Versions (4)
Version DetailsCurrent
Rev: 2 • Sep 20, 2018, 12:00 PMET MALWARE HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x57|5c|x53|5c|x63|5c|x72|5c|x69|5c|x70|5c|x74|5c|x2E|5c|x53|5c|x68|5c|x65|5c|x6C|5c|x6C"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026332; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, malware_family Xbash, performance_impact Low, confidence High, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_25;)
Sep 20, 2018, 12:00 PM
Aug 25, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 26, 2025, 9:34 PM
rules/emerging-malware.rules