Versions (3)
Version DetailsCurrent
Rev: 1 • Mar 9, 2023, 12:00 PMET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-07) M3
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-07) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:<60; content:"/"; startswith; content:"/?2"; fast_pattern; within:50; pcre:"/\/\?2[0-9]{5}(?:&c=\d{1,2})?$/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.accept; bsize:3; content:"|2a 2f 2a|"; classtype:trojan-activity; sid:2044537; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_03_09, deployment Perimeter, malware_family Emotet, confidence High, signature_severity Major, updated_at 2023_03_09; target:src_ip;)
Mar 9, 2023, 12:00 PM
Mar 9, 2023, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 21, 2024, 3:00 AM
rules/emerging-malware.rules