""ET TROJAN Dridex POST Retrieving Second Stage M2""
SID: 2020825
Revision: 5
Class Type: trojan-activity
Metadata: created_at 2015_04_01, updated_at 2015_04_09
Reference: md5 148112df459ba40b9127f7d4f1c08df2
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
- Value: "POST / HTTP/1.1|0d 0a|" Depth: 17
- Value: "|0d 0a 0d 0a|"
- Value: "Host|3a 20|" Within:
PCRE: "/^Host\x3a (?=[a-z0-9]{0,19}[A-Z])(?:(?=[A-Z0-9]{0,19}[a-z])|(?=[A-Za-z]{0,19}\d)|(?=[A-Z]+.))[a-zA-Z0-9]{3,20}[\x2e\x20][a-z]{2,3}\r?$/Hm"
Special Options:
- http_header