"ET TROJAN MintStealer CnC Activity (POST)"
SID: 2043225
Revision: 1
Class Type: trojan-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_01_05, deployment Perimeter, signature_severity Major, updated_at 2023_01_05
Reference:
-
md5
-
09f41a8c80ff0f738053a45de742f2cf
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow:
Contents:
-
Value: "POST"
-
Value: "/api/won"
-
Value: "User-Agent|3a 20|axios/"
-
Value: "|22|hostname|22 3a|"
-
Value: "|22|ip|22 3a|"
-
Value: "|22|passwords|22 3a|"
-
Value: "|22|cookies|22 3a|"
-
Value: "|22|cards|22 3a|"
-
Value: "|22|autofills|22 3a|"
-
Value: "|22|metamask_recovery|22 3a|"
-
Value: "|22|extensions|22 3a|"
-
Value: "|22|cold_wallets|22 3a|"
-
Value: "|22|sysadmin|22 3a|"
-
Value: "|22|vpn|22 3a|"
-
Value: "|22|messengers|22 3a|"
-
Value: "|22|games|22 3a|"
-
Value: "|22|path|22 3a|"
-
Value: "|22|discords|22 3a|"
-
Value: "|22|minecrafts|22 3a|"
-
Value: "|22|size|22 3a|"
-
Value: "|22|key|22 3a|"
Within:
PCRE:
Special Options:
-
http_method
-
http_uri
-
fast_pattern
-
http_header
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body
-
http_client_body