{
	"id": "7bfa84a2-5e47-468a-aa28-bbaa2182fb04",
	"created_at": "2026-04-06T00:13:53.505528Z",
	"updated_at": "2026-04-10T03:21:36.270921Z",
	"deleted_at": null,
	"sha1_hash": "c4a0d1fb666f7577b51219c82df38cde7ac9c6e9",
	"title": "SIGS: W32/Badspace.Backdoor - Rule Signatures - Emerging Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50451,
	"plain_text": "SIGS: W32/Badspace.Backdoor - Rule Signatures - Emerging Threats\r\nPublished: 2024-05-13 · Archived: 2026-04-05 14:59:42 UTC\r\npost by kevross33 on May 13, 2024\r\nHi,\r\nHere is a backdoor I have given a temporary name based on the error in the user agent of extra space as all AV\r\nnames are generic. You can get the PCAP from\r\n6a195e6111c9a4b8c874d51937b53cd5b4b78efc32f7bb255012d05087586d8f | Triage. The POST body is\r\nobfuscated/encrypted as are the results of the base64 cookie value but the user agent is a good but very specific\r\nmatch given the error they have made (Mozilla / 4.0 ).\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"ET TROJAN W32/Badspace.Backdoor POST Request\"; flow:established,to_server; content:\"POST\"; http_method; urilen:1; content:\"/\"; http_uri; content:\"Cookie|3A| \"; http_header; content:\"User-Agent|3A| Mozilla / 4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B|.NET CLR 1.0.3705)\"; http_header; fast_pattern:12,20; content:\"Host|3A|\"; http_header; content:\".\"; http_header; within:4; content:\".\"; http_header; within:4; content:\".\"; http_header; within:4; content:!\"Referer|3A|\"; http_header; pcre:\"/Host\\x3A\\x20\\d{1,3}\\x2E\\d{1,3}\\x2E\\d{1,3}\\x2E\\d{1,3}/H\"; classtype:trojan-activity; reference:md5,c16bdc61bbc82e9668f8cee9cc5c94c5; sid:172111; rev:1;)\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"ET TROJAN W32/Badspace.Backdoor GET Request\"; flow:established,to_server; content:\"GET\"; http_method; urilen:1; content:\"/\"; http_uri; content:\"Cookie|3A| \"; http_header; content:\"User-Agent|3A| Mozilla / 4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B|.NET CLR 1.0.3705)\"; http_header; fast_pattern:12,20; content:\"Host|3A|\"; http_header; content:\".\"; http_header; within:4; content:\".\"; http_header; within:4; content:\".\"; http_header; within:4; pcre:\"/Host\\x3A\\x20\\d{1,3}\\x2E\\d{1,3}\\x2E\\d{1,3}\\x2E\\d{1,3}/H\"; classtype:trojan-activity; reference:md5,c16bdc61bbc82e9668f8cee9cc5c94c5; sid:172112; rev:1;)\r\npost by ishaughnessy on May 13, 2024\r\nHey @kevross33 -\r\nThanks for the awesome tip! We got these signatures in today’s release!!\r\n2052557 - ET MALWARE W32/Badspace.Backdoor CnC Activity (GET)\r\n2052558 - ET MALWARE W32/Badspace.Backdoor CnC Activity (POST)\r\nThanks,\r\nIsaac\r\npost by rgonzalez on May 14, 2024\r\nSource: https://community.emergingthreats.net/t/sigs-w32-badspace-backdoor/1630",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://community.emergingthreats.net/t/sigs-w32-badspace-backdoor/1630"
	],
	"report_names": [
		"1630"
	],
	"threat_actors": [],
	"ts_created_at": 1775434433,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4a0d1fb666f7577b51219c82df38cde7ac9c6e9.pdf",
		"text": "https://archive.orkl.eu/c4a0d1fb666f7577b51219c82df38cde7ac9c6e9.txt",
		"img": "https://archive.orkl.eu/c4a0d1fb666f7577b51219c82df38cde7ac9c6e9.jpg"
	}
}