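title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: experimental
description: Detects suspicious user agent strings used by malware in proxy logs
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
references:
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
    - http://www.botopedia.org/search?searchword=scan&searchphrase=all
    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
    - https://perishablepress.com/blacklist/ua-2013.txt
    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
logsource:
    category: proxy
detection:
    # Each value is matched against the proxy's c-useragent field. Entries that
    # carry a '*' are wildcard patterns; the others (including the very short
    # ones such as 'M', 'Opera', 'MSIE') are full-string matches, so they do
    # NOT fire on every browser whose UA merely contains that word.
    # NOTE(review): several entries are generic legacy browser strings that
    # legitimate software may still send - see the "base-lining recommended"
    # markers below and the falsepositives section.
    selection:
        c-useragent:
            # RATs
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0'  # DragonOK
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)'  # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)'  # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)'  # Used by PlugX - old - https://goo.gl/Yfjtk5
            - 'HttpBrowser/1.0'  # HTTPBrowser RAT
            - '*<|>*'  # Houdini / Iniduoh / njRAT
            - 'nsis_inetc (mozilla)'  # ZeroAccess
            - 'Wget/1.9+cvs-stable (Red Hat modified)'  # Dyre / Upatre
            # Ghost419 https://goo.gl/rW1yvZ
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
            # Malware
            - '*zeroup*'  # W32/Renos.Downloader
            - 'Mozilla/5.0 (Windows NT 5.1 ; v.*'  # Kazy
            - '* adlib/*'  # https://goo.gl/gcAHoh
            - '* tiny'  # Trojan Downloader
            - '* BGroom *'  # Trojan Downloader
            - '* changhuatong'
            - '* CholTBAgent'
            - 'Mozilla/5.0 WinInet'
            - 'RookIE/1.0'
            - 'M'  # HkMain - full-string match, the UA is literally the single letter
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'  # Egamipload - old UA - probably prone to false positives, base-lining recommended
            - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)'  # Yakes
            - 'backdoorbot'
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)'  # Sality
            - 'Opera/8.81 (Windows NT 6.0; U; en)'  # Sality
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)'  # Sality
            - 'Opera'  # Trojan Keragany - full-string match, not a substring of normal Opera UAs
            - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'  # Fareit
            - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'  # Webshell's back connect
            - 'MSIE'  # Toby web shell - full-string match
            - '*(Charon; Inferno)'  # Loki Bot
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'  # Fareit / Pony
            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'  # https://goo.gl/g43qjs
            - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)'  # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'  # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/ - truncated generic UA, base-lining recommended
            # Ursnif
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
            # Emotet
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)'  # https://twitter.com/webbthewombat/status/1225827092132179968
            # Others
            - '* pxyscand*'
            - '* asd'
            - '* mdms'
            - 'sample'
            - 'nocase'
            - 'Moxilla'
            - 'Win32 *'
            - '*Microsoft Internet Explorer*'
            - 'agent *'
            - 'AutoIt'  # Suspicious - base-lining recommended
            - 'IczelionDownLoad'
    condition: selection
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Legitimate legacy software or scripts sending one of the old generic browser user agents listed above (entries marked "base-lining recommended")
    - AutoIt-based internal tooling
level: high
tags:
    - attack.command_and_control
    - attack.t1071.001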