Versions (3)
Version DetailsCurrent
Rev: 1 • May 10, 2023, 12:00 PMET MALWARE Globe Imposter Ransomware Activity (GET)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Globe Imposter Ransomware Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tOldHSYW|3f 3f|"; startswith; fast_pattern; content:"="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; bsize:50; http.header_names; content:!"Referer|0d 0a|"; reference:md5,08689da62546801384be10acd8111c04; reference:md5,3c701aa97f42c4861ea2c371d6f7e32f; reference:url,www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/; classtype:trojan-activity; sid:2045630; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_05_10, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_10; target:src_ip;)
May 10, 2023, 12:00 PM
May 10, 2023, 12:00 PM
May 10, 2023, 9:00 PM
Aug 22, 2025, 9:34 PM
rules/emerging-malware.rules