Versions (2)
Version Details (Current)
Rev: 1 • Jul 2, 2024, 12:00 PM
ET MALWARE TA427 Outlook Stealer Loader
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA427 Outlook Stealer Loader"; flow:established,to_client; http.response_body; content:"CreateObject|28 22|Scripting|2e|FileSystemObject|22 29|"; content:"CreateObject|28 22|WScript|2e|Shell|22 29|"; content:"Function|20|Stream|5f|BinaryToString|28|Binary|29|"; content:"Const|20|adTypeText|20 3d 20|2"; content:"Set|20|BinaryStream|20 3d 20|CreateObject|28 22|ADODB|2e|Stream|22 29|"; fast_pattern; content:"|27|Specify|20|stream|20|type|20 2d 20|we|20|want|20|To|20|save|20|binary|20|data|2e|"; content:"CreateObject|28 22|Msxml2|2e|DOMDocument|2e|3|2e|0|22 29|"; content:"SpecialFolders|28 22|appdata|22 29|"; content:"BinaryStream|2e|CharSet|20 3d 20 22|Windows|2d|1252|22|"; reference:url,twitter.com/asdasd13asbz/status/1808047304714473623; classtype:trojan-activity; sid:2054223; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_07_02, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_02;)
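The rule above is a sequence of Suricata `content:` matches against the HTTP response body, with the `|..|` sections holding hex-escaped bytes (parentheses, quotes, spaces). Reading them decoded makes it clear what script text the signature keys on, and since none of the matches carry `distance`/`within` modifiers, the rule fires only when every decoded string is present somewhere in the body (the `fast_pattern` keyword just selects which string the multi-pattern matcher pre-filters on). The following Python is an added example, not part of the ET rule set or the rule page: it decodes the content strings copied from sid 2054223 and evaluates them against a constructed response body. The sample bodies, and the helper names `decode_content`, `missing_contents` and `matches_rule`, are assumptions made here for illustration.

```python
# Added example: decode Suricata content: strings from ET sid 2054223 and
# check a response body the way the rule does (all-present, case-sensitive,
# no positional constraints). Not part of the ET rule set or Suricata itself.

# content: values copied verbatim from the rule on this page (sid:2054223).
RULE_CONTENTS = [
    'CreateObject|28 22|Scripting|2e|FileSystemObject|22 29|',
    'CreateObject|28 22|WScript|2e|Shell|22 29|',
    'Function|20|Stream|5f|BinaryToString|28|Binary|29|',
    'Const|20|adTypeText|20 3d 20|2',
    'Set|20|BinaryStream|20 3d 20|CreateObject|28 22|ADODB|2e|Stream|22 29|',
    '|27|Specify|20|stream|20|type|20 2d 20|we|20|want|20|To|20|save|20|binary|20|data|2e|',
    'CreateObject|28 22|Msxml2|2e|DOMDocument|2e|3|2e|0|22 29|',
    'SpecialFolders|28 22|appdata|22 29|',
    'BinaryStream|2e|CharSet|20 3d 20 22|Windows|2d|1252|22|',
]


def decode_content(spec: str) -> bytes:
    """Decode one Suricata content: string into raw bytes.

    Text outside |...| is literal; text inside is space-separated hex bytes.
    Splitting on '|' yields literal segments at even indexes and hex groups
    at odd indexes (a leading '|' just produces an empty first literal).
    """
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        if i % 2 == 0:
            out += part.encode('latin-1')
        else:
            out += bytes.fromhex(part)
    return bytes(out)


def decoded_contents() -> list[bytes]:
    """All of the rule's content: matches as plain bytes."""
    return [decode_content(spec) for spec in RULE_CONTENTS]


def missing_contents(body: bytes) -> list[bytes]:
    """Return the decoded content strings NOT found in the body.

    The rule has no nocase modifier, so matching is byte-exact, and no
    distance/within modifiers, so order and position are irrelevant.
    """
    return [needle for needle in decoded_contents() if needle not in body]


def matches_rule(body: bytes) -> bool:
    """True when every content: match is present, i.e. the rule would alert."""
    return not missing_contents(body)


# Constructed sample bodies (not real captured traffic).
# SAMPLE_HIT simply contains every decoded match string, one per line,
# which is sufficient for the rule's content checks to all succeed.
SAMPLE_HIT = b"\r\n".join(decoded_contents()) + b"\r\n"

# A benign script that uses only one of the nine strings must not fire.
SAMPLE_BENIGN = (
    b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    b'fso.CreateTextFile "notes.txt"\r\n'
)


if __name__ == "__main__":
    for needle in decoded_contents():
        print(needle.decode('latin-1'))
    print("hit body matches:", matches_rule(SAMPLE_HIT))
    print("benign body matches:", matches_rule(SAMPLE_BENIGN),
          "- missing", len(missing_contents(SAMPLE_BENIGN)), "of 9")
```

Because every match is a plain literal with no positional constraint, the check collapses to a set-membership test; when tuning or writing a similar rule, that is also why a single distinctive string (here the ADODB.Stream `CreateObject` call marked `fast_pattern`) is chosen to drive the pre-filter, while the remaining strings exist to keep the false-positive rate down on ordinary VBScript.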
Jul 2, 2024, 12:00 PM
Jul 2, 2024, 12:00 PM
Jul 2, 2024, 10:01 PM
Aug 11, 2025, 10:35 PM
rules/emerging-malware.rules