{
	"id": "3d50d0bd-8c3f-4906-9328-0cc432441f94",
	"created_at": "2026-04-06T00:08:24.35747Z",
	"updated_at": "2026-04-10T03:34:22.535572Z",
	"deleted_at": null,
	"sha1_hash": "4e9c0663e2dcebc58b9f4277c7531a39078cbd92",
	"title": "How to stop MortiAgent Malware using the snort rule ?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37778,
	"plain_text": "How to stop MortiAgent Malware using the snort rule ?\r\nPublished: 2020-05-07 · Archived: 2026-04-05 20:42:41 UTC\r\nI want to stop the MortiAgent malware by applying/using a Snort rule \u0026 also using a YARA rule.\r\nHow do I configure this in Palo Alto?\r\nBelow are the Snort \u0026 YARA rules:\r\n1. The below Snort rule can be used to detect the MoriAgent beacon.\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"MoriAgent Beacon HTTP Request\"; content:\"/Index.php?i=\"; depth:200; content:\"\u0026t=\"; within:64; content:\"HTTP/1.1\"; within:64; content:\"Content-Type: application/json\"; within:32; content:\"Content-Length: 0\"; within:90; threshold:type limit,track by_src,count 1,seconds 120; sid:1000001; rev:1;)\r\n2. Below are YARA rules to detect POWERSTATS.\r\nYARA rule to detect the substitution table used in PowerShell code.\r\nrule SubstitutionTable_in_PowerShell {\r\n    meta:\r\n        description = \"Detect the substitution table used in PowerShell code (2019-2020)\"\r\n        hash = \"A18016AF1E9ACDA5963112EE8BEEB28B\"\r\n    strings:\r\n        $a1 = \"Replace('(','a'\"\r\n        $a2 = \"Replace(')','b'\"\r\n        $a3 = \"Replace('{','c'\"\r\n        $a4 = \"Replace('}','d'\"\r\n        $a5 = \"Replace('[','e'\"\r\n        $a6 = \"Replace(']','f'\"\r\n    condition:\r\n        $a1 and\r\n        $a2 in (@a1..@a1+200) and\r\n        $a3 in (@a1..@a1+200) and\r\n        $a4 in (@a1..@a1+200) and\r\n        $a5 in (@a1..@a1+200) and\r\n        $a6 in (@a1..@a1+200) and\r\n        filesize \u003c 100000\r\n}\r\nYARA rule to detect the PowerStats backdoor.\r\nrule POWERSTATS_JscriptLauncher {\r\n    meta:\r\n        description = \"POWERSTATS Jscript Launcher\"\r\n        hash = \"6C97A39A7FFC292BAF8BE1391FCE7DA0\"\r\n    strings:\r\n        $a1 = \"$s=(get-content\"\r\n        $a2 = \"Get('Win32_Process').Create(cm\"\r\n        $a3 = \"var cm=\"\r\n    condition:\r\n        all of them and filesize \u003c 600\r\n}\r\nYARA rule to detect de-obfuscated PowerStats.\r\nrule POWERSTATSLite {\r\n    meta:\r\n        hash = \"A18016AF1E9ACDA5963112EE8BEEB28B\"\r\n    strings:\r\n        $a1 = \"$global:key\"\r\n        $a2 = \"$global:time\"\r\n        $a3 = \"webreq = [System.Net.WebRequest]::Create($url)\"\r\n    condition:\r\n        all of them and filesize \u003c 3000\r\n}\r\nYARA rule to detect the MoriAgent implant.\r\nrule MoriAgent {\r\n    meta:\r\n        description = \"C++ MuddyWater implant\"\r\n        hash = \"12755B210EC1171045144480ACD05AA8\"\r\n    strings:\r\n        $f1 = \"|x7d873iqq\" ascii fullword\r\n        $f2 = \"ljyfiiwnskt\" ascii fullword\r\n        $f3 = \"htssjhy\" ascii fullword\r\n        $f4 = \"kwjjfiiwnskt\" ascii fullword\r\n        $f5 = \"hqtxjxthpjy\" ascii fullword\r\n        $f6 = \"\\\\XFXyfwyzu\" ascii fullword\r\n        $f7 = \"\\\\XFHqjfszu\" ascii fullword\r\n        $f8 = \"ZmilXzwkm{{Umuwz\" ascii fullword\r\n        $f9 = \"^qz|}itXzw|mk|\" ascii fullword\r\n        $f10 = \"_zq|mXzwkm{{Umuwz\" ascii fullword\r\n        $content = \"Content-Type: application/json\" ascii fullword\r\n    condition:\r\n        uint16(0) == 0x5A4D and filesize \u003c 2MB and $content and 5 of ($f*)\r\n}\r\nYARA rule to detect PowerStats implants.\r\nrule POWERSTATS_Implants {\r\n    meta:\r\n        description = \"Detects all POWERSTATS implants\"\r\n        hash = \"A18016AF1E9ACDA5963112EE8BEEB28B\"\r\n        hash = \"409558610BE62655FBA0B1F93F2D9596\"\r\n        hash = \"DD32B95F865374C31A1377E31FA79E87\"\r\n    strings:\r\n        $a1 = \"if ($resp -ne $null){\"\r\n        $a2 = \"out = $_.Exception.Message\"\r\n        $a3 = \"IEX $cmd -ErrorAction SilentlyContinue\"\r\n    condition:\r\n        all of them and filesize \u003c 50000\r\n}\r\nSource: https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#"
	],
	"report_names": [
		"326590#"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434104,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e9c0663e2dcebc58b9f4277c7531a39078cbd92.pdf",
		"text": "https://archive.orkl.eu/4e9c0663e2dcebc58b9f4277c7531a39078cbd92.txt",
		"img": "https://archive.orkl.eu/4e9c0663e2dcebc58b9f4277c7531a39078cbd92.jpg"
	}
}