"ET TROJAN Win32/RM3Loader Server Response"

SID: 2039130

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2022_10_07, deployment Perimeter, deployment SSLDecrypt, malware_family ursnif, signature_severity Major, updated_at 2022_10_07

Reference:

  • md5: aaef17d68339c7f2f19fb780ab90e156

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "200"

  • Value: "|0d 0a|Content-Disposition|3a 20|attachment|3b 20|filename=|22|frontend_front_"

  • Value: "frontendfront"

Within: 35

PCRE:

Special Options:

  • http_stat_code

  • http_header

  • http_header
