Versions (4)
Version DetailsCurrent
Rev: 2 • Sep 20, 2018, 12:00 PMET MALWARE HTML/Xbash Hex Encoded PS WebClient Object Inbound - Stage 1
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded PS WebClient Object Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x73|5c|x79|5c|x73|5c|x74|5c|x65|5c|x6D|5c|x2E|5c|x6E|5c|x65|5c|x74|5c|x2E|5c|x77|5c|x65|5c|x62|5c|x63|5c|x6C|5c|x69|5c|x65|5c|x6E|5c|x74|5c|x29|5c|x2E|5c|x64|5c|x6F|5c|x77|5c|x6E|5c|x6C|5c|x6F|5c|x61|5c|x64|5c|x66|5c|x69|5c|x6C|5c|x65|5c|x28"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, malware_family Xbash, performance_impact Low, confidence High, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_25;)
Sep 20, 2018, 12:00 PM
Aug 25, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 26, 2025, 9:34 PM
rules/emerging-malware.rules