Versions (4)
Version DetailsCurrent
Rev: 1 • May 31, 2019, 12:00 PMET MALWARE Executable contained in DICOM Medical Image PACS DICOM Protocol Transfer
alert tcp any any -> $HOME_NET [104,2104,22104] (msg:"ET MALWARE Executable contained in DICOM Medical Image PACS DICOM Protocol Transfer"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027403; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
May 31, 2019, 12:00 PM
Jul 26, 2019, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 24, 2025, 8:37 PM
rules/emerging-malware.rules