ET MALWARE Win32/IcedID Requesting Encoded Binary M5

SID: 2031298
Rev: 3
0 views
History
Source: et/open
Created: December 8, 2020
Updated: December 18, 2020
Classification: command-and-control
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M5"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__io_r="; fast_pattern; http.cookie; content:"__io_r="; startswith; content:"|3b 20|__io_vl="; distance:0; content:"|3b 20|__io_bl="; distance:0; content:"|3b 20|Session_id="; distance:0; content:"|3b 20|__io_uniq="; distance:0; content:"|3b 20|__io_f="; isdataat:!38,relative; pcre:"/^__io_r=[0-9]{10}_[01]_[0-9]{4,5}_[0-9]{7,8}_[0-9]{1,2}\x3b\x20__io_vl=[0-9]_[0-9]{6}_[0-9]{3}_[0-9]{2}\x3b\x20__io_bl=[0-9]{1,2}:[0-9]:[0-9]{4,5}:[0-9]{2}\x3b\x20Session_id=[0-9A-F]{12}\x3b\x20__io_uniq=[0-9A-F]{8,22}_[0-9A-F]{12,20}\x3b\x20__io_f=[0-9]{2}::[0-9]{10}::[0-9]{9,10}::[0-9]{9,10}$/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; classtype:command-and-control; sid:2031298; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, deployment SSLDecrypt, malware_family IcedID, performance_impact Moderate, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_12_18;)
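As an added illustration (not part of the ET rule set or Proofpoint's tooling), the Python below re-expresses this signature's cookie layout and header-name constraints as a host-side check and runs it against constructed requests. The cookie values are made up for the demonstration, not captured IcedID traffic, and the `isdataat` test is not modelled separately because the cookie pattern already bounds the `__io_f` value.

```python
import re

# Cookie layout from the signature's pcre, in Python syntax (\x3b\x20 written as "; ").
COOKIE_RE = re.compile(
    r"^__io_r=[0-9]{10}_[01]_[0-9]{4,5}_[0-9]{7,8}_[0-9]{1,2}; "
    r"__io_vl=[0-9]_[0-9]{6}_[0-9]{3}_[0-9]{2}; "
    r"__io_bl=[0-9]{1,2}:[0-9]:[0-9]{4,5}:[0-9]{2}; "
    r"Session_id=[0-9A-F]{12}; "
    r"__io_uniq=[0-9A-F]{8,22}_[0-9A-F]{12,20}; "
    r"__io_f=[0-9]{2}::[0-9]{10}::[0-9]{9,10}::[0-9]{9,10}$"
)

# http.header_names buffer the rule expects (bsize:30): exactly these three headers, in this order.
EXPECTED_HEADER_NAMES = b"\r\nConnection\r\nCookie\r\nHost\r\n\r\n"

def header_names_buffer(headers):
    """Rebuild Suricata's http.header_names buffer from (name, value) pairs."""
    return b"\r\n" + b"".join(n.encode() + b"\r\n" for n, _ in headers) + b"\r\n"

def matches_icedid_m5(raw_request: bytes) -> bool:
    """True if a raw HTTP/1.1 request satisfies the rule's method, header-set, Connection and Cookie checks."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] != "HTTP/1.1":
        return False
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b": ")  # the rule requires "|3a 20|" after each name
        if not sep:
            return False
        headers.append((name.decode("latin-1"), value.decode("latin-1")))
    if header_names_buffer(headers) != EXPECTED_HEADER_NAMES:
        return False
    hdr = dict(headers)
    # http.start must read "HTTP/1.1\r\nConnection: Keep-Alive\r\nCookie: __io_r="
    if hdr["Connection"] != "Keep-Alive" or not hdr["Cookie"].startswith("__io_r="):
        return False
    return COOKIE_RE.match(hdr["Cookie"]) is not None

# Constructed sample request (made-up values, not captured traffic).
SAMPLE_MATCH = (
    b"GET /news/ HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    b"Cookie: __io_r=1607420000_1_12345_1234567_12; __io_vl=1_123456_123_12; "
    b"__io_bl=12:1:1234:12; Session_id=0123456789AB; __io_uniq=0123456789AB_0123456789AB; "
    b"__io_f=12::1607420000::123456789::123456789\r\nHost: example.invalid\r\n\r\n"
)
# Same cookie, but one extra header breaks the header_names constraint, so the rule would not fire.
SAMPLE_EXTRA_HEADER = SAMPLE_MATCH.replace(b"\r\nHost:", b"\r\nUser-Agent: x\r\nHost:")
```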

Metadata

attack target: Client_Endpoint
created at: 2020_12_08
deployment: SSLDecrypt
malware family: IcedID
performance impact: Moderate
confidence: High
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2020_12_18
