security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #4125 from X-Junior/new_malware_ua

Browse Source 
feat : new malware UA
This commit is contained in:
phantinuss
2023-03-21 08:59:53 +01:00
committed by GitHub
parent a035aa0385 eb5d96f270
commit 664d4b7b3e
1 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/web/proxy_generic/proxy_ua_malware.yml
+17 -1
View File
@@ -11,7 +11,7 @@ references:
- https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
author: Florian Roth (Nextron Systems)
date: 2017/07/08
modified: 2023/01/22
modified: 2023/03/20
tags:
- attack.command_and_control
- attack.t1071.001
@@ -92,6 +92,22 @@ detection:
- 'qwrqrwrqwrqwr' # Racoon Stealer
- 'rc2.0/client' # Racoon Stealer
- 'TakeMyPainBack' # Racoon Stealer
- 'xxx' # Racoon Stealer
- '20112211' # Racoon Stealer
- '23591' # Racoon Stealer
- '901785252112' # Racoon Stealer
- '1235125521512' # Racoon Stealer
- '125122112551' # Racoon Stealer
- 'B1D3N_RIM_MY_ASS' # Racoon Stealer
- 'Ares_ldr_v_*' # AresLoader
# - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
- 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
- 'CLCTR' # https://github.com/silence-is-best/c2db
- 'uploader' # https://github.com/silence-is-best/c2db
- 'agent' # https://github.com/silence-is-best/c2db
- 'License' # https://github.com/silence-is-best/c2db
- 'vb wininet' # https://github.com/silence-is-best/c2db
- 'Client' # https://github.com/silence-is-best/c2db
condition: selection
fields:
- ClientIP