""ET TROJAN BleachGap Ransomware Checkin (POST)""

SID: 2033902

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, tag Ransomware, updated_at 2021_09_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact

Reference:

  • md5

  • 4809f621c6dbaf0c93f1a92def0f592e

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: "|22|username|22 3a 20 22|BleachGap|20|"

  • Value: "|22|name|22 3a 20 22|Hacker$quad|22|"

  • Value: "discord.gg"

Within:

PCRE:

Special Options:

  • http_method

  • http_client_body

  • http_client_body

  • http_client_body

source