ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing

SID: 2012816Rev: 80 views
History
Sourceet/open
CreatedMay 18, 2011
UpdatedJuly 26, 2019
Classificationbad-unknown
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:8; metadata:created_at 2011_05_18, confidence Medium, signature_severity Unknown, updated_at 2019_07_26;)

References

urlblog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html
urlsans.org/reading_room/whitepapers/malicious/rss/_33649

Metadata

created at2011_05_18
confidenceMedium
signature severityUnknown
updated at2019_07_26

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!