ET MALWARE Win32/IcedID Requesting Encoded Binary M4
Rev: 11 • Apr 29, 2020, 12:00 PM
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M4"; flow:established,to_server; http.method; content:"GET"; http.header.raw; content:"Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__gads="; startswith; fast_pattern; http.cookie; content:"__gads="; startswith; content:"|3b 20|_gat="; content:"|3b 20|_ga="; content:"|3b 20|_u="; content:"|3b 20|__io="; content:"|3b 20|_gid="; pcre:"/^__gads=\d{9,10}:[01]:\d+:\d+(?::\d{2,4})?\x3b\s(?:_gat=(?:10|6)\.[0-3]\.\d{4,6}\.(?:32|64)(?:\x3b\s|$)|_ga=\d\.\d+\.\d+\.\d+(?:\x3b\s|$)|_u=(?:[0-9A-F]+\:){1,}[0-9A-F]+(?:\x3b\s|$)|__io=(?:\d{2}_\d{9,10}_\d{9,10}_\d{9,10}|[0-9])(?:\x3b\s|$)|_gid=[0-9A-F]{12}(?:\x3b\s|$)){5}/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; reference:url,sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html; classtype:command-and-control; sid:2030053; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, deployment SSLDecrypt, malware_family IcedID, performance_impact Moderate, confidence High, signature_severity Major, updated_at 2024_01_31;)
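As an added example that is not part of the ET rule set or of Suricata, the script below re-implements the rule's buffer checks in Python and runs them over constructed requests (every header value is made up, not a real capture, and example.invalid is a placeholder host). It shows what the rule actually pins down: the Cookie value's shape through the pcre, the literal presence of the five trailing cookies, and, through http.header_names with bsize:30, that the request carries exactly Connection, Cookie and Host in that order and nothing else. The flow:established,to_server condition is TCP state and is not modelled; decode_u only interprets the hex character class the pcre imposes on _u and makes no claim about what a real sample puts there.

```python
"""Offline re-implementation of the buffer checks in ET sid:2030053 (added example)."""
import re

# The pcre from the rule, verbatim; everything it uses is valid in Python's re as well.
COOKIE_RE = re.compile(
    r"^__gads=\d{9,10}:[01]:\d+:\d+(?::\d{2,4})?\x3b\s"
    r"(?:_gat=(?:10|6)\.[0-3]\.\d{4,6}\.(?:32|64)(?:\x3b\s|$)"
    r"|_ga=\d\.\d+\.\d+\.\d+(?:\x3b\s|$)"
    r"|_u=(?:[0-9A-F]+\:){1,}[0-9A-F]+(?:\x3b\s|$)"
    r"|__io=(?:\d{2}_\d{9,10}_\d{9,10}_\d{9,10}|[0-9])(?:\x3b\s|$)"
    r"|_gid=[0-9A-F]{12}(?:\x3b\s|$)){5}"
)

# The content: matches on http.cookie. Each must be present; content: alone does not fix their order.
COOKIE_CONTENTS = (b"; _gat=", b"; _ga=", b"; _u=", b"; __io=", b"; _gid=")

# Suricata builds http.header_names as CRLF, then each header name + CRLF, then a final CRLF.
# With bsize:30 the content match leaves room for exactly these three names in this order.
EXPECTED_HEADER_NAMES = b"\r\nConnection\r\nCookie\r\nHost\r\n\r\n"

# http.header.raw; content with startswith: the raw header block must begin like this.
RAW_HEADER_PREFIX = b"Connection: Keep-Alive\r\nCookie: __gads="


def split_request(raw: bytes):
    """Return (method, raw_header_block, [(name, value), ...]) for a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, raw_headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    headers = []
    for line in raw_headers.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers.append((name.strip(), value.strip()))
    return method, raw_headers, headers


def header_names_buffer(headers) -> bytes:
    """Rebuild the http.header_names sticky buffer from parsed headers."""
    return b"\r\n" + b"".join(name + b"\r\n" for name, _ in headers) + b"\r\n"


def cookie_matches(cookie: str) -> bool:
    """All http.cookie checks: startswith __gads=, the five literal contents, then the pcre."""
    raw = cookie.encode("ascii", "replace")
    if not raw.startswith(b"__gads="):
        return False
    if not all(c in raw for c in COOKIE_CONTENTS):
        return False
    return COOKIE_RE.match(cookie) is not None


def matches_icedid_m4(raw_request: bytes) -> bool:
    """Apply the rule's method, header.raw, header_names and cookie checks to one request."""
    method, raw_headers, headers = split_request(raw_request)
    if method != b"GET" or not raw_headers.startswith(RAW_HEADER_PREFIX):
        return False
    if header_names_buffer(headers) != EXPECTED_HEADER_NAMES:
        return False
    cookie = dict(headers).get(b"Cookie", b"")
    return cookie_matches(cookie.decode("ascii", "replace"))


def decode_u(cookie: str) -> str:
    """Decode the colon-separated uppercase-hex segments the pcre requires in _u."""
    m = re.search(r"(?:^|;\s)_u=([0-9A-F:]+)", cookie)
    if not m:
        return ""
    return ":".join(bytes.fromhex(seg).decode("latin-1") for seg in m.group(1).split(":"))


# Constructed request in the shape the rule describes; values are invented for illustration.
ICEDID_LIKE = (
    b"GET /image.png HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cookie: __gads=1696712345:1:3:19; _gat=10.0.18363.64; _ga=1.591594.1635208534.76; "
    b"_u=4445534B544F502D4B31:41646D696E; __io=21_3338010556_1125232100_2117107000; _gid=00FF5EAF1AC5\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)
# Constructed benign request with ordinary Google Analytics cookies: same names, wrong shape.
BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cookie: _ga=GA1.2.123456789.1600000000; _gid=GA1.2.987654321.1600000000; __gads=ID=abc:T=1600000000\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)
# Same cookie as ICEDID_LIKE but one extra header: bsize:30 on http.header_names no longer holds.
EXTRA_HEADER = ICEDID_LIKE.replace(b"Host: example.invalid\r\n", b"Host: example.invalid\r\nUser-Agent: x\r\n")

if __name__ == "__main__":
    for label, req in (("icedid-like", ICEDID_LIKE), ("benign", BENIGN), ("extra-header", EXTRA_HEADER)):
        print(f"{label}: {matches_icedid_m4(req)}")
    print("decoded _u:", decode_u(dict(split_request(ICEDID_LIKE)[2])[b"Cookie"].decode()))
```

The header_names check is the part most worth understanding before tuning this rule: any proxy or client that injects a User-Agent or Accept header silences it, while the cookie pcre on its own would still fire.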
Created: Apr 29, 2020, 12:00 PM
Updated: Jan 31, 2024, 12:00 PM
May 31, 2024, 9:00 PM
rules/emerging-malware.rules