"ET TROJAN W32/Nymaim Checkin M2"
SID: 2016757
Revision: 8
Class Type: trojan-activity
Metadata: created_at 2013_04_16, updated_at 2022_10_20
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: any
Flow: to_server,established
Contents:
-
Value: "POST" Depth: 5
-
Value: "Content-Type|3a| application/x-www-form-urlencoded|0d 0a|"
-
Value: " MSIE "
-
Value: "|0d 0a 0d 0a|filename="
-
Value: "&data="
-
Value: !"Referer"
Within:
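PCRE: "/\r\n\r\nfilename=[a-z]+?.[a-z]+?&data=/" (as printed, the "." between the two [a-z]+? groups is unescaped and matches any single character; a backslash may have been lost in rendering, so check against the published rule text)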
Special Options:
-
nocase
-
fast_pattern