alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate"; flow:established,from_server; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; reference:url,blogs.technet.com/b/mmpc/archive/2013/10/31/upatre-emerging-up-d-at-er-in-the-wild.aspx; classtype:trojan-activity; sid:2017816; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, malware_family Upatre, confidence Medium, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_15;)