"ET TROJAN Possible Malicious Macro EXE DL AlphaNumL"
SID: 2022566
Revision: 6
Class Type: trojan-activity
Metadata: created_at 2016_02_26, updated_at 2021_08_20
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
- Value: ".exe"
Offset: 5
-
Value: "Accept|3a 20|/|0d 0a|"
Depth: 13
-
Value: "Accept-Encoding|3a 20|gzip, deflate|0d 0a|"
-
Value: "User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"
-
Value: !"Referer|3a|"
-
Value: !".bloomberg.com|0d 0a|"
-
Value: !"7-zip.org|0d 0a|"
-
Value: !"leg1.state.va.us"
-
Value: !"virginia.gov"
Within:
PCRE: "/\/(?=[0-9]?[a-z]?[a-z0-9)(?=[a-z0-9][0-9][a-z][0-9][a-z0-9]*.exe)(?!setup\d+.exe)[a-z0-9]{5,15}.exe/U"
Special Options:
-
fast_pattern
-
http_uri
-
http_header
-
http_header
-
http_header
-
http_header
-
http_header
-
http_header
-
nocase
-
http_header
-
nocase
-
http_header