""ET TROJAN Possible Malicious Macro DL EXE Feb 2016""
SID: 2022550
Revision: 16
Class Type: trojan-activity
Metadata: affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_02_19, deployment Perimeter, malware_family MalDocGeneric, performance_impact Moderate, signature_severity Major, tag MalDoc, updated_at 2024_05_01
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "GET"
-
Value: ".exe"
-
Value: "Accept|3a 20|/|0d 0a|" Depth: 13
-
Value: "Accept-Encoding|3a 20|gzip, deflate|0d 0a|"
-
Value: "User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"
-
Value: !"Referer|3a|"
-
Value: !"Cookie|3a|"
-
Value: !".bloomberg.com|0d 0a|"
-
Value: !".bitdefender.com|0d 0a|"
-
Value: !".microsoft.com|0d 0a|"
-
Value: !"7zip.org|0d 0a|"
Within:
PCRE: "/(?:\/(?:(?:p(?:lugins\/content\/vote\/.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z])|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]|gau\/.?|alam|ucks|can|ke)|(?=[a-z][0-9])(?=[0-9][a-z])(?!setup\d+.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f])|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/.[^\x2f]+|.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+).exe$|(?:(?=[a-z0-9]?[3456789][a-z0-9]?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword).exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem).exe$)/Ui"
Special Options:
-
http_method
-
http_uri
-
nocase
-
http_header
-
http_header
-
http_header
-
http_header
-
http_header
-
nocase
-
http_header
-
http_header
-
http_header