"ET TROJAN Win32/MagicRAT CnC Checkin M2"
# Rendered view of an Emerging Threats signature (ET Open / ET Pro rule set).
# Signature ID as given on the page; revision 1 is the initial release.
SID: 2038766
Revision: 1
# Snort/Suricata classtype; the alert is treated as trojan C2 activity.
Class Type: trojan-activity
# Rule metadata: written for a perimeter sensor watching client endpoints,
# tied to the MagicRAT family, low performance cost, high confidence, major severity.
Metadata: attack_target Client_Endpoint, created_at 2022_09_07, deployment Perimeter, malware_family MagicRAT, performance_impact Low, confidence High, signature_severity Major, updated_at 2022_09_07
# The reference is an md5 of a sample associated with this family (value copied
# from the page; use it as a pivot for sandbox / threat-intel lookups).
Reference:
-
md5
-
b4c9b903dfd18bd67a3824b0109f955b
# Matches HTTP over TCP from the monitored network towards the Internet on the
# configured HTTP ports; "established,to_server" restricts it to the client->server
# half of an established flow, i.e. the implant's outbound check-in request.
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
# Content matches, in rule order. Each one is scoped to an HTTP buffer by the
# sticky-buffer/modifier keyword that appears at the same position in the
# "Special Options" list below (method, uri, header, client body ...).
# Hex escapes such as |3d 22| are raw bytes ('="') in the multipart form body.
Contents:
-
# HTTP method buffer.
Value: "POST"
-
# HTTP URI buffer (note the trailing space inside the quotes on the page;
# whether it is part of the original match or a rendering artifact cannot be
# confirmed from here — check the source rule before copying).
Value: "/adm_bord/login_new_check.php "
-
# HTTP header buffer: fixed multipart boundary string used by the sample.
Value: "boundary|3d 22|boundary_.oOo._"
-
# Client-body buffer; Depth: 17 pins this to the very start of the body.
Value: "--boundary_.oOo._" Depth: 17
-
# The following four matches are multipart form fields (type, id, session,
# file) as emitted by the implant's check-in; 0d 0a 0d 0a is CRLF CRLF.
Value: "name|3d 22|type|22 3b|"
-
Value: "name|3d 22|id|22 3b 0d 0a 0d 0a|"
-
Value: "name|3d 22|session|22 3b 0d 0a 0d 0a|"
-
Value: "name|3d 22|file|22 3b 20|filename|3d 22|"
-
# 24 24 24 is "$$$" — a literal separator following the "information" token.
Value: "information|24 24 24|"
-
# Negated content: with the trailing http_header option, the request must NOT
# carry a Referer header for the rule to fire.
Value: !"Referer"
# "Within:" has no value on this page; the rendering appears to have dropped it,
# so it cannot be restored from here.
Within:
# Regex on the client body (the /P modifier scopes a pcre to the HTTP client
# body): the uploaded file name must be 32 hex characters followed by ".gif".
PCRE: "/filename\=\"[a-f0-9]{32}.gif\"/P"
# Buffer modifiers in the same order as the content matches above.
# NOTE(review): the two entries below that read like the tail of a regex
# ("...[a-f0-9]{32}/P"" and "...[a-z0-9]{19}/P"") are most likely the endings of
# two additional pcre options whose opening portion was lost during extraction
# (positioned after the "id" and "session" field matches). Treat them as
# incomplete; consult the upstream rule file for the full expressions.
Special Options:
-
http_method
-
http_uri
-
http_header
-
http_client_body
-
http_client_body
-
http_client_body
-
\x0d\x0a\x0d\x0a[a-f0-9]{32}/P"
-
http_client_body
-
\x0d\x0a\x0d\x0a[a-z0-9]{19}/P"
-
http_client_body
-
http_client_body
-
# fast_pattern selects the preceding content ("information$$$") as the
# pre-filter pattern used by the engine's multi-pattern matcher.
fast_pattern
-
http_header