Whomever created these trojan connection attempts snort alert didn't include documentation.
(1:41033) MALWARE-CNC Win.Trojan.Proteus outbound connection
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proteus outbound connection"; flow:to_server,established; content:"/api/register"; fast_pattern:only; http_uri; content:"{|22|m|22|:|22 5C 5C|"; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d23b4a30f6b1f083ce86ef9d8ff434056865f6973f12cb075647d013906f51a2/analysis/; classtype:trojan-activity; sid:41033; rev:1; )
If I had to guess I think it's related to this link per the virustotal comments botnet Proteus or something similar which stated.
It appears to make callouts to an api for the C&C server. It appears to have keyloggers capabilities among other things.
The virus total link above shows several generic hits like Trojan.KeyLogger, TrojanDropper.Dapato, Win32.Trojan.WisdomEyes,Trojan.Dynamer, etc.
More about neonprimetime
Top Blogs of all-time
- pagerank botnet sql injection walk-thru
- DOM XSS 101 Walk-Through
- An Invoice email and a Hot mess of Java
Top Github Contributions
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment