ET MALWARE HermeticWizard - WMI Spreader - File Copy via SMB2 (NT Create AndX Request)
Sourceet/open
CreatedMarch 9, 2022
UpdatedMarch 9, 2022
Classificationtrojan-activity
alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - File Copy via SMB2 (NT Create AndX Request)"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|22 00|"; distance:0; content:"|63 00|"; distance:8; within:2; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l|00|"; within:8; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_09, deployment Internal, deployment Datacenter, malware_family HermeticWizard, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2022_03_09;)
References
| url | www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ |
| md5 | 517d2b385b846d6ea13b75b8adceb061 |
Metadata
affected productWindows_XP_Vista_7_8_10_Server_32_64_Bit
attack targetClient_and_Server
created at2022_03_09
deploymentDatacenter
malware familyHermeticWizard
performance impactModerate
confidenceMedium
signature severityMajor
updated at2022_03_09
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!