Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/nstealer CnC Exfiltration (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"filename|3d 22|NS|2d|"; pcre:"/^(?:[0-9]{11})\x2ezip\x22\x0d\x0a/R"; content:"|0d 0a 0d 0a 50 4b|"; content:"filename|3d 22|NS|2d|"; pcre:"/^(?:[0-9]{11})\x2ezip\x22\x0d\x0a/R"; content:"|2f|Autofills|2f 50 4b|"; fast_pattern; content:"|2f|InstalledSoftware|2e|txt"; reference:md5,7a2bcc01232927019008d880a4c71426; reference:url,community.emergingthreats.net/t/nstealer-v2/974; classtype:trojan-activity; sid:2048229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_09_25, deployment Perimeter, deployment SSLDecrypt, malware_family Nstealer, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_09_25, reviewed_at 2023_09_25;)