Rule History

SID: 2017816 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 5 • Dec 6, 2013, 12:00 PM

Message:

ET MALWARE Possible Upatre Downloader SSL certificate

Rule:

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate"; flow:established,from_server; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; reference:url,blogs.technet.com/b/mmpc/archive/2013/10/31/upatre-emerging-up-d-at-er-in-the-wild.aspx; classtype:trojan-activity; sid:2017816; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, malware_family Upatre, confidence Medium, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_15;)

Created:

Dec 6, 2013, 12:00 PM

Updated:

Mar 15, 2022, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-malware.rules