# ET TROJAN Ursnif Variant CnC? Beacon 4 -- sid 2021829, rev 3 (the revision recorded as
# "Added 2020-12-11" below; metadata updated_at 2020_12_10, rule body unchanged since rev 3).
# Fires on an outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET, any ports) on an established
# flow, client-to-server. Every condition below is taken from the rule body itself:
#   - urilen > 125 bytes; URI contains "." and ends in .gif/.bmp/.jpeg/.png (pcre on /U buffer)
#   - the header buffer contains no "Accept" substring (so no Accept, Accept-Encoding,
#     Accept-Language, ...) and no "Referer:" header
#   - within the first 70 bytes of the header buffer (depth:70): the exact line
#     "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" followed directly
#     by "Host: "; fast_pattern:48,20 hands a 20-byte slice at offset 48 of that content
#     to the multi-pattern matcher
#   - "Connection: Keep-Alive\r\n" somewhere after that match (distance:0)
#   - the /H pcre pins the tail of the header block to: Host, optional Content-Length
#     (unusual on a GET), Connection: Keep-Alive, then Cache-Control or Pragma: no-cache,
#     then end of headers
# reference:md5 is the sample the signature was written against; the "CnC?" in msg is the
# author's own marker that the C2 attribution was not confirmed.
# NOTE(review): every positive condition is one exact legacy IE8/Win7 UA string plus a fixed
# header order, so a change in the client's header set would stop matches -- confirm against
# current samples before relying on this sid alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Beacon 4"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"."; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; http_header; fast_pattern:48,20; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; pcre:"/\.(?:gif|bmp|jpeg|png)$/U"; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021829; rev:3; metadata:created_at 2015_09_23, former_category MALWARE, updated_at 2020_12_10;)

Added 2020-12-11 18:27:46 UTC


# ET TROJAN Ursnif Variant CnC? Beacon 4 -- sid 2021829, rev 3 (the revision recorded as
# "Added 2020-08-05" below; metadata updated_at 2020_06_01, former_category now folded into
# the single metadata keyword; rule body unchanged).
# Fires on an outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET, any ports) on an established
# flow, client-to-server. Every condition below is taken from the rule body itself:
#   - urilen > 125 bytes; URI contains "." and ends in .gif/.bmp/.jpeg/.png (pcre on /U buffer)
#   - the header buffer contains no "Accept" substring (so no Accept, Accept-Encoding,
#     Accept-Language, ...) and no "Referer:" header
#   - within the first 70 bytes of the header buffer (depth:70): the exact line
#     "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" followed directly
#     by "Host: "; fast_pattern:48,20 hands a 20-byte slice at offset 48 of that content
#     to the multi-pattern matcher
#   - "Connection: Keep-Alive\r\n" somewhere after that match (distance:0)
#   - the /H pcre pins the tail of the header block to: Host, optional Content-Length
#     (unusual on a GET), Connection: Keep-Alive, then Cache-Control or Pragma: no-cache,
#     then end of headers
# reference:md5 is the sample the signature was written against; the "CnC?" in msg is the
# author's own marker that the C2 attribution was not confirmed.
# NOTE(review): every positive condition is one exact legacy IE8/Win7 UA string plus a fixed
# header order, so a change in the client's header set would stop matches -- confirm against
# current samples before relying on this sid alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Beacon 4"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"."; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; http_header; fast_pattern:48,20; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; pcre:"/\.(?:gif|bmp|jpeg|png)$/U"; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021829; rev:3; metadata:created_at 2015_09_23, former_category MALWARE, updated_at 2020_06_01;)

