On Fri, Jun 29, 2018 at 8:44 PM, James Lay via Snort-sigs <snort-sigs@lists.snort.org> wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Remcos RAT Checkin 22"; flow:established,to_server; dsize:<500; content:"|57 40 cb 6d e6 5f 6d 51 4e e7 62|"; depth:11; fast_pattern; content:"|dd ec|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,3aa4743d13b7de4437e52a5fbda2e799; classtype:trojan-activity; sid:XXXXXXXXX; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_06_29, malware_family Remcos, performance_impact Low, updated_at 2018_06_29;)

265173fbff235330fd50e1d41fb6c2efc2ef523eeacc774ce618b247ee97b140 on HA

Hiya James,

Thanks for submitting this rule. We will review and test the rule and get back to you when it's finished.


Marcos Rodriguez
Cisco Talos