Rule History

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CrimsonRAT Host Details Exfil"; flow:established,to_server; content:"|12 00 00 00 00|"; startswith; content:"|7c 7c 20 7c 7c|C|3a 5c|Users"; fast_pattern; reference:md5,da2331ac3e073164d54bcc5323cf0250; reference:url,twitter.com/0xrb/status/1795362130281324685; classtype:trojan-activity; sid:2052908; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_05_28, deployment Perimeter, malware_family CrimsonRAT, confidence High, signature_severity Critical, updated_at 2024_05_28;)