ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Check-in)

SID: 2046152Rev: 24 viewsHistory

Sourceet/open

CreatedJune 7, 2023

UpdatedMarch 4, 2024

Classificationtrojan-activity

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Check-in)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Config|3a 20|HWID|0d 0a|"; content:"X-Session|3a 20|"; pcre:"/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R"; content:"X-ID|3a 20|"; pcre:"/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R"; http.header_names; content:"X-Session|0d 0a|X-Info|0d 0a|X-Config|0d 0a|X-ID"; fast_pattern; reference:md5,c28cc92a7c78b96bec58fa3e5398074a; reference:url,app.any.run/tasks/5728c30e-00c1-4f87-9522-ff8b9e08fa32/; reference:url,twitter.com/Jane_0sint/status/1666019485583659008; reference:url,community.emergingthreats.net/t/observerstealer/624; classtype:trojan-activity; sid:2046152; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_06_07, deployment Perimeter, deprecation_reason Duplicate, malware_family ObserverStealer, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_04;)

References

md5	c28cc92a7c78b96bec58fa3e5398074a Google Search Brave Search
url	app.any.run/tasks/5728c30e-00c1-4f87-9522-ff8b9e08fa32/
url	twitter.com/Jane_0sint/status/1666019485583659008
url	community.emergingthreats.net/t/observerstealer/624

Metadata

affected productWindows_XP_Vista_7_8_10_Server_32_64_Bit

attack targetClient_Endpoint

created at2023_06_07

deploymentPerimeter

deprecation reasonDuplicate

malware familyObserverStealer

confidenceHigh

signature severityCritical

tagDescription_Generated_By_Proofpoint_Nexus

updated at2024_03_04

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!