ET MALWARE [ANY.RUN] BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M2
Sourceet/open
Fileemerging-malware.rules
CreatedJanuary 30, 2024
UpdatedJanuary 30, 2024
Classificationcommand-and-control
alert tcp any any -> any 443 (msg:"ET MALWARE [ANY.RUN] BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M2"; flow:established,to_server ; dsize:271<>337; stream_size:server, =, 1 ; stream_size:client, >, 272 ; stream_size:client, <, 337 ; content:"|17 03 03 01|"; depth:5; byte_test:1, >, 15, 0, relative ; byte_test:1, <, 49, 0, relative ; content:"|01|"; offset:5; depth:256; byte_test:1, =, 1, 15, relative ; byte_test:1, =, 1, 31, relative ; reference:url,community.emergingthreats.net/t/toneshell-rules/1328 ; reference:md5,7e8f8043fe50cb6ce19b41a6e979a02f ; reference:url,community.emergingthreats.net/t/toneshell-rules/1328 ; reference:url,app.any.run/tasks/6d271aa7-302c-4f3b-8cde-2fade4caa2f6 ; classtype:command-and-control; sid:2050598; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_01_30, deployment Perimeter, malware_family Toneshell, confidence Medium, signature_severity Major, tag TA416, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_30;)
References
Metadata
affected productWindows_XP_Vista_7_8_10_Server_32_64_Bit
attack targetClient_Endpoint
created at2024_01_30
deploymentPerimeter
malware familyToneshell
confidenceMedium
signature severityMajor
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_01_30
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!