🐾 - ⚠ Suspicious TLSv1 connection from 🪟 Windows 10 socket to public IP address - Seen in march 2023 on 👿 Emotet C2 dialog
Source: pawpatrules
Created: March 18, 2023
Updated: March 18, 2023
Classification: trojan-activity
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - ⚠ Suspicious TLSv1 connection from 🪟 Windows 10 socket to public IP address - Seen in march 2023 on 👿 Emotet C2 dialog"; flow:to_server, stateless; content:"|16 03 01 00 63 01 00 00 5f 03 01 64|"; content:"|c0 09 c0 14 c0 13 00 35 00 2f 00 0a 01 00 00 28 00 05 00 05 01 00 00 00 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 0b 00 02 01 00 00 23 00 00 00 17 00 00 ff 01 00 01 00|"; fast_pattern; distance:36; ja3.hash; content:"49ed2ef3f1321e5f044f1e71b0e6fdd5"; metadata:former_category JA3; reference:url,https://bazaar.abuse.ch/sample/a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968/; metadata:created_at 2023_03_18, updated_at 2023_03_18; sid:3300718; rev:2; classtype:trojan-activity;)
References
https://bazaar.abuse.ch/sample/a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968/

Metadata
former category: JA3