""ET TROJAN SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name""

SID: 2014343

Revision: 2

Class Type: bad-unknown

Metadata: created_at 2012_03_09, updated_at 2012_03_09

Reference:

• md5

• 24e937b9f3fd6a04dde46a2bc75d4b18

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: 25

Flow: established,to_server

Contents:

• Value: "Subject|3A 20|"

• Value: "C|3A 5C|"

• Value: ".exe"

Within: 40

PCRE: "/Subject\x3A\x20[^\r\n]C\x3A\x5C[^\r\n]\x2Eexe/i"

Special Options:

• nocase

• fast_pattern

source