"ET TROJAN Win32/APT28 Host Fingerprint Exfiltration via IMAP"
SID: 2037090
Revision: 1
Class Type: trojan-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22
Reference:
- md5: d3bddb5de864afd7e4f5e56027f4e5ea
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: 143
Flow: established,to_server
Contents:
- Value: "|24 20|APPEND|20|INBOX|20 7b|" Depth: 16
- Value: "M_report|0d 0a|" Within: 10
PCRE: "/Subject\x3a[0-9]{1,2}\x2f[0-9]{1,2}\x2f[0-9]{4}\x20[0-9]{1,2}\x3a[0-9]{1,2}\x3a[0-9]{2}\x20[AP]/R"
Special Options:
- fast_pattern