Versions (3)
Version DetailsCurrent
Rev: 6 • Jul 20, 2015, 12:00 PMET MALWARE KeyBase Keylogger Uploading Screenshots
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Uploading Screenshots"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/upload.php"; fast_pattern; http.request_body; content:"filename=|22|"; pcre:"/^[^\\\*\+\=\|\:\x3b\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:"|0d 0a|Expect|0d 0a|"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:6; metadata:created_at 2015_07_20, deprecation_reason Age, signature_severity Major, updated_at 2024_03_28, reviewed_at 2024_03_28;)
Jul 20, 2015, 12:00 PM
Mar 28, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-malware.rules