""ET TROJAN Win32/SaintStealer Data Exfiltration Attempt M2""

SID: 2039022

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_09_27, deployment Perimeter, malware_family SaintStealer, performance_impact Low, confidence High, signature_severity Major, updated_at 2022_09_28

Reference:

  • md5

  • 3659201ce95a682f5e2b6c019342b0e4

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: "/receive.php?"

  • Value: !"User-Agent|3a 20|"

  • Value: !"Referer|3a 20|"

  • Value: "Content-Disposition|3a 20|form-data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|"

  • Value: "|40|"

  • Value: "|0d 0a 0d 0a|PK|03 04|"

  • Value: "|00 00 00|"

  • Value: "Screenshot.jpg"

Within: 300

PCRE: "/filename\x3d\x22[^\@]+\@[A-F0-9]{32}.zip\x22/P"

Special Options:

  • http_method

  • http_uri

  • http_header

  • http_header

  • http_client_body

  • http_client_body

  • http_client_body

  • http_client_body

  • http_client_body

  • fast_pattern

source