Et rule 2049122 - Magic-SigExplorer

""ET TROJAN Bandit Stealer Config Inbound""

SID: 2049122

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_11_08, deployment Perimeter, deployment SSLDecrypt, malware_family Bandit_Stealer, confidence High, signature_severity Major, updated_at 2023_11_08, reviewed_at 2023_11_08

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

Value: "|23 20|The|20|list|20|of|20|blacklisted|20|IP|20|addresses|20|and|20|MAC|20|addresses"
Value: "blackListedIPS|20 3d 20 5b|"
Value: "blackListedMacs|20 3d 20 5b|"
Value: "blacklisted|20 5f|users|20 3d 20 5b|"
Value: "blackListedPCNames|20 3d 20 5b|"
Value: "blacklisted|20 5f|processes|20 3d 20 5b|"

Within:

PCRE:

Special Options:

source