"ET TROJAN Generic AsyncRAT Style SSL Cert"

SID: 2035595

Revision: 7

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, malware_family AsyncRAT, signature_severity Major, updated_at 2022_08_01, reviewed_at 2024_05_06

Reference:

  • md5: 7ed7bf7ea7a1551218f73774d28be76c

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: [!5222,!7687]

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: !"infinitecampus.com"

  • Value: "|0f 39 39 39 39 31 32 33 31 32 33 35 39 35 39 5a|"

  • Value: "|55 04 03|"

  • Value: !"|55 04 0a|"

  • Value: !"|55 04 0b|"

  • Value: !"|55 04 0c|"

  • Value: !"|03|com"

  • Value: !"|06 03 55 04 03 13 09|localhost"

  • Value: !"|06 03 55 04 03 13 0a|ForFunLabs"

Within:

PCRE: "/^.(?P<servercert>[\x00-\xff][\x20-\x7f]{1,50})\x30.+?\x55\x04\x03.(?P=servercert)\x30/Rsi"

Special Options:

  • fast_pattern
