""ET TROJAN Win32/keyzetsu Stealer Variant Exfil via Telegram (Response)""
SID: 2044693
Revision: 1
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, created_at 2023_03_20, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_03_20
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "|7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a|" Depth: 20
-
Value: "|2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 64 61 6d 61 68|"
-
Value: "|5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a|"
Within: 20
PCRE:
Special Options:
-
file_data
-
fast_pattern