ET MALWARE MaskGramStealer CnC Checkin (GET)

SID: 2069169Rev: 11 views

Sourceet/open

CreatedMay 5, 2026

UpdatedMay 5, 2026

Classificationcommand-and-control

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MaskGramStealer CnC Checkin (GET)"; flow:established,to_server; flowbits:set,ET.MaskGramStealer; http.method; content:"GET"; http.uri; bsize:49; pcre:"/^\x2f(?:[a-z0-9]{32})\x2f(?:[a-z0-9]{15})$/"; http.user_agent; bsize:10; content:"Client/1.0"; http.header; content:"connection|3a 20|keep|2d|alive|0d 0a|user|2d|agent|3a 20|client|2f|1|2e|0|0d 0a|host|3a 20|"; nocase; fast_pattern; reference:md5,5bf89d8f8e9fb53d1e31ff475e987407; classtype:command-and-control; sid:2069169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_05_05, deployment Perimeter, deployment SSLDecrypt, malware_family MaskGramStealer, confidence High, signature_severity Critical, tag c2, updated_at 2026_05_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; target:src_ip;)

References

md5	5bf89d8f8e9fb53d1e31ff475e987407 Google Search Brave Search

Metadata

affected productWindows_XP_Vista_7_8_10_Server_32_64_Bit

attack targetClient_Endpoint

tls stateTLSDecrypt

created at2026_05_05

deploymentSSLDecrypt

malware familyMaskGramStealer

confidenceHigh

signature severityCritical

tagc2

updated at2026_05_05

mitre tactic idTA0011

mitre tactic nameCommand_And_Control

mitre technique idT1071

mitre technique nameApplication_Layer_Protocol

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!