Rule History

SID: 10012100 • Source: ptrules/open

Versions (3)

Rev: 2

Mar 2, 2026, 1:34 PM

Current

Rev: 2

Oct 16, 2025, 10:34 AM

Version Details

Rev: 1 • Nov 28, 2024, 12:14 PM

Message:

STEALER [PTsecurity] WorldWind exfiltration

Rule:

alert tcp any any -> any any (msg:"STEALER [PTsecurity] WorldWind exfiltration"; flow:established, to_server; stream_size:server, =, 1; content:!"|00 00|"; depth:2; content:"|00 00|"; offset:2; depth:2; content:"{|22|id|22 3a|"; within:8; content:"|22|filename|22 3a|"; within:16; content:".txt"; within:24; content:"|22|content|22 3a|"; within:16; content:!"|20|"; distance:1; content:!","; distance:0; content:!"."; distance:0; content:!"|00|"; distance:0; reference:url, https://www.virustotal.com/gui/file/84d52de2b69e14f26259da07297e02eb2c4ac32045a690f65a267fe931da0433/detection; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10012100; rev:1;)

Created:

Nov 28, 2024, 12:14 PM

Updated:

Nov 28, 2024, 12:14 PM

DB Created:

Dec 3, 2024, 4:43 PM

DB Updated:

Dec 3, 2024, 4:43 PM

Archived:

Jun 6, 2025, 2:34 PM

Filename:

rules/ptopen-malware.rules