Rule History

SID: 10014379 • Source: ptrules/open

Versions (3)

Version DetailsCurrent

Rev: 2 • Oct 9, 2025, 2:49 PM

Message:

BANKER [PTsecurity] Creduz Android Exfiltration

Rule:

alert http any any -> any any (msg:"BANKER [PTsecurity] Creduz Android Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/message"; startswith; endswith; http.header; content:"gzip"; content:"okhttp/"; content:!"Referer|3a|"; http.request_body; content:"name=|22|worker|22|"; depth:500; content:"name=|22|hashtag|22|"; distance:0; content:"name=|22|number|22|"; distance:0; content:"[SIM1|3a|"; distance:0; threshold:type limit, track by_dst, seconds 120, count 1; reference:url, tria.ge/250729-1z4tassqy6/behavioral3; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10014379; rev:2;)

Created:

Oct 9, 2025, 2:49 PM

Updated:

Nov 21, 2025, 12:35 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

Dec 4, 2025, 9:34 PM

Filename:

rules/ptopen-malware.rules