Rule History

SID: 2044518 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 2 • Mar 8, 2023, 12:00 PM

Message:

ET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-07) M2

Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-07) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:<60; content:"/"; startswith; content:"/?1"; fast_pattern; within:50; pcre:"/\/\?1[0-9]{5}(?:&c=\d{1,2})?$/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.accept; bsize:3; content:"|2a 2f 2a|"; classtype:trojan-activity; sid:2044518; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_03_08, deployment Perimeter, confidence High, signature_severity Major, updated_at 2023_03_09; target:src_ip;)

Created:

Mar 8, 2023, 12:00 PM

Updated:

Mar 9, 2023, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-malware.rules