Added 2020-08-05 19:11:40 UTC


# ET TROJAN Ursnif Variant CnC? Beacon 4 -- sid 2021829, rev 3 (the revision recorded as
# "Added 2020-06-01" below). This revision carries two separate "metadata:" keywords, one
# for former_category before reference: and one for created_at/updated_at at the end; the
# later revisions on this page merge them into one. Rule body unchanged.
# Fires on an outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET, any ports) on an established
# flow, client-to-server. Every condition below is taken from the rule body itself:
#   - urilen > 125 bytes; URI contains "." and ends in .gif/.bmp/.jpeg/.png (pcre on /U buffer)
#   - the header buffer contains no "Accept" substring (so no Accept, Accept-Encoding,
#     Accept-Language, ...) and no "Referer:" header
#   - within the first 70 bytes of the header buffer (depth:70): the exact line
#     "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" followed directly
#     by "Host: "; fast_pattern:48,20 hands a 20-byte slice at offset 48 of that content
#     to the multi-pattern matcher
#   - "Connection: Keep-Alive\r\n" somewhere after that match (distance:0)
#   - the /H pcre pins the tail of the header block to: Host, optional Content-Length
#     (unusual on a GET), Connection: Keep-Alive, then Cache-Control or Pragma: no-cache,
#     then end of headers
# reference:md5 is the sample the signature was written against; the "CnC?" in msg is the
# author's own marker that the C2 attribution was not confirmed.
# NOTE(review): every positive condition is one exact legacy IE8/Win7 UA string plus a fixed
# header order, so a change in the client's header set would stop matches -- confirm against
# current samples before relying on this sid alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Beacon 4"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"."; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; http_header; fast_pattern:48,20; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; pcre:"/\.(?:gif|bmp|jpeg|png)$/U"; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; metadata: former_category MALWARE; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021829; rev:3; metadata:created_at 2015_09_23, updated_at 2020_06_01;)

Added 2020-06-01 20:08:38 UTC


# ET TROJAN Ursnif Variant CnC? Beacon 4 -- sid 2021829, rev 3 (the revision recorded as
# "Added 2019-09-19" below). This revision adds a separate "metadata: former_category MALWARE"
# keyword ahead of reference:, leaving created_at/updated_at (both 2015_09_23) in a second
# metadata keyword at the end. Rule body unchanged.
# Fires on an outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET, any ports) on an established
# flow, client-to-server. Every condition below is taken from the rule body itself:
#   - urilen > 125 bytes; URI contains "." and ends in .gif/.bmp/.jpeg/.png (pcre on /U buffer)
#   - the header buffer contains no "Accept" substring (so no Accept, Accept-Encoding,
#     Accept-Language, ...) and no "Referer:" header
#   - within the first 70 bytes of the header buffer (depth:70): the exact line
#     "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" followed directly
#     by "Host: "; fast_pattern:48,20 hands a 20-byte slice at offset 48 of that content
#     to the multi-pattern matcher
#   - "Connection: Keep-Alive\r\n" somewhere after that match (distance:0)
#   - the /H pcre pins the tail of the header block to: Host, optional Content-Length
#     (unusual on a GET), Connection: Keep-Alive, then Cache-Control or Pragma: no-cache,
#     then end of headers
# reference:md5 is the sample the signature was written against; the "CnC?" in msg is the
# author's own marker that the C2 attribution was not confirmed.
# NOTE(review): every positive condition is one exact legacy IE8/Win7 UA string plus a fixed
# header order, so a change in the client's header set would stop matches -- confirm against
# current samples before relying on this sid alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Beacon 4"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"."; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; http_header; fast_pattern:48,20; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; pcre:"/\.(?:gif|bmp|jpeg|png)$/U"; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; metadata: former_category MALWARE; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021829; rev:3; metadata:created_at 2015_09_23, updated_at 2015_09_23;)

Added 2019-09-19 19:26:29 UTC


# ET TROJAN Ursnif Variant CnC? Beacon 4 -- sid 2021829, rev 3 (the revision recorded as
# "Added 2018-09-13" below; carries a single metadata keyword with created_at/updated_at
# 2015_09_23 and no former_category yet). Rule body unchanged.
# Fires on an outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET, any ports) on an established
# flow, client-to-server. Every condition below is taken from the rule body itself:
#   - urilen > 125 bytes; URI contains "." and ends in .gif/.bmp/.jpeg/.png (pcre on /U buffer)
#   - the header buffer contains no "Accept" substring (so no Accept, Accept-Encoding,
#     Accept-Language, ...) and no "Referer:" header
#   - within the first 70 bytes of the header buffer (depth:70): the exact line
#     "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" followed directly
#     by "Host: "; fast_pattern:48,20 hands a 20-byte slice at offset 48 of that content
#     to the multi-pattern matcher
#   - "Connection: Keep-Alive\r\n" somewhere after that match (distance:0)
#   - the /H pcre pins the tail of the header block to: Host, optional Content-Length
#     (unusual on a GET), Connection: Keep-Alive, then Cache-Control or Pragma: no-cache,
#     then end of headers
# reference:md5 is the sample the signature was written against; the "CnC?" in msg is the
# author's own marker that the C2 attribution was not confirmed.
# NOTE(review): every positive condition is one exact legacy IE8/Win7 UA string plus a fixed
# header order, so a change in the client's header set would stop matches -- confirm against
# current samples before relying on this sid alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Beacon 4"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"."; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; http_header; fast_pattern:48,20; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; pcre:"/\.(?:gif|bmp|jpeg|png)$/U"; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021829; rev:3; metadata:created_at 2015_09_23, updated_at 2015_09_23;)

