ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016

SID: 2022896
Rev: 7
Source: et/open
Created: June 14, 2016
Updated: April 22, 2024
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; http.host; pcre:"/\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?$/"; http.header_names; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2022896; rev:7; metadata:created_at 2016_06_14, performance_impact Moderate, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_22, reviewed_at 2024_04_11;)

Metadata

created at: 2016_06_14
performance impact: Moderate
confidence: Medium
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2024_04_22
reviewed at: 2024_04_11
