""ET TROJAN Win32/Nivdort Checkin""

SID: 2025020

Revision: 5

Class Type: trojan-activity

Metadata: created_at 2015_02_12, updated_at 2023_05_19, reviewed_at 2024_03_26

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "GET"

  • Value: ".php?email="

  • Value: "&method=post"

  • Value: !"User-Agent|3a|"

  • Value: !"Accept-"

  • Value: !"Referer|3a|"

  • Value: " HTTP/1.0|0d 0a|"

Within:

PCRE:

Special Options:

  • http_method

  • http_uri

  • http_uri

  • http_header

  • http_header

  • http_header

source