"ET INFO SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound)"

SID: 2017884

Revision: 5

Class Type: bad-unknown

Metadata: created_at 2013_12_20, updated_at 2013_12_20

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $SMTP_SERVERS

Destination Port: [25,587]

Flow: established,to_server

Contents:

  • Value: "|0D 0A 0D 0A|UEsDB"

Within:

PCRE: "/^[A-Za-z0-9\/+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"

Special Options:
