Rule History

SID: 2025019 • Source: et/open

Versions (4)

Version Details (Current)

Rev: 7 • Nov 22, 2017, 12:00 PM

ET MALWARE Possible NanoCore C2 60B

alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Possible NanoCore C2 60B"; flow:established,to_server; dsize:60; content:"|38 00 00 00|"; depth:5; pcre:"/^(?!.{0,56}\x00.{0,55}\x00.{0,54}\x00.{0,53}\x00)(?!.{0,54}\x00{2})(?!.{0,50}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,53}(?P=b1).{0,52}(?P=b1).{0,51}(?P=b1).{0,50}(?P=b1))(?!.(?P<b2>.).{0,52}(?P=b2).{0,51}(?P=b2).{0,50}(?P=b2).{0,49}(?P=b2))(?!..(?P<b3>.).{0,51}(?P=b3).{0,50}(?P=b3).{0,49}(?P=b3).{0,48}(?P=b3))(?!...(?P<b4>.).{0,50}(?P=b4).{0,49}(?P=b4).{0,48}(?P=b4).{0,47}(?P=b4))(?!....(?P<b5>.).{0,49}(?P=b5).{0,48}(?P=b5).{0,47}(?P=b5).{0,46}(?P=b5))(?!.....(?P<b6>.).{0,48}(?P=b6).{0,47}(?P=b6).{0,46}(?P=b6).{0,45}(?P=b6))(?!......(?P<b7>.).{0,47}(?P=b7).{0,46}(?P=b7).{0,45}(?P=b7).{0,44}(?P=b7))(?!.......(?P<b8>.).{0,46}(?P=b8).{0,45}(?P=b8).{0,44}(?P=b8).{0,43}(?P=b8))(?!........(?P<b9>.).{0,45}(?P=b9).{0,44}(?P=b9).{0,43}(?P=b9).{0,42}(?P=b9))(?!.........(?P<b10>.).{0,44}(?P=b10).{0,43}(?P=b10).{0,42}(?P=b10).{0,41}(?P=b10))/Rs"; classtype:command-and-control; sid:2025019; rev:7; metadata:attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, deprecation_reason False_Positive, malware_family NanoCore, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_10;)
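To see concretely what rev 7 fires on, the following is an added example (not code from the ET ruleset or from Suricata) that re-implements the rule's payload checks in Python: dsize:60, the 4-byte content anywhere within depth:5, and the relative, anchored pcre with its /s modifier mapped to re.DOTALL. Flow, port and direction constraints are assumed satisfied. The sample packets are constructed for the illustration, not captured NanoCore traffic.

```python
"""Offline re-implementation of the payload checks in ET SID 2025019 (rev 7).

Added illustration, not Emerging Threats' or Suricata's code.  It models only
the payload side of the rule (dsize, content/depth, relative pcre); the
flow:established,to_server and 1024:65535 port constraints are taken as met.
"""
import re
import struct

DSIZE = 60                     # dsize:60 -> TCP payload must be exactly 60 bytes
CONTENT = b"\x38\x00\x00\x00"  # content:"|38 00 00 00|" == struct.pack("<I", 56)
DEPTH = 5                      # depth:5 -> the content must end within the first 5 bytes

# The pcre body copied from the rule.  /s -> re.DOTALL; /R (relative to the end
# of the content match) is handled by slicing the payload before matching.
PCRE = re.compile(
    rb"^"
    rb"(?!.{0,56}\x00.{0,55}\x00.{0,54}\x00.{0,53}\x00)"   # no four NUL bytes anywhere
    rb"(?!.{0,54}\x00{2})"                                  # no two consecutive NULs
    rb"(?!.{0,50}[A-Za-z0-9]{5})"                           # no five alphanumerics in a row
    # each of the first ten bytes must not recur four more times (five occurrences)
    rb"(?!(?P<b1>.).{0,53}(?P=b1).{0,52}(?P=b1).{0,51}(?P=b1).{0,50}(?P=b1))"
    rb"(?!.(?P<b2>.).{0,52}(?P=b2).{0,51}(?P=b2).{0,50}(?P=b2).{0,49}(?P=b2))"
    rb"(?!..(?P<b3>.).{0,51}(?P=b3).{0,50}(?P=b3).{0,49}(?P=b3).{0,48}(?P=b3))"
    rb"(?!...(?P<b4>.).{0,50}(?P=b4).{0,49}(?P=b4).{0,48}(?P=b4).{0,47}(?P=b4))"
    rb"(?!....(?P<b5>.).{0,49}(?P=b5).{0,48}(?P=b5).{0,47}(?P=b5).{0,46}(?P=b5))"
    rb"(?!.....(?P<b6>.).{0,48}(?P=b6).{0,47}(?P=b6).{0,46}(?P=b6).{0,45}(?P=b6))"
    rb"(?!......(?P<b7>.).{0,47}(?P=b7).{0,46}(?P=b7).{0,45}(?P=b7).{0,44}(?P=b7))"
    rb"(?!.......(?P<b8>.).{0,46}(?P=b8).{0,45}(?P=b8).{0,44}(?P=b8).{0,43}(?P=b8))"
    rb"(?!........(?P<b9>.).{0,45}(?P=b9).{0,44}(?P=b9).{0,43}(?P=b9).{0,42}(?P=b9))"
    rb"(?!.........(?P<b10>.).{0,44}(?P=b10).{0,43}(?P=b10).{0,42}(?P=b10).{0,41}(?P=b10))",
    re.DOTALL,
)


def matches_sid_2025019(payload: bytes) -> bool:
    """True if the payload satisfies dsize, content/depth and the relative pcre."""
    if len(payload) != DSIZE:
        return False
    # depth:5 with a 4-byte content means the marker may start at offset 0 or 1.
    for offset in range(DEPTH - len(CONTENT) + 1):
        if payload[offset:offset + len(CONTENT)] != CONTENT:
            continue
        # /R anchors the pcre at the byte following the content match.
        if PCRE.match(payload[offset + len(CONTENT):]):
            return True
    return False


def _frame(body: bytes) -> bytes:
    """Prefix a body with its little-endian uint32 length (56 -> 38 00 00 00)."""
    return struct.pack("<I", len(body)) + body


# Constructed sample bodies (hypothetical, not captured traffic).
ENCRYPTED_LIKE = bytes(range(0x80, 0x80 + 56))        # 56 distinct high bytes: no NUL, no ASCII
PLAINTEXT = (b"plaintext keepalive message " * 3)[:56]  # printable text, fails the alnum test
DOUBLE_NUL = ENCRYPTED_LIKE[:20] + b"\x00\x00" + ENCRYPTED_LIKE[22:]
_rep = bytearray(ENCRYPTED_LIKE)
for _i in (10, 20, 30, 40):
    _rep[_i] = _rep[0]                                   # first byte recurs five times
REPEATED_LEAD_BYTE = bytes(_rep)

SAMPLES = {
    "encrypted_like_56": _frame(ENCRYPTED_LIKE),                 # alerts
    "plaintext_56": _frame(PLAINTEXT),                           # 5+ alnum -> no alert
    "double_nul_56": _frame(DOUBLE_NUL),                         # NUL NUL -> no alert
    "lead_byte_x5_56": _frame(REPEATED_LEAD_BYTE),               # repeated lead byte -> no alert
    "encrypted_like_57": _frame(ENCRYPTED_LIKE + b"\xc0"),       # 61-byte payload -> dsize fails
    "content_at_offset_1": b"\x00" + CONTENT + ENCRYPTED_LIKE[:55],  # marker at offset 1 still alerts
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule logic."""
    return {name: matches_sid_2025019(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:22s} alert={verdict}")
```

What the samples show is that the pcre is a crude "looks like ciphertext" test on the 56 bytes after the marker (no NUL runs, no five printable alphanumerics, none of the first ten bytes recurring five times). Any 60-byte message whose first four bytes happen to be 38 00 00 00 and whose remainder is encrypted or compressed, regardless of protocol, passes it, and the rule's ports are 1024:65535 on both sides; that is consistent with the deprecation_reason False_Positive and confidence Low recorded in the metadata. Note also that depth:5 on a 4-byte content lets the marker sit at offset 1, as the last sample demonstrates.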

Nov 22, 2017, 12:00 PM

Aug 10, 2023, 12:00 PM

Nov 22, 2017, 12:00 PM

Sep 29, 2025, 9:34 PM

rules/emerging-malware.rules