ET MALWARE Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)

7.0.35.0SID: 2022830Rev: 5Enabled2 views
Sourceet/open
Fileemerging-malware.rules
CreatedMay 19, 2016
UpdatedMarch 25, 2024
Classificationtrojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b|)"; http.accept; bsize:3; content:"*/*"; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:5; metadata:created_at 2016_05_19, confidence Medium, signature_severity Major, updated_at 2024_03_25;)

References

md5
f29a3564b386e7899f45ed5155d16a96

Metadata

created at2016_05_19
confidenceMedium
signature severityMajor
updated at2024_03_25

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!