ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (END)
Sourceet/open
Fileemerging-malware.rules
CreatedJune 7, 2023
UpdatedApril 27, 2024
Classificationtrojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (END)"; flow:established,to_server ; http.method; content:"POST"; http.request_header; header_lowercase; bsize:13; content:"x-config|3a 20|END"; http.request_header; header_lowercase; content:"x-session|3a 20|"; startswith; pcre:"/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R"; http.request_header; header_lowercase; content:"x-id|3a 20|"; startswith; pcre:"/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R"; http.header_names; to_lowercase; content:"x-session|0d 0a|x-info|0d 0a|x-config|0d 0a|x-id|0d 0a|"; fast_pattern; reference:md5,c28cc92a7c78b96bec58fa3e5398074a ; reference:url,app.any.run/tasks/5728c30e-00c1-4f87-9522-ff8b9e08fa32/ ; reference:url,community.emergingthreats.net/t/observerstealer/624 ; reference:url,twitter.com/Jane_0sint/status/1666019485583659008 ; classtype:trojan-activity; sid:2046154; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_06_07, deployment Perimeter, malware_family ObserverStealer, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_27;)
References
Metadata
affected productWindows_XP_Vista_7_8_10_Server_32_64_Bit
attack targetClient_Endpoint
created at2023_06_07
deploymentPerimeter
malware familyObserverStealer
confidenceHigh
signature severityCritical
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_04_27
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!