Et rule 2036601 - Magic-SigExplorer

""ET CURRENT_EVENTS Possible Cryptowallet Mining Pool Scam Landing Page""

SID: 2036601

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, signature_severity Major, updated_at 2022_05_17

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

Value: "200"
Value: "d|20 3d 20|navigator|2e|userAgent"
Value: "return|20|d|2e|includes|28 22|hbWallet|22 29 20 3f 20 22|"
Value: "|22 20 3a 20|d|2e|includes|28 22|coinbase|22 29 20 3f 20 22|Coinbase"
Value: "|22 20 3a 20|d|2e|includes|28 22|CriOS|22 29 20 3f 20 22|MetaMask"
Value: "|22 20 3a 20|d|2e|includes|28 22|imToken|22 29 20 3f 20 22|imToken"
Value: "|22 20 3a 20|d|2e|includes|28 22|bitpie|22 29 20 3f 20 22|"
Value: "|22 20 3a 20|d|2e|includes|28 22|TokenPocket|22 29 20 3f 20 22|TokenPocket"

Within:

PCRE:

Special Options:

http_stat_code
file_data
fast_pattern

source