Added 2018-09-13 19:51:43 UTC


Added 2018-09-13 18:00:24 UTC


# ET TROJAN Ursnif Variant CnC? Beacon 4 -- sid 2021829, rev 3 (the revision recorded as
# "Added 2017-08-07" below; first revision on this page to carry a metadata keyword,
# created_at/updated_at 2015_09_23). Rule body unchanged from the 2015 original.
# Fires on an outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET, any ports) on an established
# flow, client-to-server. Every condition below is taken from the rule body itself:
#   - urilen > 125 bytes; URI contains "." and ends in .gif/.bmp/.jpeg/.png (pcre on /U buffer)
#   - the header buffer contains no "Accept" substring (so no Accept, Accept-Encoding,
#     Accept-Language, ...) and no "Referer:" header
#   - within the first 70 bytes of the header buffer (depth:70): the exact line
#     "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" followed directly
#     by "Host: "; fast_pattern:48,20 hands a 20-byte slice at offset 48 of that content
#     to the multi-pattern matcher
#   - "Connection: Keep-Alive\r\n" somewhere after that match (distance:0)
#   - the /H pcre pins the tail of the header block to: Host, optional Content-Length
#     (unusual on a GET), Connection: Keep-Alive, then Cache-Control or Pragma: no-cache,
#     then end of headers
# reference:md5 is the sample the signature was written against; the "CnC?" in msg is the
# author's own marker that the C2 attribution was not confirmed.
# NOTE(review): every positive condition is one exact legacy IE8/Win7 UA string plus a fixed
# header order, so a change in the client's header set would stop matches -- confirm against
# current samples before relying on this sid alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Beacon 4"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"."; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; http_header; fast_pattern:48,20; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; pcre:"/\.(?:gif|bmp|jpeg|png)$/U"; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021829; rev:3; metadata:created_at 2015_09_23, updated_at 2015_09_23;)

Added 2017-08-07 21:16:35 UTC


# ET TROJAN Ursnif Variant CnC? Beacon 4 -- sid 2021829, rev 3 (the original revision,
# recorded as "Added 2015-09-23" below; no metadata keyword yet).
# Fires on an outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET, any ports) on an established
# flow, client-to-server. Every condition below is taken from the rule body itself:
#   - urilen > 125 bytes; URI contains "." and ends in .gif/.bmp/.jpeg/.png (pcre on /U buffer)
#   - the header buffer contains no "Accept" substring (so no Accept, Accept-Encoding,
#     Accept-Language, ...) and no "Referer:" header
#   - within the first 70 bytes of the header buffer (depth:70): the exact line
#     "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" followed directly
#     by "Host: "; fast_pattern:48,20 hands a 20-byte slice at offset 48 of that content
#     to the multi-pattern matcher
#   - "Connection: Keep-Alive\r\n" somewhere after that match (distance:0)
#   - the /H pcre pins the tail of the header block to: Host, optional Content-Length
#     (unusual on a GET), Connection: Keep-Alive, then Cache-Control or Pragma: no-cache,
#     then end of headers
# reference:md5 is the sample the signature was written against; the "CnC?" in msg is the
# author's own marker that the C2 attribution was not confirmed.
# NOTE(review): every positive condition is one exact legacy IE8/Win7 UA string plus a fixed
# header order, so a change in the client's header set would stop matches -- confirm against
# current samples before relying on this sid alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC? Beacon 4"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"."; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; http_header; fast_pattern:48,20; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; pcre:"/\.(?:gif|bmp|jpeg|png)$/U"; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021829; rev:3;)

Added 2015-09-23 18:25:20 UTC

