"ET TROJAN Dmechant Exfil Cryptowallets via SMTP"

SID: 2033413

Revision: 2

Class Type: trojan-activity

Metadata: created_at 2021_07_25, updated_at 2021_07_25

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: [25,465,587,2525]

Flow: established,to_server

Contents:

  • Value: "|0d 0a|Subject|3a 20|Cryptowallets|3a 3a 3a 3a|"

Within:

PCRE:

Special Options:
