""ET TROJAN Win32/keyzetsu Stealer exfil via Telegram (Response)""
SID: 2044692
Revision: 2
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, created_at 2023_03_20, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Critical, updated_at 2023_05_30
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "|7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a|" Depth: 34
-
Value: "|22 75 73 65 72 6e 61 6d 65 22 3a 22 6b 65 79 7a 65 74 73 75 5f 62 6f 74 22 7d|"
Within:
PCRE:
Special Options:
-
file_data
-
fast_pattern