[Snort-sigs] Win.Trojan.Ammyy RAT

Y M snort at outlook.com
Fri May 25 14:53:15 EDT 2018


Hi,

Pcap is available for this one.

# --------------------
# Date: 2018-05-26
# Title: Win.Trojan.Ammyy RAT
# Tests: pcap
# Reference: https://app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df, https://www.virustotal.com/#/file/bab69fb29c167451608f0840ede9dfb4c3c52fa0da5f38089ac7f2afbd94d867/detection

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Ammyy RAT outbound connection"; flow:to_server,established; content:"&priv="; content:"&cred="; fast_pattern:only; content:"&pcname="; content:"&avname="; content:"&build_time="; metadata:ruleset community; reference:url,www.virustotal.com/#/file/bab69fb29c167451608f0840ede9dfb4c3c52fa0da5f38089ac7f2afbd94d867/detection; classtype:trojan-activity; sid:8000062; rev:1;)

Thanks.
YM