Et rule 2034909 - Magic-SigExplorer

SID: 2034909

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, signature_severity Major, tag RAT, updated_at 2022_01_13

Reference:

md5
1cdc2c0f6834b37da085c0deb9d3461a

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow: established,to_server

Contents:

Value: "|db f6 94 f6 9f f6 82 f6 f6 f6|"
Value: "|f6 cc f6|"
Value: "|f6 cc f6|"
Value: "|f6 cc f6|"
Value: "|f6 cc f6|"
Value: "|f6 cc f6|"
Value: "|f6 f6 f6|"

Within: 3

PCRE:

Special Options:

fast_pattern

source

""ET TROJAN APT/Bitter Related CnC Activity""