Re: base64 encoded sextorsion

2020-04-22 Thread John Hardin
On Wed, 22 Apr 2020, Giovanni Bechis wrote: On 4/22/20 5:43 PM, Henrik K wrote: I've updated replace_tags with these 4-byte UTF-8 characters, whatever they are, will look more in depth later.. you have been faster, I have the same diff on my tree and I was going to commit it :-) The

Re: base64 encoded sextorsion

2020-04-22 Thread RW
On Wed, 22 Apr 2020 16:11:48 +0200 Brent Clark wrote: > Good day Guys > > I would like to ask if someone could help write a rule for the > following base64 encoded sextorsion. The obfuscation is the use of Unicode mathematical sans-serif characters rather than the encoding, which is

Re: base64 encoded sextorsion

2020-04-22 Thread Giovanni Bechis
On 4/22/20 5:43 PM, Henrik K wrote: > > I've updated replace_tags with these 4-byte UTF-8 characters, whatever they > are, will look more in depth later.. > you have been faster, I have the same diff on my tree and I was going to commit it :-) Giovanni > For example replace_tag A

Re: base64 encoded sextorsion

2020-04-22 Thread Henrik K
I've updated replace_tags with these 4-byte UTF-8 characters, whatever they are, will look more in depth later.. For example replace_tag A [\xf0][\x9d][\x97][\xae] Now your example hits at least these rules 3.6 FUZZY_BITCOIN BODY: Obfuscated "Bitcoin" 1.0 BITCOIN_EXTORT_02

Re: base64 encoded sextorsion

2020-04-22 Thread Brent Clark
I want to add, I tried this as well, and it *did* match. But it feels clunky. https://pastebin.com/raw/7FaqnByB Regards Brent On 2020/04/22 16:14, Brent Clark wrote: Sorry in that example I copied body. I tried rawbody and body. Regards Brent On 2020/04/22 16:11, Brent Clark wrote: Good

Re: base64 encoded sextorsion

2020-04-22 Thread Brent Clark
Sorry in that example I copied body. I tried rawbody and body. Regards Brent On 2020/04/22 16:11, Brent Clark wrote: Good day Guys I would like to ask if someone could help write a rule for the following base64 encoded sextorsion. https://pastebin.com/raw/MWYmfkuh I tried using rawbody.

base64 encoded sextorsion

2020-04-22 Thread Brent Clark
Good day Guys I would like to ask if someone could help write a rule for the following base64 encoded sextorsion. https://pastebin.com/raw/MWYmfkuh I tried using rawbody. But it was proving to not work and be the right solution. Below is me testing. i.e. body BASESEX