Gomorrah C2 Panel 9bead31e

Detects the Gomorrah stealer C2 panel page.

For some reason this stealer decides to explicitly state that the page is for the Gomorrah stealer panel

References

https://tracker.viriback.com
https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer
https://urlscan.io/result/9bead31e-e965-44cb-bdfa-284e75476f25

IOK Rule (edit)

title: Gomorrah C2 Panel 9bead31e
description: | 
  Detects the `Gomorrah` stealer C2 panel page. 

  For some reason this stealer decides to explicitly
  state that the page is for the Gomorrah stealer panel

references: 
  - https://tracker.viriback.com
  - https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer
  - https://urlscan.io/result/9bead31e-e965-44cb-bdfa-284e75476f25

detection: 

  loginPageTitle:
    html|contains: 'Gomorrah v5.0 Stealer'
    
  backgroundImagePath:
    css|contains: '../img/img/bg/login.jpg'
   
  condition: loginPageTitle and backgroundImagePath


tags: 
  - malware.gomorrah
  - malware