Rule History

SID: 10013752 • Source: ptrules/open

Version Details

Rev: 1 • Jul 3, 2025, 12:04 AM

BACKDOOR [PTsecurity] Filsh

alert http any any -> any any (msg:"BACKDOOR [PTsecurity] Filsh"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/saveToXLS"; startswith; endswith; http.header; content:"User-Agent|3a| Go-http-client/"; content:"Content-Type|3a| application/json"; content:"Accept-Encoding|3a| gzip"; content:!"Referer"; http.request_body; content:"{|22|computer_name|22 3a 22|"; startswith; content:"|22|user"; distance:0; content:"|22|ip"; content:"|22|mac"; content:"|22|current_time|22 3a|"; content:"|22|cpu"; content:"|22|screenshot_desktop|22 3a|"; fast_pattern; reference:url, www.virustotal.com/gui/file/68b594364c49de20f54d4e94c45c31d26646fdfef924c2c1d7eb7f8c6e0f9ec9/detection; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10013752; rev:1;)

Jul 3, 2025, 12:04 AM

Jul 14, 2025, 6:34 AM

Oct 7, 2025, 3:37 PM

rules/ptopen-malware.rules