Rule History

SID: 2046662 • Source: et/open

Versions (8)

Version DetailsCurrent

Rev: 1 • Jun 26, 2023, 12:00 PM

Message:

ET MALWARE [ANY.RUN] Possible Gh0stRat Checkin

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [ANY.RUN] Possible Gh0stRat Checkin"; flow:established,to_client; dsize:24; content:"|78 9c 03 00 00 00 00 01|"; offset:16; depth:8; fast_pattern; flowbits:isnotset,srvrespghostbins; reference:url,any.run/cybersecurity-blog/gh0stbins-chinese-rat-malware-analysis/; classtype:trojan-activity; sid:2046662; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_26, deployment Perimeter, malware_family Gh0stRat, performance_impact Low, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_26, reviewed_at 2024_12_11;)

Created:

Jun 26, 2023, 12:00 PM

Updated:

Jun 26, 2023, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Aug 21, 2025, 9:36 PM

Filename:

rules/emerging-malware.rules