malwareforme/gist:816819b7a130304de0bfa6cb800ee868

## gistfile1.txt
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrifeWater RAT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|tid|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|apiData|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 3b 20|filename=|22|data|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; classtype:command-and-control; reference:url,www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; reference:md5,a70d6bbf2acb62e257c98cb0450f4fec; sid:1602; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Non-standard User-Agent (example/1.0)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|example/1.0"; nocase; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:1603; rev:1;)

02/01/2022-13:14:26.942404  [**] [1:1602:1] ET MALWARE StrifeWater RAT CnC Activity [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 10.127.1.186:49692 -> 87.120.8.210:80
02/01/2022-13:14:26.942404  [**] [1:1604:1] ET USER_AGENTS Observed Non-standard User-Agent (example/1.0) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.127.1.186:49692 -> 87.120.8.210:80

Article: https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations
Sample run: https://tria.ge/220201-yze4tsbcal/behavioral2
	alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrifeWater RAT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition\|3a 20\|form-data\|3b 20\|name=\|22\|token\|22\|"; content:"Content-Disposition\|3a 20\|form-data\|3b 20\|name=\|22\|tid\|22\|"; content:"Content-Disposition\|3a 20\|form-data\|3b 20\|name=\|22\|apiData\|22\|"; content:"Content-Disposition\|3a 20\|form-data\|3b 20\|name=\|22\|data\|22 3b 20\|filename=\|22\|data\|22 0d 0a\|Content-Type\|3a 20\|application/octet-stream\|0d 0a\|"; fast_pattern; http.header_names; content:!"Referer"; classtype:command-and-control; reference:url,www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; reference:md5,a70d6bbf2acb62e257c98cb0450f4fec; sid:1602; rev:1;)

	alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Non-standard User-Agent (example/1.0)"; flow:established,to_server; http.header; content:"User-Agent\|3a 20\|example/1.0"; nocase; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:1603; rev:1;)

	02/01/2022-13:14:26.942404 [] [1:1602:1] ET MALWARE StrifeWater RAT CnC Activity [] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 10.127.1.186:49692 -> 87.120.8.210:80
	02/01/2022-13:14:26.942404 [] [1:1604:1] ET USER_AGENTS Observed Non-standard User-Agent (example/1.0) [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.127.1.186:49692 -> 87.120.8.210:80

	Article: https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations
	Sample run: https://tria.ge/220201-yze4tsbcal/behavioral2