Rule History

alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/CrimsonRAT Activity (Outbound)"; flow:established,to_server; dsize:100<>150; content:"|00 00 00 00|"; offset:1; depth:4; content:"|79 32|"; distance:2; within:2; content:"|3d|"; distance:2; within:3; content:"|7c 7c|"; distance:0; content:"|3e|"; distance:1; within:1; content:"|7c 7c 43 3a 5c 55 73 65 72 73 5c|"; distance:12; within:11; fast_pattern; reference:md5,e55e497ceadd037254e847187b6996da; reference:url,twitter.com/RedDrip7/status/1622908094606094338; classtype:trojan-activity; sid:2044148; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_02_08, deployment Perimeter, malware_family CrimsonRAT, performance_impact Significant, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_02_08; target:src_ip;)