Rule History

SID: 2048901 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 1 • Oct 25, 2023, 12:00 PM

Message:

ET MALWARE [ANY.RUN] zgRAT / PureLogs Stealer C2 Connection M2

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 62520 (msg:"ET MALWARE [ANY.RUN] zgRAT / PureLogs Stealer C2 Connection M2"; flow:established,to_server; stream_size:server,=,1; stream_size:client,=,5; dsize:4; content:"|40 00 00 00|"; fast_pattern; threshold:type limit, track by_src, seconds 360, count 1; reference:md5,2df2d284d6acb134a4af9418117c6149; reference:url,app.any.run/tasks/babf3e14-a0f6-4d13-ac88-d75af6775b60; reference:url,community.emergingthreats.net/t/purelogs-stealer/1059/; classtype:trojan-activity; sid:2048901; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2023_10_25, deployment Perimeter, malware_family zgRAT, malware_family PureLogs_Stealer, performance_impact Low, confidence High, signature_severity Major, tag Stealer, tag InfoStealer, updated_at 2023_12_28; target:src_ip;)

Created:

Oct 25, 2023, 12:00 PM

Updated:

Dec 28, 2023, 12:00 PM

DB Created:

Oct 25, 2023, 9:00 PM

DB Updated:

Aug 4, 2025, 11:35 PM

Filename:

rules/emerging-malware.rules