"ET TROJAN [ANY.RUN] ZharkBOT HTTP CnC Checkin"
SID: 2050279
Revision: 1
Class Type: trojan-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, created_at 2024_01_22, deployment Perimeter, malware_family ZharkBOT, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_01_22
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "GET"
-
Value: "?id="
-
Value: "us="
-
Value: "mn="
-
Value: "os=Windows"
-
Value: "bld="
-
Value: "|a0 28|Windows|a0|NT|a0|10.0|3b a0|Win64|3b a0|x64|29 a0|"
-
Value: !"Referer|3a 20|"
Within:
PCRE: "/\?id=[a-f0-9]{32}&/U"
Special Options:
-
http_method
-
http_uri
-
http_uri
-
http_uri
-
http_uri
-
http_uri
-
http_header
-
fast_pattern
-
http_header