ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA
Sourceet/open
Fileemerging-malware.rules
CreatedMay 31, 2013
UpdatedApril 7, 2024
Classificationtrojan-activity
alert http1 $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server ; http.uri; content:"/ip.txt"; nocase; endswith; fast_pattern; http.header; content:!"%E5%A4%A7%E4%BC%97%E7%82%B9%E8%AF%84"; content:"|3a 20|no-cache|0d 0a|"; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; startswith; content:"|0d 0a 0d 0a|"; within:17; pcre:"/(?:Cache-Control|Pragma)\x0d\x0a\x0d\x0a$/" ; http.user_agent; content:!"Mozilla"; http.host; dotprefix; content:!".malwaredomainlist.com"; reference:md5,4d23395fcbab1dabef9afe6af81df558 ; classtype:trojan-activity; sid:2016950; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_31, deployment Perimeter, malware_family Hupigon, confidence Low, signature_severity Major, updated_at 2024_04_07, reviewed_at 2023_09_29; target:src_ip;)
References
| md5 | 4d23395fcbab1dabef9afe6af81df558 |
Metadata
affected productWindows_XP_Vista_7_8_10_Server_32_64_Bit
attack targetClient_Endpoint
created at2013_05_31
deploymentPerimeter
malware familyHupigon
confidenceLow
signature severityMajor
updated at2024_04_07
reviewed at2023_09_29
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!