[Snort-sigs] Win.Trojan.Tiggre

Y M snort at outlook.com
Mon Feb 19 13:26:41 EST 2018


Hi,


This one is for detecting Tiggre (aka SilverStart). Pcap is available.


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Tiggre - SilverStar - outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/api.php?"; fast_pattern:only; content:"response="; http_uri; content:"&cpu="; http_uri; content:"&gpu="; http_uri; content:"&ram="; http_uri; metadata:ruleset community, service http; content:!"User-Agent"; http_header; content:!"Referer"; http_header; reference:url,www.virustotal.com/#/file/3f751799a501532f43ca5f12fe80aa0bad78f9f5d57e76bf49b401bb99f355df/detection; classtype:trojan-activity; sid:9000038; rev:1;)


Thanks.

YM
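
The conditions in the rule above, approximated in Python and run over constructed requests. This is an added example, not part of the original post or of Snort itself. The names `parse_request`, `rule_matches` and `run_samples` and the host `host.example` are assumptions, and Snort's HTTP normalization and flow tracking are not modelled.

```python
# Added illustration: approximates the rule's option checks in plain Python.
# Assumption: no URI/header normalization or TCP flow state is modelled.

URI_CONTENTS = (b"response=", b"&cpu=", b"&gpu=", b"&ram=")  # content ... http_uri
ABSENT_HEADERS = (b"User-Agent", b"Referer")                 # content:!... http_header


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, header_block), or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], header_block


def rule_matches(raw: bytes) -> bool:
    """Return True if the request satisfies every condition in the rule."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers = parsed
    if method != b"GET":                          # content:"GET"; http_method
        return False
    if b"/api.php?" not in raw:                   # fast_pattern:only content
        return False
    if not all(c in uri for c in URI_CONTENTS):   # case-sensitive, order not enforced
        return False
    return not any(h in headers for h in ABSENT_HEADERS)


# Constructed sample requests (not taken from the pcap mentioned in the post).
QUERY = b"/api.php?response=1&cpu=a&gpu=b&ram=8"
SAMPLES = {
    "rule_shape": b"GET " + QUERY + b" HTTP/1.1\r\nHost: host.example\r\n\r\n",
    "reordered": b"GET /api.php?response=1&ram=8&gpu=b&cpu=a HTTP/1.1\r\nHost: host.example\r\n\r\n",
    "browser_like": b"GET " + QUERY + b" HTTP/1.1\r\nHost: host.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "post": b"POST " + QUERY + b" HTTP/1.1\r\nHost: host.example\r\nContent-Length: 0\r\n\r\n",
}


def run_samples():
    """Evaluate every constructed sample and return {name: matched}."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:14} {'ALERT' if hit else 'no alert'}")
```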