "|0100 0000|"; fast_pattern; depth: 4; flowbits: isset, FB582528_0; flowbits: unset, FB582528_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11003005; rev: 7;)
76
77alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "LOADER [PTsecurity] ModiLoader FB set FB909586_0"; flow: established, to_server; dsize: 49<>53; pcre: "/^[\x00-\xff]{10,55}[\x00-\x7f][\x00-\x7f]/"; stream_size: server,=, 1; stream_size: client, <,54; flowbits: noalert; flowbits: set, FB909586_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11003921; rev: 10;)
78
79alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "LOADER [PTsecurity] ModiLoader FB set FB909586_1"; flow: established, to_client; dsize: 3; stream_size: server, =,4; stream_size: client, <,54; flowbits: noalert; flowbits: isset, FB909586_0; flowbits: unset, FB909586_0; flowbits: set, FB909586_1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11003922; rev: 9;)
80
81alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "LOADER [PTsecurity] ModiLoader Successful Connection"; flow: established, to_server; dsize: 2; stream_size: server, =,4; stream_size: client, <,56; flowbits: isset, FB909586_1; flowbits: unset, FB909586_1; flowbits: set, FB909586_2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11003923; rev: 8;)
82
83alert tls any any -> any any (msg: "REMOTE [PTsecurity] SilentTrinity FB set ST_checker1"; flow: established, to_server; stream_size: client, <,3500; stream_size: server, <,8000; content: "|17030302|"; depth: 4; byte_test: 1,>=,0xea,0,relative; byte_test: 1,<=,0xec,0,relative; flowbits: set, ST_checker1; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11004397; rev: 7;)
84
85alert tls any any -> any any (msg: "REMOTE [PTsecurity] SilentTrinity FB set ST_checker2"; flow: established, to_client; stream_size: client, <,3500; stream_size: server, <,8000; content: "|1703030099|"; depth: 5; flowbits: isset, ST_checker1; flowbits: set, ST_checker2; flowbits: unset, ST_checker1; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11004398; rev: 6;)
86
87alert tls any any -> any any (msg: "REMOTE [PTsecurity] SilentTrinity FB set ST_checker3"; flow: established, to_client; stream_size: client, <,3500; stream_size: server, <,8000; content: "|17030303|"; depth: 4; byte_test: 1,>=,0x03,0,relative; byte_test: 1,<=,0x04,0,relative; flowbits: noalert; flowbits: isset, ST_checker2; flowbits: unset, ST_checker2; flowbits: set, ST_checker3; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11004399; rev: 9;)
88
89alert tls any any -> any any (msg: "REMOTE [PTsecurity] SilentTrinity"; flow: established, to_server; stream_size: client, <,3500; stream_size: server, <,8000; content: "|1703030065|"; depth: 5; flowbits: isset, ST_checker3; flowbits: unset, ST_checker3; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11004724; rev: 4;)
90
91alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SPYWARE [PTsecurity] SpyNote response"; flow: established, to_client; dsize: 23; content: "Server|20|Prent|20 3c|please|3e 0d 0a|"; depth: 23; fast_pattern; reference: url, https://app.any.run/tasks/35f20b0a-10b1-4355-a562-076d8ab6db94; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10008411; rev: 2;)
92
93alert tcp any any -> any any (msg: "SPYWARE [PTsecurity] SpyNote/Craxs"; dsize: >19; pcre: "/^[0-9]{1,5}\x00[0-9]{1,5}\x00/"; content: "|1f 8b 08 00 00 00 00 00|"; distance: 0; within: 8; content: "|1f 8b 08 00 00 00 00 00|"; distance: 1; threshold: type limit, track by_src, count 1, seconds 120; reference: url, https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10008415; rev: 1;)
94
95alert http any any -> any any (msg: "SPYWARE [PTsecurity] Hydra"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/api/v1/device/update"; http.header; content: "charset: utf-8"; nocase; http.request_body; content: "{|22|bot_phones|22|:"; depth: 14; fast_pattern; reference: url, tria.ge/240808-w3nt2a1brd/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012079; rev: 1;)
96
97alert http any any -> any any (msg: "SPYWARE [PTsecurity] Hydra"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/api/v1/device"; http.header; content: "charset: utf-8"; nocase; http.request_body; content: "{|22|injects_loaded|22|:"; depth: 18; fast_pattern; reference: url, tria.ge/240808-w3nt2a1brd/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012089; rev: 1;)
98
99alert http any any -> any any (msg: "SPYWARE [PTsecurity] Hydra"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/api/v1/device"; http.header; content: "charset: utf-8"; nocase; http.request_body; content: "{|22|country|22|"; depth: 10; content: "|22|admin_rights_enabled|22|:"; distance: 0; fast_pattern; content: "|22|os_version|22|:"; distance: 0; content: "|22|tag|22|:"; distance: 0; content: "|22|push_token|22|:"; distance: 0; reference: url, tria.ge/240808-w3nt2a1brd/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012090; rev: 1;)
100
101alert http any any -> any any (msg: "SPYWARE [PTsecurity] Zanubis"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/socket.io/"; http.header; content: "Content-Type: text/plain"; content: "Accept-Encoding: gzip"; content: "User-Agent: okhttp/"; content: !"Referer"; http.request_body; content: "[|22|inicio|22|,|22|"; depth: 14; fast_pattern; content: "=:"; distance: 43; within: 3; content: "==:"; distance: 22; within: 4; reference: url, https://www.virustotal.com/gui/file/f6efdc5aa776a013ec6802d33a90676d83f5a6e07324a2775cf1994eb252ff8d/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012111; rev: 2;)
102
103alert http any any -> any any (msg: "BACKDOOR [PTsecurity] NGLite/NKAbuse"; flow: established, to_server; content: "POST"; http_method; content: "User-Agent: Go-http-client/"; http_header; content: "{|22|id|22|:|22|nkn-sdk-go|22|,|22|method|22|:|22|getwsaddr|22|,|22|params|22|:{|22|address|22|:|22|__"; http_client_body; depth: 63; content: !"Referer|3a|"; http_header; reference: url, https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006871; rev: 3;)
104
105alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "STEALER [PTsecurity] MetaStealer"; flow: established, to_client; content: "200"; http_stat_code; content: "Content-Length: 46"; http_header; content: "{|22|ok|22|:|22|"; http_server_body; depth: 7; pcre: "/[a-fA-F0-9]{8}-(?:[a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\x22\x7d\x0a/RQ"; isdataat: !1, relative; reference: url, https://app.any.run/tasks/a3bfd605-f3ef-43e4-85bc-7e909275a770; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10007504; rev: 4;)
106
107alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] XWorm Ping"; flow: established, from_server; dsize: 19; content: "16|00 66 14 47 80 9b ae 6d c0 d9 1e 2b 17 b3 d8 4a 5a|"; depth: 19; threshold: type limit, track by_dst, seconds 120, count 1; reference: md5, ed22b81e3a57a1622dd8a8900411e520; reference: url, github.com/Shinyenigma/XWorm-RAT/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10008312; rev: 3;)
108
109alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] XWorm Ping"; flow: established, to_server; dsize: 19; content: "16|00 53 9c 47 5c 59 25 30 ab 7d 21 76 83 fa 5e 04 9e|"; depth: 19; threshold: type limit, track by_dst, seconds 120, count 1; reference: md5, ed22b81e3a57a1622dd8a8900411e520; reference: url, github.com/Shinyenigma/XWorm-RAT/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10008313; rev: 3;)
110
111alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "STEALER [PTsecurity] WorldWind"; flow: established, to_server; content: "POST"; http_method; content: "/bot"; http_uri; depth: 4; content: "/sendDocument?chat_id="; distance: 44; http_uri; content: "&text="; distance: 0; http_uri; content: "WorldWind"; http_uri; fast_pattern; content: "System:"; http_uri; content: "CPU:"; http_uri; content: "Screen:"; http_uri; content: !"Referer:"; http_header; threshold: type limit, track by_dst, count 1, seconds 120; reference: url, https://app.any.run/tasks/ab8f29a9-cf74-4f63-b296-dced2e5a2393; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10009186; rev: 1;)
112
113alert http any any -> any any (msg: "SPYWARE [PTsecurity] Metamorfo"; flow: established, to_server; content: "POST"; http_method; content: ".php"; http_uri; content: "Connection: keep-alive"; http_header; depth: 23; content: "Content-Type: application/x-www-form-urlencoded"; http_header; distance: 0; content: "Content-Length: "; http_header; distance: 0; content: "Host: "; http_header; distance: 0; content: "Accept: text/html,application/xhtml+xml,application/xml|3b|q="; http_header; distance: 0; content: "Host="; fast_pattern; http_client_body; depth: 5; content: !"Referer|3a|"; http_header; reference: url, https://app.any.run/tasks/7f89b953-a4fd-4a53-a957-1c83ddf1b1d2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010035; rev: 1;)
114
115alert http any any -> any any (msg: "STEALER [PTsecurity] ZIPThief"; flow: established, to_server; content: "POST"; http_method; urilen: 2<>10; content: "Content-Type|3A| application/octet-stream|3B| boundary=----"; http_raw_header; content: !"Referer"; http_header; content: "|504b 0304 1400|"; http_client_body; depth: 6; fast_pattern; pcre: "/.{24}([a-f]|\d){8}\-([a-f]|\d){4}\-([a-f]|\d){4}\-([a-f]|\d){4}\-([a-f]|\d){12}\.txt/PR"; reference: url, https://app.any.run/tasks/a74d0647-c3f7-44b0-b66b-bc4e7c2715c8; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010039; rev: 2;)
116
117alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] SafeRAT"; flow: established, to_server; dsize: 14; stream_size: server, =, 1; stream_size: client, =, 15; content: "|0a 00 00 00|efaSnigoL|00|"; depth: 14; fast_pattern; reference: url, https://www.virustotal.com/gui/file/c226f1b68aecfe0efc2614882268041fc95ada881c930dd1e1fbc413f5727987; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010258; rev: 1;)
118
119alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "LOADER [PTsecurity] SafeRAT"; flow: established, to_server; content: "GET"; http_method; urilen: 12; content: "/payload.bin"; http_uri; depth: 12; fast_pattern; content: "Connection: Keep-Alive|0d 0a|User-Agent: Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b| +http://www.google.com/bot.html)|0d 0a|Host:"; http_raw_header; depth: 120; isdataat: !50, relative; content: !"Referer|3a|"; http_header; content: !"Accept"; http_header; reference: url, https://www.virustotal.com/gui/file/c226f1b68aecfe0efc2614882268041fc95ada881c930dd1e1fbc413f5727987; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010259; rev: 1;)
120
121alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "LOADER [PTsecurity] SafeRAT"; flow: established, to_server; content: "GET"; http_method; urilen: 12; content: "/payload.bin"; http_uri; depth: 12; fast_pattern; content: "Connection: Keep-Alive|0d 0a|User-Agent: WinHTTP Example/1.0|0d 0a|Host:"; http_raw_header; depth: 120; isdataat: !50, relative; content: !"Referer|3a|"; http_header; content: !"Accept"; http_header; reference: url, https://www.virustotal.com/gui/file/c226f1b68aecfe0efc2614882268041fc95ada881c930dd1e1fbc413f5727987; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010260; rev: 1;)
122
123alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "STEALER [PTsecurity] Ares"; flow: established, to_server; content: "POST"; http_method; content: "/api/"; http_uri; depth: 5; content: "Accept-Encoding: gzip, deflate"; http_header; content: "User-Agent: python-requests/"; http_header; content: "Content-Length:"; http_header; content: !"Referer"; http_header; content: "|7b 22|username|22|:"; http_client_body; depth: 13; content: "|22|platform|22|:"; http_client_body; distance: 0; content: "|22|hostname|22|:"; http_client_body; distance: 0; isdataat: !30, relative; reference: url, virustotal.com/gui/file/de4b4f2ec4489ffa873465683818b7db52bf914c3387dd1b84f2dd855a9a1171; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010709; rev: 1;)
124
125alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "STEALER [PTsecurity] Ares"; flow: established, to_server; content: "POST"; http_method; content: "/api/"; http_uri; depth: 5; content: "Accept-Encoding: gzip, deflate"; http_header; content: "User-Agent: python-requests/"; http_header; content: "Content-Length:"; http_header; content: "Content-Type: multipart/form-data|3b| boundary="; http_header; content: !"Referer"; http_header; content: "Content-Disposition: form-data|3b| name=|22|uploaded|22 3b| filename=|22|list.txt|22|"; http_client_body; depth: 120; reference: url, virustotal.com/gui/file/de4b4f2ec4489ffa873465683818b7db52bf914c3387dd1b84f2dd855a9a1171; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010710; rev: 3;)
126
127alert http any any -> any any (msg: "STEALER [PTsecurity] MetaStealer"; flow: established, to_server; content: "GET"; http_method; content: "/avast_update"; http_uri; depth: 13; fast_pattern; content: "Connection|3A| close"; http_header; content: "cpp-httplib/"; http_user_agent; content: !"avast"; http_host; content: !"Referer"; http_header; content: !"Pragma"; http_header; reference: md5, 37880a9cbdc396b07436de5a2e7bb25b; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010717; rev: 4;)
128
129alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MINER [PTsecurity] RustMiner"; flow: established, to_server; content: "GET"; http_method; content: "Cache-Control: no-cache|0d 0a|Connection: Keep-Alive|0d 0a|Pragma: no-cache"; http_header; content: "Accept: */*, ???@, ??????????????"; http_header; distance: 0; content: !"Referer"; http_header; threshold: type limit, track by_src, seconds 120, count 1; reference: url, https://tria.ge/240111-fj6bzaehfl/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010726; rev: 1;)
130
131alert tcp any any -> any any (msg: "BACKDOOR [PTsecurity] AdAptertrAin Response"; flow: established, to_client; content: "###%k###"; depth: 16; fast_pattern; pcre: "/\x20([0-9]{1,3}\.){3}[0-9]{1,3}/R"; content: "###%k###"; distance: 0; reference: url, https://tria.ge/240116-da7gkabfck/behavioral3; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010801; rev: 1;)
132
133alert tcp any any -> any any (msg: "BACKDOOR [PTsecurity] AdAptertrAin"; flow: established, to_server; dsize: <128; content: "(XXX)"; depth: 16; fast_pattern; content: "(XXX)"; distance: 0; pcre: "/^[0-9]{0,6}\x28[X]{3}\x29[0-9]{0,6}\x28[X]{3}\x29[0-9]{0,6}$/"; reference: url, https://tria.ge/240116-da7gkabfck/behavioral3; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010802; rev: 1;)
134
# VenomRAT server certificate, matched on raw DER bytes in the server's TLS data: a SEQUENCE header (30 82) within the first 300 bytes, the commonName OID (55 04 03) within the first 600, then one skipped byte (the string tag) and a length-8 string "VenomRAT".
# Only fires where the certificate is visible in cleartext (TLS 1.2 and below); tls.cert_subject would state the same intent without offset guesswork, but that changes the inspected buffer, so the rule is left as is.
135alert tls any any -> any any (msg: "REMOTE [PTsecurity] VenomRAT SSL certificate"; flow: established,from_server; content: "|3082|"; depth: 300; content: "|550403|"; depth: 600; content: "|08|VenomRAT"; distance: 1; within: 10; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010904; rev: 1;)
136
# CyberGate stage 1: the client's first packet is exactly 4 bytes - two ASCII digits (20-49) followed by "|\n" - before the server has sent anything. Sets CyberGate_rqs0 for sid 10010930. The 2-byte fast pattern is weak; the stream_size/dsize checks do the real filtering.
137alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Possible CyberGate Request"; flow: established, to_server; stream_size: server, <, 3; stream_size: client, =, 5; dsize: 4; content: "|7c 0a|"; offset: 2; depth: 2; fast_pattern; pcre: "/^[2-4]{1}[0-9]{1}\x7c\x0a/"; threshold: type limit,track by_src,count 1,seconds 120; flowbits: set, CyberGate_rqs0; reference: url, https://www.virustotal.com/gui/file/289c546bff97b1f1c08c5bb2d58ec8073e4fdb3cb5e75215e0b9eaf18e8eb866/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010929; rev: 2;)
138
# CyberGate stage 2: no content match at all - fires on a 25<>45 byte (exclusive range) client packet that follows the 4-byte request flagged by sid 10010929, while the server is still nearly silent; the flowbit is consumed here.
139alert tcp any any -> any any (msg: "REMOTE [PTsecurity] CyberGate Request"; flow: established, to_server; stream_size: server, <, 10; stream_size: client, <, 50; dsize: 25<>45; threshold: type limit,track by_src,count 1,seconds 120; flowbits: isset, CyberGate_rqs0; flowbits: unset, CyberGate_rqs0; reference: url, https://www.virustotal.com/gui/file/289c546bff97b1f1c08c5bb2d58ec8073e4fdb3cb5e75215e0b9eaf18e8eb866/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010930; rev: 2;)
140
# VxRAT check-in, inspected on the reassembled stream only: first byte in 0x64-0xc7, bytes 1-12 are eleven NULs then 'T', a 40 00 pair 6-32 bytes later, three "00 0a 00" separators and finally the UTF-16LE string "DISPLAY" (fast pattern); the client has sent 100-400 bytes and the server almost nothing.
# NOTE(review): the leading byte range reads like a size field and the NUL-interleaved text like UTF-16LE host information - confirm against a capture before tuning the offsets.
141alert tcp any any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] VxRAT"; flow: established, to_server, only_stream; stream_size: client, >, 100; stream_size: client, <, 400; stream_size: server, <, 5; byte_test: 1, >, 0x63, 0; byte_test: 1, <, 0xc8, 0; content: "|00 00 00 00 00 00 00 00 00 00 00 54|"; offset: 1; depth: 12; content: "|40 00|"; distance: 6; within: 32; content: "|00 0a 00|"; distance: 6; within: 80; content: "|00 0a 00|"; distance: 6; within: 80; content: "|00 0a 00|"; distance: 6; within: 80; content: "|00|D|00|I|00|S|00|P|00|L|00|A|00|Y|00|"; distance: 0; fast_pattern; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010999; rev: 1;)
142
# Expiro C2 hello: 12 fixed bytes at the start of the client's data while the client has sent 50-80 bytes and the server has not replied. The leading 17 00 00 00 reads like a little-endian length (23); the remaining 8 bytes are opaque and sample-derived - TODO confirm they are constant across builds.
143alert tcp any any -> $EXTERNAL_NET any (msg: "WORM [PTsecurity] Expiro"; flow: established, to_server; stream_size: client, <, 80; stream_size: client, >, 50; stream_size: server, <, 3; content: "|17 00 00 00 af b0 f3 aa f1 98 b0 ff|"; depth: 12; reference: url, https://tria.ge/240229-lbqt7scg95/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011031; rev: 1;)
144
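# Grandoreiro C2 request: "Clever Internet Suite" User-Agent (a Delphi HTTP library default), "Accept-Encoding: gzip", no Referer, and a URI that contains '%' ',' '@' ')' '$' '*' in that order (obfuscated parameters).
# Fix (rev 2 -> 3): the rule was declared as "alert tcp" while every other HTTP rule in this set uses "alert http"; Suricata should already bind it to the HTTP app-layer because of the http_uri/http_header modifiers, so this only makes the protocol explicit and consistent. The User-Agent string is now the explicit fast_pattern instead of leaving MPM selection to the engine's longest-content heuristic over six single-byte URI matches.
# NOTE(review): http_uri is the normalized URI - if libhtp is configured to decode percent-encoding, the literal '%' may no longer be present; http.uri.raw would be the safer buffer. TODO confirm against the any.run capture.
145alert http any any -> any any (msg: "SPYWARE [PTsecurity] Grandoreiro"; flow: established, to_server; content: "%"; http_uri; content: ","; http_uri; distance: 0; content: "@"; http_uri; distance: 0; content: ")"; http_uri; distance: 0; content: "$"; http_uri; distance: 0; content: "*"; http_uri; distance: 0; content: "Accept: */*"; http_header; content: "Accept-Encoding|3A| gzip"; http_header; content: "User-Agent|3A| Mozilla/4.0 (compatible|3B| Clever Internet Suite)"; http_header; fast_pattern; content: !"Referer"; http_header; reference: url, https://app.any.run/tasks/cf1c73d6-a0e7-426f-b77a-b84e3302c3ae; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011166; rev: 3;)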
146
# Backdoor "echo" heartbeat: the client's very first 16 bytes (stream_size client 17, server 1 = nothing back yet) are eight fixed bytes, a 00 00 00 04 word (looks like a big-endian length of the following token) and the ASCII token "echo".
# Same bytes as the original rev 1; hex regrouped into byte pairs and the trailing 65 63 68 6f written as the text it is, depth 16 on a 16-byte content expressed as startswith.
147alert tcp any any -> any any (msg: "BACKDOOR [PTsecurity] Trojan.Backdoor Echo Heartbeat"; flow: established, to_server; stream_size: server, =, 1; stream_size: client, =, 17; content: "|00 00 78 e3 00 00 4f 95 00 00 00 04|echo"; startswith; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011181; rev: 1;)
148
# Banker victim report: form-urlencoded POST to a .php URI with "Accept: text/html, */*" and no Referer; body starts "titulo=" with "&texto=" within 100 bytes, then "Mac" and "Resolucao" after it (Portuguese field names - MAC address and screen resolution, presumably). All body matches are case-insensitive.
149alert http any any -> any any (msg: "SPYWARE [PTsecurity] Trojan.Banker"; flow: established, to_server; http.method; content: "POST"; http.uri; content: ".php"; http.header; content: "Content-Type: application/x-www-form-urlencoded"; content: "Accept: text/html, */*"; content: !"Referer"; http.request_body; content: "titulo="; depth: 7; nocase; content: "&texto="; distance: 0; within: 100; nocase; content: "Mac"; distance: 0; nocase; content: "Resolucao"; distance: 0; nocase; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011254; rev: 1;)
150
# Low-confidence companion to sid 10011254: any Referer-less POST to a .php URI whose body begins "dados=" (Portuguese for "data"). Expect false positives from legitimate Portuguese-language web forms; treat as a hunting / corroborating signal rather than a standalone alert.
151alert http any any -> any any (msg: "SPYWARE [PTsecurity] Possible Trojan.Banker"; flow: established, to_server; http.method; content: "POST"; http.uri; content: ".php"; http.header; content: !"Referer"; http.request_body; content: "dados="; depth: 6; reference: url, https://www.virustotal.com/gui/file/70d3b577620279fd2a2e6cb39e601e5c3342b375f0e53d8771ded26442bafeb9/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011251; rev: 1;)
152
# Remcos check-in on a non-HTTP port: 10 fixed leading bytes in a 300<>450 byte first client packet; needs 2 hits per destination within 30 s before alerting.
# NOTE(review): the 10-byte prefix is opaque and likely build/config-specific (Remcos traffic is keyed per configuration) - verify coverage against other samples before trusting it as a family-wide signature.
153alert tcp any any -> any !$HTTP_PORTS (msg: "REMOTE [PTsecurity] Remcos"; flow: established, to_server; dsize: 300<>450; stream_size: client, <, 451; content: "|01 80 b0 a6 75 bd 32 15 1c 8e|"; depth: 10; threshold: type threshold, seconds 30, count 2, track by_dst; reference: url, https://www.virustotal.com/gui/file/7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011276; rev: 1;)
154
# Gh0st variant, first client packet (200<>400 bytes, server silent): 3 fixed bytes at offset 0, one byte skipped, then 16 fixed bytes pinned at offset 4 (distance 1 + within 16 on a 16-byte content). The bytes are opaque - presumably a masked Gh0st header; TODO confirm the key/variant from the tria.ge sample.
155alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Gh0st"; flow: established, to_server; dsize: 200<>400; stream_size: server, <, 2; content: "|a1 a6 a0|"; depth: 3; content: "|8f 90 90 ac 92 90 90 bf 84 90 90 e8 0c a9 4f d0|"; distance: 1; within: 16; reference: url, https://tria.ge/240402-bd4hzaca7x/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011296; rev: 1;)
156
# "Ryuk" RAT heartbeat: exactly 29 bytes as the very first client data ("DK" magic plus 14 fixed bytes), nothing yet from the server. Whole-packet constants are brittle - the rule will miss if the client re-sends within the same stream or the framing changes.
157alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Ryuk Client Heartbeat"; flow: established, to_server; dsize: 29; stream_size: client, =, 30; stream_size: server, <, 2; content: "|44 4b 00 00 29 af a3 d2 11 00 00 00 08 0a 11 45|"; depth: 16; reference: url, https://tria.ge/240331-f2rarsfa57/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011307; rev: 1;)
158
# Winnti: the 16-char ASCII token "848923JNNWWAAV03" within the first 30 bytes of client data, any port, no size constraints; the token itself is the fast pattern, so cost is low despite the any/any scope.
159alert tcp any any -> any any (msg: "ROOTKIT [PTsecurity] Winnti"; flow: established, to_server; content: "848923JNNWWAAV03"; depth: 30; fast_pattern; reference: url, https://app.any.run/tasks/0e9aa891-01d3-42b4-aaea-63fa191a6dcb; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011352; rev: 1;)
160
# XWorm framing: ASCII decimal length + NUL, then that many bytes - "272\0" + 272 = a 276-byte first client packet, server silent. Sibling rules 10011633 (288) and 10012051 (176) pin other block sizes; a /^[0-9]{3}\x00/ pcre with byte_extract(..., string, dec) would generalise this, at the cost of the exact-size precision these rules rely on.
161alert tcp any any -> any any (msg: "REMOTE [PTsecurity] XWorm"; flow: established, to_server; dsize: 276; stream_size: client, =, 277; stream_size: server, <, 3; content: "272|00|"; depth: 4; fast_pattern; reference: url, https://www.virustotal.com/gui/file/0ca479e1f8698b0ef5124d184309ce416a72407d0dc8cb017f02bb80f014a12d/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011368; rev: 1;)
162
# ZZSteal exfiltration POST: URI ends in /upwawsfrg.php, cookie starts with "SESSION=", the malformed Firefox User-Agent with stray spaces ("Mozilla / 5.0(Windows ...") is the fast pattern, "Expect: 100-continue", no Referer; body is "Name=" + a 5-20 byte value + "&dataFile=".
# Same matches as the original rev 1: isdataat:!1,relative after the URI content is written as endswith, and depth N on an N-byte content (cookie, body) as startswith.
163alert http any any -> any any (msg: "STEALER [PTsecurity] ZZSteal"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/upwawsfrg.php"; endswith; http.cookie; content: "SESSION="; startswith; http.header; content: "Content-Type: application/x-www-form-urlencoded"; content: "User-Agent: Mozilla / 5.0(Windows NT 10.0|3b| Win64|3b| x64|3b| rv: 108.0) Gecko / 20100101 Firefox / 108.0"; fast_pattern; content: "Expect: 100-continue"; content: !"Referer"; http.request_body; content: "Name="; startswith; content: "&dataFile="; distance: 5; within: 30; reference: url, https://tria.ge/240403-pm36fsda7z/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011385; rev: 1;)
164
# DBatLoader plaintext check-in: a 50<>100 byte first client packet starting "pyCode - ", followed by " | Windows", another " | " field separator and a further space; server has sent nothing. Compare sid 10012001 (AllaKore), which sees the same "pyCode" banner base64-encoded.
165alert tcp any any -> any any (msg: "LOADER [PTsecurity] DBatLoader"; flow: established, to_server; stream_size: client, <, 100; stream_size: server, =, 1; dsize: 50<>100; content: "pyCode|20 2d 20|"; depth: 9; fast_pattern; content: "|20 7c 20|Windows"; distance: 0; content: "|20 7c 20|"; distance: 0; content: "|20|"; distance: 0; reference: url, https://www.joesandbox.com/analysis/1347377; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011485; rev: 1;)
166
# RustyNet (APT Patchwork) beacon: form-urlencoded POST to a URI ending in .php, "Expect: 100-continue" (the .NET HttpWebRequest default, presumably) and no Referer; body is "simpleid=...&fiiir=...&uqid=..." in that order. Sid 10011590 covers the "uuiddsd=" message type.
167alert http any any -> any any (msg: "BACKDOOR [PTsecurity] RustyNet (APT Patchwork)"; flow: established, to_server; http.method; content: "POST"; http.uri; content: ".php"; endswith; http.header; content: "Content-Type: application/x-www-form-urlencoded"; content: "Expect: 100-continue"; content: !"Referer"; http.request_body; content: "simpleid="; depth: 9; fast_pattern; content: "&fiiir="; distance: 0; content: "&uqid="; distance: 0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011588; rev: 1;)
168
# Patchwork backdoor: the User-Agent is 10-40 lowercase letters and nothing else (pcre /V = http_user_agent buffer), form-urlencoded POST with "Cache-Control: no-cache" and no Referer, body "umnome=...&pmjodf=...&idkdfjej=...&cokenme=..." in order. The UA check alone is a useful anomaly indicator.
169alert http any any -> any any (msg: "BACKDOOR [PTsecurity] Trojan.Backdoor (APT Patchwork)"; flow: established, to_server; pcre: "/^[a-z]{10,40}$/V"; http.method; content: "POST"; http.header; content: "Content-Type: application/x-www-form-urlencoded"; content: "Cache-Control: no-cache"; content: !"Referer"; http.request_body; content: "umnome="; depth: 7; fast_pattern; content: "&pmjodf="; distance: 0; content: "&idkdfjej="; distance: 0; content: "&cokenme="; distance: 0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011589; rev: 1;)
170
# RustyNet (APT Patchwork) second message type: same .php form POST shape as sid 10011588, but the body is "uuiddsd=...&uqid=..." and no Expect header is required.
171alert http any any -> any any (msg: "BACKDOOR [PTsecurity] RustyNet (APT Patchwork)"; flow: established, to_server; http.method; content: "POST"; http.uri; content: ".php"; endswith; http.header; content: "Content-Type: application/x-www-form-urlencoded"; content: !"Referer"; http.request_body; content: "uuiddsd="; depth: 8; fast_pattern; content: "&uqid="; distance: 0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011590; rev: 1;)
172
# XWorm, 288-byte block size: "288\0" length prefix + 288 bytes = a 292-byte first client packet, server silent (same framing as sids 10011368 and 10012051).
173alert tcp any any -> any any (msg: "REMOTE [PTsecurity] XWorm"; flow: established, to_server; dsize: 292; stream_size: client, =, 293; stream_size: server, <, 3; content: "288|00|"; depth: 4; fast_pattern; reference: url, https://app.any.run/tasks/11cc1312-a965-460f-8c68-4316a749b71e; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011633; rev: 1;)
174
# Latrodectus POST: URI longer than 7 chars, hard-coded Chrome/90 User-Agent, Keep-Alive + no-cache, no Referer, and a request body that starts with the fixed 32-hex string 393b03df... (a campaign/build constant, presumably). That constant is the fast pattern, so a build with a different value evades this rule entirely.
175alert http any any -> any any (msg: "LOADER [PTsecurity] Latrodectus"; flow: established, to_server; http.method; content: "POST"; urilen: >7; http.header; content: "User-Agent: Mozilla/5.0 (Windows NT 10.0|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"; content: "Connection: Keep-Alive"; content: "Cache-Control: no-cache"; content: !"Referer"; http.request_body; content: "393b03dfe0772d1d5cbdd183c97f7ce6"; depth: 32; fast_pattern; reference: url, https://app.any.run/tasks/4081d674-449f-4a16-9710-13f1a6236c3c; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011642; rev: 1;)
176
# 9002 RAT: POST to exactly "/?q=" + 8 lowercase hex chars (the isdataat pair bounds the length, the pcre pins the alphabet), with the tell-tale doubled "User-Agent: User-Agent:" header as fast pattern, "Cache-Control: no-cache" and no Referer.
177alert http any any -> any any (msg: "REMOTE [PTsecurity] 9002RAT"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/?q="; depth: 4; isdataat: 7, relative; isdataat: !9, relative; pcre: "/^\/\?q=[a-f0-9]{8}$/U"; http.header; content: "User-Agent: User-Agent:Mozilla/5.0 (Windows NT 10.0|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537."; fast_pattern; content: "Cache-Control: no-cache"; content: !"Referer"; reference: url, https://www.virustotal.com/gui/file/28808164363d221ceb9cc48f7d9dbff8ba3fc5c562f5bea9fa3176df5dd7a41e/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011655; rev: 1;)
178
# Crimson RAT (TransparentTribe) reply after the server has sent 16-29 bytes: client payload has four NULs then the ASCII fragment "iny" pinned at offset 1, an '=' at least 3 bytes later, a "00 00 00 7c" word 3+ bytes after that, and at least four more '|' field separators. The first 200 bytes of client data only.
179alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Crimson (APT TransparentTribe)"; flow: established, to_server; stream_size: server, <, 30; stream_size: server, >, 15; stream_size: client, <, 200; content: "|00 00 00 00|iny"; offset: 1; depth: 7; fast_pattern; content: "|3d|"; distance: 3; content: "|00 00 00 7c|"; distance: 3; content: "|7c|"; distance: 3; content: "|7c|"; distance: 0; content: "|7c|"; distance: 0; content: "|7c|"; distance: 0; reference: url, https://www.virustotal.com/gui/file/e87978f0af9bb550ab4686a7d3657e6cbfd92347744dfce8ff2321781ac2eee0/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011664; rev: 2;)
180
# PhantomRAT raw-TCP registration: a 190<>512 byte packet holding a JSON object with the keys Uuid, Hostname, Username, LocalIp, PublicIp, Os in that order and ending in '}', sent before any server reply. Key order is part of the match. The client has >260 bytes in the stream, so this need not be the first segment. Sid 10011947 is the HTTP variant.
181alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] PhantomRAT (APT PhantomCore)"; flow: established, to_server; stream_size: server, =, 1; stream_size: client, >, 260; dsize: 190<>512; content: "{|22|Uuid|22|"; distance: 0; content: "|22|Hostname|22|"; distance: 0; content: "|22|Username|22|"; distance: 0; content: "|22|LocalIp|22|"; distance: 0; content: "|22|PublicIp|22|"; distance: 0; content: "|22|Os|22|"; distance: 0; content: "}"; endswith; reference: url, https://www.virustotal.com/gui/file/5d924a9ab2774120c4d45a386272287997fd7e6708be47fb93a4cad271f32a03/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011867; rev: 2;)
182
# PhantomDL loader beacon: an 85<>120 byte packet containing a JSON object {"Id"... "Domain"...} that ends in '}', with no server data yet. Only two keys are checked - the stream_size/dsize constraints carry most of the specificity, keep them.
183alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "LOADER [PTsecurity] PhantomDL (APT PhantomCore)"; flow: established, to_server; stream_size: server, =, 1; stream_size: client, >, 150; dsize: 85<>120; content: "{|22|Id|22|"; content: "|22|Domain|22|"; distance: 0; content: "}"; endswith; reference: url, https://app.any.run/tasks/9fff9dbd-075d-47fd-a265-3dae5d6977dd/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011868; rev: 1;)
184
# SafeRAT payload fetch (silent; sets SafeRAT_loader for sid 10011880): GET for "/<1-10 letters>.txt" or "/payload.bin" whose header-name list ends "Connection, Host" and carries no Content-*, Accept*, User-Agent or Referer header - a bare-bones downloader, not a browser.
185alert http any any -> any any (msg: "LOADER [PTsecurity] SafeRAT FB set SafeRAT_loader"; flow: established, to_server; http.method; content: "GET"; http.uri; content: "/"; startswith; pcre: "/^([a-zA-Z]{1,10}\.txt|payload\.bin)$/UR"; http.header_names; content: "|0d 0a|Connection|0d 0a|Host|0d 0a 0d 0a|"; content: !"Content"; content: !"Accept"; content: !"User-Agent"; content: !"Referer"; flowbits: set, SafeRAT_loader; flowbits: noalert; reference: url, https://www.virustotal.com/gui/file/859e09a10260c646d2864c1f718c551ea566e8612f47979e6de4076c480c8cbc/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011879; rev: 1;)
186
# SafeRAT payload response (requires SafeRAT_loader from sid 10011879, then clears it): HTTP 200 with Content-Disposition and Accept-Ranges, and response-body bytes 5-16 equal to "UVWATAUAVAWH" = 55 56 57 41 54 41 55 41 56 41 57 48, the x64 prologue push rbp/rsi/rdi/r12/r13/r14/r15 + REX.W prefix - i.e. raw position-independent code rather than a PE. The first 5 bytes are unchecked (room for a jmp/call stub, presumably).
187alert http any any -> any any (msg: "LOADER [PTsecurity] SafeRAT"; flow: established, to_client; http.stat_code; content: "200"; http.header; content: "Content-Type"; content: "Accept-Ranges: bytes"; content: "Content-Disposition"; http.response_body; content: "UVWATAUAVAWH"; offset: 5; depth: 12; flowbits: isset, SafeRAT_loader; flowbits: unset, SafeRAT_loader; reference: url, https://www.virustotal.com/gui/file/859e09a10260c646d2864c1f718c551ea566e8612f47979e6de4076c480c8cbc/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011880; rev: 1;)
188
# PhantomRAT over HTTP: JSON POST with the Boost.Beast default User-Agent and no Referer; the body starts {"BuildName":" and then contains the Domain, Hostname, Os, Username, Uuid keys in alphabetical order - a different key set and order from the raw-TCP variant, sid 10011867.
189alert http any any -> any any (msg: "REMOTE [PTsecurity] PhantomRAT (APT PhantomCore)"; flow: established, to_server; http.method; content: "POST"; http.header; content: "User-Agent: Boost.Beast"; content: "Content-Type: application/json"; content: !"Referer"; http.request_body; content: "{|22|BuildName|22|:|22|"; startswith; content: "|22|Domain|22|:"; distance: 0; content: "|22|Hostname|22|:"; distance: 0; content: "|22|Os|22|:"; distance: 0; content: "|22|Username|22|:"; distance: 0; content: "|22|Uuid|22|:"; distance: 0; reference: url, https://www.virustotal.com/gui/file/dca85252d885882fb5eb38d21d48c44012f769a631114ea0c4bfc0f423d82c60/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011947; rev: 1;)
190
# Nerbian server->client message: "4r3f" magic at offset 0, one byte skipped, then 01 00 00 pinned at offset 5; both directions have exchanged 100-500 bytes. One alert per server per 120 s.
191alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Nerbian"; flow: established, to_client; stream_size: client, <, 501; stream_size: client, >, 100; stream_size: server, <, 501; stream_size: server, >, 100; content: "4r3f"; depth: 4; fast_pattern; content: "|01 00 00|"; distance: 1; within: 3; threshold: type limit, track by_src, count 1, seconds 120; reference: url, https://www.virustotal.com/gui/file/19e0aab36e15ddb57e684748ac73dbced7d08e35c5950fe53a3b4011cba1f7ac/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011998; rev: 1;)
192
# AllaKore check-in: the first client packet (100<>200 bytes, server silent) is base64; decoding its first 100 bytes yields "pyCodeV16" at the start, then "*NEW" and two " | " separators. Same "pyCode" banner family as sid 10011485 (DBatLoader), which sends it in clear.
193alert tcp any any -> any any (msg: "LOADER [PTsecurity] AllaKore"; flow: established, to_server; dsize: 100<>200; stream_size: server, <, 2; stream_size: client, <, 201; base64_decode: bytes 100; base64_data; content: "pyCodeV16"; depth: 9; content: "*NEW"; distance: 0; content: "|20 7c 20|"; distance: 0; content: "|20 7c 20|"; distance: 0; reference: url, https://tria.ge/240918-mvh45swfkf/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012001; rev: 1;)
194
# PrivateLoader handshake step (silent): after the server has sent 8 bytes, a client packet brings the client total to 28 bytes and starts 10 00 00 00 (LE 16 - a length field, presumably). Sets priloader_2st_client_pkt for sid 10012030; on its own this pattern is far too generic to alert on, which is why it is noalert.
195alert tcp any any -> any any (msg: "LOADER [PTsecurity] PrivateLoader FB set priloader_2st_client_pkt"; flow: established, to_server; stream_size: client, =, 29; stream_size: server, =, 9; content: "|10 00 00 00|"; depth: 4; flowbits: set, priloader_2st_client_pkt; flowbits: noalert; reference: url, https://tria.ge/240924-seflzatcpg/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012029; rev: 1;)
196
# PrivateLoader: the server reply (server total 12 bytes, client total 44) also starts 10 00 00 00; alerts only if sid 10012029 set the flowbit on this flow, then consumes it. The exact byte counts make the pair precise but fragile against any change in the protocol.
197alert tcp any any -> any any (msg: "LOADER [PTsecurity] PrivateLoader"; flow: established, to_client; stream_size: client, =, 45; stream_size: server, =, 13; content: "|10 00 00 00|"; depth: 4; flowbits: isset, priloader_2st_client_pkt; flowbits: unset, priloader_2st_client_pkt; reference: url, https://tria.ge/240924-seflzatcpg/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012030; rev: 1;)
198
# XWorm, 176-byte block: "176\0" + exactly 176 bytes (the isdataat pair re-asserts what dsize: 180 already guarantees) as the first client packet, server silent. Alerts and also sets xworm_blocksize176 for a follow-up rule that is not in this excerpt.
199alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] XWorm"; flow: established, to_server; stream_size: client, =, 181; stream_size: server, =, 1; dsize: 180; content: "176|00|"; depth: 4; isdataat: 175, relative; isdataat: !176, relative; flowbits: set, xworm_blocksize176; reference: url, https://tria.ge/240905-yktnnsybjk/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012051; rev: 1;)
200
# Jalapeno loader: the server speaks first - a single 116-byte message ending "END$$$$$" before the client has sent any data.
201alert tcp any any -> any any (msg: "LOADER [PTsecurity] Jalapeno"; flow: established, to_client; stream_size: client, =, 1; stream_size: server, =, 117; dsize: 116; content: "END$$$$$"; endswith; reference: url, https://tria.ge/240921-1zgzjawgkn/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012053; rev: 1;)
202
# Nanocore request: no 0x20 byte anywhere in the payload; a 4-byte header 0x11-0x1e 00 00 00 (LE length 17-30, presumably); no NUL in the 16 bytes after it; then 16 00 00 00 "opqrs" 12-31 bytes further on with no NUL after that. Client has sent 32-64 bytes. The first negated content has no offset/depth, so keep the stream_size bounds or this gets expensive.
203alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Nanocore request"; flow: established, to_server; stream_size: client, >, 32; stream_size: client, <, 64; content: !"|20|"; byte_test: 1, >, 0x10, 0; byte_test: 1, <, 0x1f, 0; content: "|00 00 00|"; offset: 1; depth: 3; content: !"|00|"; within: 16; content: "|16 00 00 00|opqrs"; distance: 12; within: 31; content: !"|00|"; distance: 0; threshold: type limit, track by_dst, count 1, seconds 120; reference: url, https://app.any.run/tasks/d154d1eb-f4fb-4815-a9b3-b049425f08ec; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012062; rev: 3;)
204
# Slam V2.0 screenshot header (35<>50 bytes): "SCREENSHOT*screen.jpg*" then two bytes tested as a big-endian word between 0x3030 and 0x4040 - effectively two ASCII characters in the digit range, i.e. the leading digits of a size field - and another '*' delimiter. At most 2 alerts per C2 per 4 minutes.
205alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] Slam V2.0 screenshot exfiltration"; flow: established, to_server; dsize: 35<>50; content: "SCREENSHOT*screen.jpg*"; startswith; byte_test: 2, >, 0x3030, 0, relative; byte_test: 2, <, 0x4040, 0, relative; content: "*"; distance: 0; threshold: type limit, track by_dst, count 2, seconds 240; reference: url, https://tria.ge/240915-bxx6asydpm/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012075; rev: 1;)
206
# Slam V2.0 keep-alive, server side (silent): an 8<>17 byte packet from $EXTERNAL_NET ending "?PING"; sets slam_ping for sid 10012077 to confirm on the client's reply.
207alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] Slam V2.0 FB set slam_ping"; flow: established, to_client; dsize: 8<>17; content: "?PING"; endswith; flowbits: set, slam_ping; flowbits: noalert; reference: url, https://tria.ge/240915-bxx6asydpm/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012076; rev: 1;)
208
# Slam V2.0 keep-alive, client side: an 8<>17 byte "PONG#...#" reply on a flow where sid 10012076 saw the ?PING (flowbit consumed here). Rate-limited to 2 alerts per C2 per 4 minutes.
209alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] Slam V2.0 ping-pong"; flow: established, to_server; dsize: 8<>17; content: "PONG#"; startswith; content: "#"; endswith; flowbits: isset, slam_ping; flowbits: unset, slam_ping; threshold: type limit, track by_dst, count 2, seconds 240; reference: url, https://tria.ge/240915-bxx6asydpm/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012077; rev: 1;)
210
# Slam V2.0 check-in: a 32<>81 byte "SetInfo#...Encrypted...#" message - '#'-delimited fields, "Encrypted" matched case-insensitively and used as the fast pattern.
211alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] Slam V2.0 checkin"; flow: established, to_server; dsize: 32<>81; content: "SetInfo#"; startswith; content: "Encrypted"; distance: 0; nocase; fast_pattern; content: "#"; endswith; reference: url, https://tria.ge/240915-bxx6asydpm/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012078; rev: 1;)
212
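# WorldWind check-in: payload starts 46 00 00 00 (LE length 70, presumably), immediately followed by {"id": 0, then "hwid": within 10 bytes, a 32-byte hwid value with no space in it (the 2-byte distance skips the space+quote), "country": at least 32 bytes after the hwid key and no comma after it. Client has sent <80 bytes, server nothing.
# Fix (rev 1 -> 2): fast_pattern moved from the 4-byte length prefix 46 00 00 00 - three NULs and a small integer that appear in arbitrary binary traffic, so every such payload was being fully evaluated - to the far rarer "hwid": key. Detection semantics are unchanged; only the MPM prefilter pattern differs.
213alert tcp any any -> any any (msg: "STEALER [PTsecurity] WorldWind checkin"; flow: established, to_server; stream_size: client, <, 80; stream_size: server, =, 1; content: "|46 00 00 00|"; startswith; content: "{|22|id|22 3a| 0"; within: 8; content: "|22|hwid|22 3a|"; within: 10; fast_pattern; content: !"|20|"; distance: 2; within: 32; content: "|22|country|22 3a|"; distance: 32; content: !","; distance: 0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012099; rev: 2;)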
214
# WorldWind file exfiltration (server silent): a 4-byte prefix whose first two bytes are not both zero and bytes 2-3 are zero (reads as a LE length 1-65535), then {"id":, "filename": ending in .txt and "content": under tight within bounds, with a content value that contains no space, comma, dot or NUL (a base64-like blob). Same length-prefix + JSON style as the check-in rule sid 10012099; no explicit fast_pattern, so the engine picks "filename":.
215alert tcp any any -> any any (msg: "STEALER [PTsecurity] WorldWind exfiltration"; flow: established, to_server; stream_size: server, =, 1; content: !"|00 00|"; depth: 2; content: "|00 00|"; offset: 2; depth: 2; content: "{|22|id|22 3a|"; within: 8; content: "|22|filename|22 3a|"; within: 16; content: ".txt"; within: 24; content: "|22|content|22 3a|"; within: 16; content: !"|20|"; distance: 1; content: !","; distance: 0; content: !"."; distance: 0; content: !"|00|"; distance: 0; reference: url, https://www.virustotal.com/gui/file/84d52de2b69e14f26259da07297e02eb2c4ac32045a690f65a267fe931da0433/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012100; rev: 1;)
216
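# SnakeKeylogger exfiltration through the Telegram Bot API: GET to api.telegram.org (exact host) calling sendMessage with a text that begins "PC Name:" (fast pattern) and also contains "Country Name:" and "Clicked on the File". One alert per destination per 120 s.
# Fix (rev 1 -> 2): the original anchored the literal "/bot/sendMessage?chat_id=" at the start of the URI. Telegram Bot API paths carry the bot token between "/bot" and the method name (/bot<token>/sendMessage), so that form only matched a token-less request. The URI now has to start with "/bot" and contain "/sendMessage?chat_id=" somewhere after it, which covers both the tokenised path and the original literal.
# NOTE(review): "PC Name|3a|" with a real space assumes http.uri normalization decodes the query string (or that the sample sends it raw) - confirm on the VT sample's pcap. Being an "alert http" rule it only sees cleartext or decrypted traffic; the live API is HTTPS, so pair it with a tls.sni rule for api.telegram.org if that is not already in place.
217alert http any any -> any any (msg: "KEYLOGGER [PTsecurity] SnakeKeylogger exfiltration via Telegram"; flow: established, to_server; http.method; content: "GET"; http.uri; content: "/bot"; startswith; content: "/sendMessage?chat_id="; distance: 0; content: "&text="; distance: 0; content: "PC Name|3a|"; within: 16; fast_pattern; content: "Country Name|3a|"; distance: 0; content: "Clicked on the File"; distance: 0; http.host; content: "api.telegram.org"; startswith; isdataat: !1, relative; threshold: type limit, track by_dst, count 1, seconds 120; reference: url, https://www.virustotal.com/gui/file/bcade8f76366bc86315e2775770083a82a5f1ca9344d03be5ef52616dcceaea8/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012139; rev: 2;)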
218
# SnakeKeylogger mail exfiltration: SMTP stream containing "Subject: Pc Name:" with "/ VIP Recovery \" within 48 bytes after it; one alert per mail server per 120 s. Only works on plaintext SMTP (no STARTTLS / implicit TLS).
# NOTE(review): "Pc Name" here vs "PC Name" in the Telegram rule (sid 10012139) - the match is case-sensitive, so confirm the SMTP sample really uses this capitalisation, or add nocase to that content.
219alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg: "KEYLOGGER [PTsecurity] SnakeKeylogger exfiltration via SMTP"; flow: established, to_server; content: "Subject|3a| Pc Name|3a|"; content: "|2f| VIP Recovery |5c|"; within: 48; threshold: type limit, track by_dst, count 1, seconds 120; reference: url, https://www.virustotal.com/gui/file/bcade8f76366bc86315e2775770083a82a5f1ca9344d03be5ef52616dcceaea8/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012140; rev: 1;)
220
# Bumblebee first client packet (100<>200 bytes, server silent): "alcon" plus 6 fixed bytes pinned at offset 1. Byte 0 is deliberately left unchecked - likely the 'F' of "Falcon" varying, or a type byte; TODO confirm from the referenced sample.
221alert tcp any any -> any any (msg: "LOADER [PTsecurity] Bumblebee"; flow: established, to_server; dsize: 100<>200; stream_size: server, <, 2; stream_size: client, <, 201; content: "alcon|22 fe 94 63 4a 56|"; offset: 1; depth: 11; reference: url, https://www.virustotal.com/gui/file/c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012145; rev: 1;)
222
# Python-urllib form POST whose body carries the column headers of Windows "tasklist" output in order (Image Name, PID, Session Name, Session#, Mem Usage) - process-list exfiltration from the VS Code tunnel intrusion described in the referenced Cyble write-up. "Session#" is the fast pattern; the headers alone (identity encoding, Connection: close, no Referer) are generic urllib behaviour.
223alert http any any -> any any (msg: "STEALER [PTsecurity] Trojan.Stealer"; flow: established, to_server; http.method; content: "POST"; http.header; content: "Accept-Encoding: identity"; content: "User-Agent: Python-urllib/"; content: "Content-Type: application/x-www-form-urlencoded"; content: "Connection: close"; content: !"Referer"; http.request_body; content: "Image Name"; content: "PID"; distance: 0; content: "Session Name"; distance: 0; content: "Session#"; distance: 0; fast_pattern; content: "Mem Usage"; distance: 0; reference: url, cyble.com/blog/silent-intrusion-unraveling-the-sophisticated-attack-leveraging-vs-code-for-unauthorized-access/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012179; rev: 1;)
224
# XavierEra stealer upload: python-requests multipart POST to a URI ending /pip/x/requirements.php (a pip-lookalike path), no Referer; the body holds a ZIP ("PK" within the first 150 bytes) followed by the archive entry names "Cookies" and "_Default_PASS" (fast pattern).
225alert http any any -> any any (msg: "STEALER [PTsecurity] XavierEra"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/pip/x/requirements.php"; endswith; http.header; content: "User-Agent: python-requests/"; content: "Accept-Encoding: gzip, deflate, br"; content: "Content-Type: multipart/form-data|3b| boundary="; content: !"Referer"; http.request_body; content: "|50 4b|"; depth: 150; content: "Cookies"; distance: 0; content: "_Default_PASS"; distance: 0; fast_pattern; reference: url, https://app.any.run/tasks/d914b17f-c258-4522-9370-bd972106fa04; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012300; rev: 1;)