""ET TROJAN Arkei/Vidar/Mars Stealer Variant Data Exfiltration Attempt""

SID: 2038525

Revision: 1

Class Type: trojan-activity

Metadata: created_at 2022_08_15, updated_at 2022_08_15

Reference:

• md5

• 844ab1b8a2db0242a20a6f3bbceedf6b

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "POST"

• Value: "/winsock"

• Value: !"Referer|3a 20|"

• Value: "Content-Disposition|3a 20|form-data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|fname|22|"

• Value: "PK|03 04|"

• Value: "ProcList.txt"

• Value: "Content-Disposition|3a 20|form-data|3b 20|name|3d 22|hwid|22 0d 0a 0d 0a|"

Within:

PCRE:

Special Options:

• http_method

• fast_pattern

• http_uri

• http_header

• http_client_body

• http_client_body

• http_client_body

• http_client_body

source