"ET INFO SUSPICIOUS SMTP EXE - RAR file with .com filename inside"

SID: 2017888

Revision: 2

Class Type: bad-unknown

Metadata: created_at 2013_12_20, updated_at 2013_12_20

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $SMTP_SERVERS

Destination Port: [25,587]

Flow: established

Contents:

  • Value: "|0D 0A 0D 0A|UmFyI"

Within:

PCRE: "/^[A-Za-z0-9\/+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"
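Worked example, added here and not part of the rule page or the Emerging Threats ruleset: it derives the base64 fragments the Contents and PCRE fields rely on ("UmFyI" is "Rar!" encoded; the three PCRE alternatives are ".com" at each of the three base64 alignments) and replays the two-stage match (content, then the /R relative PCRE) over a constructed MIME part. The sample file names, filler bytes and helper names are assumptions.

```python
import base64
import re

# Signature pieces transcribed from the rule: end of MIME headers followed by the
# base64 prefix of "Rar!", then a relative (/R) scan of the base64 body.
CONTENT = b"\r\n\r\nUmFyI"
COM_PCRE = re.compile(rb"^[A-Za-z0-9/+\r\n]+?(uY29t|5jb2|LmNvb)")


def invariant_base64(needle: bytes, offset: int) -> str:
    """Base64 characters of `needle` that do not depend on the surrounding bytes
    when the needle starts at byte position `offset` (mod 3) of the stream.
    Encodes with two different neighbours and keeps the longest agreeing run."""
    a = base64.b64encode(b"\x00" * offset + needle + b"\x00" * 2).decode()
    b = base64.b64encode(b"\xff" * offset + needle + b"\xff" * 2).decode()
    best = cur = ""
    for x, y in zip(a, b):
        cur = cur + x if x == y else ""
        best = cur if len(cur) > len(best) else best
    return best


def constructed_mime_part(filename: bytes, pad: int) -> bytes:
    """Constructed sample (assumption): a minimal MIME part carrying a fake RAR blob
    (RAR signature bytes, zero filler, a file name) base64-encoded with CRLF wrapping.
    `pad` shifts the file name so each of the three alignments can be exercised."""
    blob = b"Rar!\x1a\x07\x00" + b"\x00" * pad + filename + b"\x00" * 8
    body = base64.encodebytes(blob).replace(b"\n", b"\r\n")
    headers = b"Content-Type: application/octet-stream\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    return headers + body


def rule_matches(smtp_payload: bytes):
    """Apply the signature as Suricata/Snort would: the content must be found, and
    the PCRE is then anchored right after that match (the /R modifier).
    Returns the '.com' fragment that fired, or None when the rule stays silent."""
    pos = smtp_payload.find(CONTENT)
    if pos < 0:
        return None
    rest = smtp_payload[pos + len(CONTENT):]
    m = COM_PCRE.match(rest)
    return m.group(1).decode() if m else None


if __name__ == "__main__":
    print(invariant_base64(b"Rar!", 0), [invariant_base64(b".com", o) for o in range(3)])
    for pad in range(3):
        print(pad, rule_matches(constructed_mime_part(b"invoice.com", pad)))
    print("doc:", rule_matches(constructed_mime_part(b"invoice.doc", 0)))
```

Because the PCRE scans lazily through any base64 text (including CRLF line breaks), the alternative that fires depends only on where ".com" lands relative to a 3-byte group, which is why all three forms appear in the rule.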

Special Options:
