Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vector Stealer Sending System Information via Telegram (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bot"; startswith; http.host; content:"api.telegram.org"; bsize:16; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d|document|3b 20|filename|3d|"; content:"|2d|dump|2e|txt|0d 0a 0d 0a|Username|3a 20|"; distance:0; content:"|0d 0a|Machine Name|3a 20|"; distance:0; content:"|0d 0a|OS|3a 20|"; distance:0; content:"|0d 0a|Bits|3a 20|"; distance:0; content:"|20|Bit|0d 0a|Antivirus|28|s|29 20|active|3a 20|"; distance:2; within:27; fast_pattern; reference:md5,24f2bf961c5ebc9007ba75b6f029388b; reference:url,twitter.com/James_inthe_box/status/1633503622381322242; classtype:trojan-activity; sid:2044527; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_03_08, deployment Perimeter, deployment SSLDecrypt, malware_family VectorStealer, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_26, reviewed_at 2023_11_28; target:src_ip;)