alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; http_connection; content:"close"; http_header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Enigma, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)

Added 2020-11-03 18:44:38 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; http_connection; content:"close"; http_header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Enigma, performance_impact Low, signature_severity Major, updated_at 2020_02_28;)

Added 2020-08-05 19:12:40 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; http_connection; content:"close"; http_header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; metadata: former_category MALWARE; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_12, malware_family Ransomware, malware_family Enigma, performance_impact Low, updated_at 2020_02_28;)

Added 2020-02-28 20:04:03 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; content:"Connection|3a 20|close"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; metadata: former_category MALWARE; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_12, malware_family Ransomware, malware_family Enigma, performance_impact Low, updated_at 2016_10_12;)

Added 2019-09-26 19:58:13 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; content:"Connection|3a 20|close"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_12, malware_family Ransomware, malware_family Enigma, performance_impact Low, updated_at 2016_10_12;)

Added 2018-09-13 19:53:00 UTC


Added 2018-09-13 18:01:10 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; content:"Connection|3a 20|close"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_12, malware_family Ransomware, malware_family Enigma, performance_impact Low, updated_at 2016_10_12;)

Added 2017-08-07 21:18:26 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; content:"Connection|3a 20|close"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:2;)

Added 2016-10-18 11:42:28 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; content:"Connection|3a 20|close"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:2;)

Added 2016-10-18 11:42:26 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; content:"Connection|3a 20|close"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:2;)

Added 2016-10-18 11:39:22 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; content:"Connection|3a 20|close"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:2;)

Added 2016-10-18 11:39:20 UTC


Topic revision: r1 - 2020-11-03 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats