""ET TROJAN Win32/LeftHook Stealer Browser Extension Config Inbound""
SID: 2045001
Revision: 2
Class Type: trojan-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_04_17, deployment Perimeter, confidence High, signature_severity Major, updated_at 2023_12_13
Reference:
-
md5
-
43967615d9e0e19bc59d32fdb5afd7e4
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "|3c|s|3a|Envelope|20|xmlns|3a|s|3d 22|http|3a 2f 2f|schemas|2e|xmlsoap|2e|org|2f|soap|2f|envelope|2f 22 3e|"
-
Value: "|3c|a|3a|BlockedCountry"
-
Value: "|3c|a|3a|BlockedIP"
-
Value: "|3c|a|3a|ScanBrowsers|3e|"
-
Value: "|3c|a|3a|ScanChromeBrowsersPaths"
-
Value: "|3c|a|3a|ScanDiscord|3e|"
-
Value: "|3c|a|3a|ScanScreen|3e|"
-
Value: "|3c|a|3a|ScanSteam|3e|"
-
Value: "|3c|a|3a|ScanVPN|3e|"
-
Value: "|3c|a|3a|ScanWallets|3e|"
Within:
PCRE:
Special Options:
-
file_data
-
fast_pattern