""ET TROJAN W32/Emotet CnC Checkin""
SID: 2035052
Revision: 9
Class Type: trojan-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_04, deployment Perimeter, performance_impact Moderate, signature_severity Major, updated_at 2019_01_17
Reference:
-
md5
-
d51ce75c66d1ac9f071b45b67fb8066c
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22]
Flow: established,to_server
Contents:
-
Value: "GET|20|/|20|HTTP/1.1|0d 0a|Cookie|3a 20|"
-
Value: "GET"
-
Value: "User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"
-
Value: !"Referer|3a|"
-
Value: !"Accept"
Within:
PCRE: "/^User-Agent\x3a\x20Mozilla\/4.0\x20(compatible\x3b\x20MSIE\x207.0\x3b\x20Windows\x20NT\x206.1\x3b\x20(?:WOW64\x3b\s)?Trident\/[457].0\x3b\s*SLCC2\x3b\s.NET\sCLR\s2.0.50727\x3b\s.NET\sCLR\s3.5.30729\x3b\s(?:\x20.NET\x20CLR\x203.5.30729\x3b\s)?.NET\sCLR\s3.0.30729\x3b\sMedia\sCenter\sPC\s6.0\x3b\s.NET4.0C\x3b\s.NET4.0E(?:.NET4.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath.3)?)\r\n/Hmi"
Special Options:
-
fast_pattern
-
http_method
-
http_header
-
http_header
-
http_header