[Snort-users] Babylon RAT sig

James Lay jlay at slave-tothe-box.net
Sat Jun 30 06:38:28 EDT 2018


Blargh:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Babylon RAT Checkin 1"; flow:established,to_server; dsize:<4; content:"|ba ff af ff|"; fast_pattern; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,8307b99011d009a34c9eebbfcdc3d01c; classtype:trojan-activity; sid:XXXXXXX; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_06_30, malware_family Remcos, performance_impact Low, updated_at 2018_06_30;)


Attachments (scrubbed by the list archive):
  Screenshot from 2018-06-30 04-37-55.png (image/png, 120699 bytes): <https://lists.snort.org/pipermail/snort-users/attachments/20180630/4a917631/attachment.png>
  Screenshot from 2018-06-30 04-36-10.png (image/png, 62061 bytes): <https://lists.snort.org/pipermail/snort-users/attachments/20180630/4a917631/attachment-0001.png>
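A worked check of the rule's payload options, added here as an illustration; it is not Snort code, not part of the posted message and not the ETPRO rule author's tooling. Read literally, the rule needs two things of the same TCP segment: `dsize:<4` requires a payload shorter than 4 bytes, and `content:"|ba ff af ff|"` requires 4 bytes to be present in it, so no segment can satisfy both. The script below implements just enough of Snort's `dsize` and `content` semantics (flow state, thresholding and metadata are ignored) to evaluate the rule against a constructed 4-byte check-in payload, and shows the same rule firing once `dsize:<4` is changed to `dsize:4`. Function names, the `RULE_OPTIONS` string and the sample payload are assumptions made for this example.

```python
"""Evaluate the dsize/content part of a Snort rule against a payload.

Added example, not Snort itself and not the posted rule author's code.
Only the subset of Snort option syntax used by the rule above is handled:
  dsize:N | dsize:<N | dsize:>N      (no min<>max range form)
  content:"..." with |hex| segments  (no modifiers such as offset/depth)
"""
import re

# Option string taken from the posted rule (sid and metadata omitted here).
RULE_OPTIONS = (
    'msg:"ETPRO TROJAN Babylon RAT Checkin 1"; flow:established,to_server; '
    'dsize:<4; content:"|ba ff af ff|"; fast_pattern;'
)

# Constructed sample: a 4-byte TCP payload equal to the rule's content bytes.
CHECKIN_PAYLOAD = b"\xba\xff\xaf\xff"


def decode_content(text: str) -> bytes:
    """Decode Snort content syntax: literal text, with |hex bytes| segments."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2 == 1:  # odd segments are inside |...|: space-separated hex
            out.extend(bytes.fromhex(part.replace(" ", "")))
        else:           # even segments are literal characters
            out.extend(part.encode("latin-1"))
    return bytes(out)


def parse_options(options: str) -> dict:
    """Extract the dsize spec and content bytes from a rule option string."""
    opts = {}
    m = re.search(r"dsize:\s*([<>]?)\s*(\d+)\s*;", options)
    if m:
        opts["dsize"] = (m.group(1), int(m.group(2)))  # ('<', 4) for this rule
    m = re.search(r'content:\s*"([^"]*)"\s*;', options)
    if m:
        opts["content"] = decode_content(m.group(1))
    return opts


def dsize_ok(spec, payload_len: int) -> bool:
    """Apply a parsed dsize spec to a payload length, as Snort does."""
    op, n = spec
    if op == "<":
        return payload_len < n
    if op == ">":
        return payload_len > n
    return payload_len == n


def rule_matches(options: str, payload: bytes) -> bool:
    """True when the payload satisfies every dsize/content option present."""
    opts = parse_options(options)
    if "dsize" in opts and not dsize_ok(opts["dsize"], len(payload)):
        return False
    if "content" in opts and opts["content"] not in payload:
        return False
    return True


def dsize_content_conflict(options: str) -> bool:
    """True when the dsize upper bound is too small to ever hold the content.

    Any payload that passes dsize must still contain len(content) bytes, so
    'dsize:<N' with len(content) >= N, or 'dsize:N' with len(content) > N,
    means the rule can never fire.
    """
    opts = parse_options(options)
    if "dsize" not in opts or "content" not in opts:
        return False
    op, n = opts["dsize"]
    need = len(opts["content"])
    if op == "<":
        return need >= n
    if op == "":
        return need > n
    return False  # '>' has no upper bound, so no conflict


if __name__ == "__main__":
    print("as posted  :", rule_matches(RULE_OPTIONS, CHECKIN_PAYLOAD))
    print("conflict   :", dsize_content_conflict(RULE_OPTIONS))
    fixed = RULE_OPTIONS.replace("dsize:<4", "dsize:4")
    print("with dsize:4:", rule_matches(fixed, CHECKIN_PAYLOAD))
```

Running it prints False, True, True: the rule as posted cannot match the 4-byte check-in, and `dsize:4` (exactly four bytes, which is what a 4-byte `fast_pattern` content implies) is the variant that does. The same `dsize_content_conflict` check is worth running over any rule set before deployment, since a rule that can never fire gives a false sense of coverage while still costing a fast-pattern slot.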

