""ET TROJAN Win32/Sync-Scheduler Stealer Activity (POST)""

SID: 2051842

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_03_29, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2024_03_29

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: ".php"

  • Value: "Accept|3a 20|multipart/*|0d 0a|" Depth: 21

  • Value: "Content-Disposition: form-data|3b 20|name=|22|file|22 3b 20|filename=|22 20|"

  • Value: "Content-Type|3a 20|text/plain|3b 22 3b|"

  • Value: !"Referer|3a 20|"

Within:

PCRE: "/.php$/U"

Special Options:

  • http_method

  • http_uri

  • http_header

  • fast_pattern

  • http_client_body

  • http_client_body

  • http_header

source