Et rule 2044925 - Magic-SigExplorer

""ET TROJAN Win32/Agartha Stealer Activity via Telegram (Response)""

SID: 2044925

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2023_04_12, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, signature_severity Major, updated_at 2023_04_12

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

Value: "|7b 22 6f 6b 22 3a 74 72 75 65 2c|" Depth: 11
Value: "|66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 67 61 72 74 68 61 43 72 79 70 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 41 67 61 72 74 68 61 43 72 79 70 74 42 6f 74 22 7d 2c|"

Within:

PCRE:

Special Options:

file_data
fast_pattern

source