""ET TROJAN Ursnif Payload Downloader Inbound""
SID: 2048485
Revision: 1
Class Type: trojan-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_10_06, deployment Perimeter, confidence High, signature_severity Critical, updated_at 2023_10_06
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "|24|path|20 3d 20 24|Env|3a|temp|2b 27|" Depth: 19
-
Value: "|27 3b 20 24|client|20 3d 20|New|2d|Object|20|System|2e|Net|2e|WebClient|3b|"
-
Value: "|27 2c 24|path|29 3b 20|Start|2d|Process|20 2d|FilePath|20 24|path"
Within:
PCRE:
Special Options:
-
file_data
-
fast_pattern