Malware User Agent

Detects suspicious user agent strings used by malware in proxy logs

Sigma rule (View on GitHub)

  1title: Malware User Agent
  2id: 5c84856b-55a5-45f1-826f-13f37250cf4e
  3status: test
  4description: Detects suspicious user agent strings used by malware in proxy logs
  5references:
  6    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
  7    - http://www.botopedia.org/search?searchword=scan&searchphrase=all
  8    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
  9    - https://perishablepress.com/blacklist/ua-2013.txt
 10    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
 11    - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
 12    - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
 13    - https://twitter.com/crep1x/status/1635034100213112833
 14author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 15date: 2017-07-08
 16modified: 2024-04-14
 17tags:
 18    - attack.command-and-control
 19    - attack.t1071.001
 20logsource:
 21    category: proxy
 22detection:
 23    selection:
 24        c-useragent:
 25            # RATs
 26            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
 27            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
 28            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
 29            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
 30            - 'HttpBrowser/1.0' # HTTPBrowser RAT
 31            - '*<|>*' # Houdini / Iniduoh / njRAT
 32            - 'nsis_inetc (mozilla)' # ZeroAccess
 33            - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
 34            # Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
 35            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
 36            # Malware
 37            - '*zeroup*' # W32/Renos.Downloader
 38            - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
 39            - '* adlib/*'
 40            - '* tiny' # Trojan Downloader
 41            - '* BGroom *' # Trojan Downloader
 42            - '* changhuatong'
 43            - '* CholTBAgent'
 44            - 'Mozilla/5.0 WinInet'
 45            - 'RookIE/1.0'
 46            - 'M' # HkMain
 47            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
 48            - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
 49            - 'backdoorbot'
 50            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
 51            - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
 52            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
 53            - 'Opera' # Trojan Keragany
 54            - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
 55            - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
 56            - 'MSIE' # Toby web shell
 57            - '*(Charon; Inferno)' # Loki Bot
 58            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
 59            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection
 60            - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
 61            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
 62            # Ursnif
 63            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
 64            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
 65            # Emotet
 66            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
 67            # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
 68            - 'Mozilla/5.0 (Windows NT 6.1)'
 69            - 'AppleWebkit/587.38 (KHTML, like Gecko)'
 70            - 'Chrome/91.0.4472.77'
 71            - 'Safari/537.36'
 72            - 'Edge/91.0.864.37'
 73            - 'Firefox/89.0'
 74            - 'Gecko/20100101'
 75            # Others
 76            - '* pxyscand*'
 77            - '* asd'
 78            - '* mdms'
 79            - 'sample'
 80            - 'nocase'
 81            - 'Moxilla'
 82            - 'Win32 *'
 83            - '*Microsoft Internet Explorer*'
 84            - 'agent *'
 85            - 'AutoIt' # Suspicious - base-lining recommended
 86            - 'IczelionDownLoad'
 87            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
 88            - 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
 89            - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
 90            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
 91            - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
 92            - 'antSword/v2.1' # AntSword Webshell UA
 93            - 'rqwrwqrqwrqw'  # Racoon Stealer
 94            - 'qwrqrwrqwrqwr'  # Racoon Stealer
 95            - 'rc2.0/client'  # Racoon Stealer
 96            - 'TakeMyPainBack'  # Racoon Stealer
 97            - 'xxx' # Racoon Stealer
 98            - '20112211' # Racoon Stealer
 99            - '23591' # Racoon Stealer
100            - '901785252112' # Racoon Stealer
101            - '1235125521512' # Racoon Stealer
102            - '125122112551' # Racoon Stealer
103            - 'B1D3N_RIM_MY_ASS' # Racoon Stealer
104            - 'AYAYAYAY1337' # Racoon Stealer
105            - 'iMightJustPayMySelfForAFeature' # Racoon Stealer
106            - 'ForAFeature' # Racoon Stealer
107            - 'Ares_ldr_v_*' # AresLoader
108            # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
109            - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
110            - 'CLCTR' # https://github.com/silence-is-best/c2db
111            - 'uploader' # https://github.com/silence-is-best/c2db
112            - 'agent' # https://github.com/silence-is-best/c2db
113            - 'License' # https://github.com/silence-is-best/c2db
114            - 'vb wininet' # https://github.com/silence-is-best/c2db
115            - 'Client' # https://github.com/silence-is-best/c2db
116            - 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
117            - 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
118            - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
119            - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
120            - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
121            - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
122            - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
123            - 'DuckTales' # Racoon Stealer
124            - 'Zadanie' # Racoon Stealer
125            - 'GunnaWunnaBlueTips' # Racoon Stealer
126            - 'Xlmst' # Racoon Stealer
127            - 'GeekingToTheMoon' # Racoon Stealer
128            - 'SunShineMoonLight' # Racoon Stealer
129            - 'BunnyRequester' # BunnyStealer
130            - 'BunnyTasks' # BunnyStealer
131            - 'BunnyStealer' # BunnyStealer
132            - 'BunnyLoader_Dropper' # BunnyStealer
133            - 'BunnyLoader' # BunnyStealer
134            - 'BunnyShell' # BunnyStealer
135            - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
136            - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
137            - 'SouthSide' # Racoon Stealer
138            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader
139    condition: selection
140falsepositives:
141    - Unknown
142level: high

References

Related rules

to-top