Rule History

SID: 2044309 • Source: et/open

Versions (3)

Version Details (Current)

Rev: 2 (Feb 23, 2023, 12:00 PM)

ET MALWARE WhiteSnake Stealer Sending Data to Telegram (POST)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhiteSnake Stealer Sending Data to Telegram (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bot"; startswith; content:"/sendDocument?chat_id="; distance:0; content:"&caption="; distance:0; http.host; content:"api.telegram.org"; bsize:16; http.request_body; content:"name=|22|document|22 3b|"; content:"_report.wsr|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|WSR"; distance:0; fast_pattern; reference:url,twitter.com/suyog41/status/1628373761807511553; reference:md5,716d01d18140ec5e18b1a15c17fb213f; classtype:trojan-activity; sid:2044309; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_02_23, deployment Perimeter, deployment SSLDecrypt, malware_family Gurcu, malware_family WhiteSnake, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_26, reviewed_at 2023_11_28; target:src_ip;)

Feb 23, 2023, 12:00 PM

May 26, 2023, 12:00 PM

Feb 23, 2023, 11:00 PM

Aug 25, 2025, 9:35 PM

rules/emerging-malware.rules