ET MALWARE Dyre Downloading Mailer 2
Source: et/open
Created: May 4, 2015
Updated: February 23, 2024
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyre Downloading Mailer 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".tar"; endswith; fast_pattern; http.header_names; content:!"|0d 0a|Accept"; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Connection|0d 0a|"; http.user_agent; bsize:176; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|6|2e|1|3b 20|WOW64|3b 20|Trident|2f|7|2e|0|3b 20|SLCC2|3b 20 2e|NET|20|CLR|20|2|2e|0|2e|50727|3b 20 2e|NET|20|CLR|20|3|2e|5|2e|30729|3b 20 2e|NET|20|CLR|20|3|2e|0|2e|30729|3b 20|Media|20|Center|20|PC|20|6|2e|0|3b 20 2e|NET4|2e|0E|3b 20 2e|NET4|2e|0C|3b 20|rv|3a|11|2e|0|29 20|like|20|Gecko"; reference:url,www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html; reference:md5,999bc5e16312db6abff5f6c9e54c546f; classtype:trojan-activity; sid:2021056; rev:6; metadata:created_at 2015_05_04, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_23;)
References
| url | www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html |
| md5 | 999bc5e16312db6abff5f6c9e54c546f |
Metadata
created at: 2015_05_04
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2024_02_23