Rule History

SID: 2049153 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 1 • Aug 16, 2023, 12:00 PM

Message:

ET MALWARE Win32/TA402 CnC User-Agent

Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TA402 CnC User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|10|2e|0|3b 20|Win64|3b 20|x64|3b 20|rv|3a|"; startswith; content:"|29 20|Gecko|2f|"; distance:12; within:13; content:"Firefox|2f|3|2e|15"; endswith; fast_pattern; pcre:"/^Mozilla\x2f5\x2e0\x20\x28Windows\x20NT\x2010\x2e0\x3b\x20Win64\x3b\x20x64\x3b\x20rv\x3a\d{2,3}\x2e\d{1,3}\x2e\d{4}\x2e\d{2,3}\x29\x20Gecko\x2f\d{2,3}\x2e\d{1,3}\x2e\d{4}\x2e\d{2,3}\x20Firefox\x2f3\x2e15$/"; classtype:trojan-activity; sid:2049153; rev:1; metadata:attack_target Client_and_Server, created_at 2023_08_16, deployment Perimeter, deployment SSLDecrypt, malware_family Win32_TA402, performance_impact Low, confidence High, signature_severity Critical, tag TA402, updated_at 2023_11_13, reviewed_at 2023_08_16, former_sid 2855109; target:src_ip;)

Created:

Aug 16, 2023, 12:00 PM

Updated:

Nov 13, 2023, 12:00 PM

DB Created:

Nov 13, 2023, 10:00 PM

DB Updated:

Sep 13, 2024, 12:00 AM

Filename:

rules/emerging-malware.rules