title: Malware User Agent id: 5c84856b-55a5-45f1-826f-13f37250cf4e status: test description: Detects suspicious user agent strings used by malware in proxy logs references: - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules - http://www.botopedia.org/search?searchword=scan&searchphrase=all - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html - https://perishablepress.com/blacklist/ua-2013.txt - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large - https://twitter.com/crep1x/status/1635034100213112833 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2017-07-08 modified: 2024-04-14 tags: - attack.command-and-control - attack.t1071.001 logsource: category: proxy detection: selection: c-useragent: # RATs - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439 - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439 - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ - 'HttpBrowser/1.0' # HTTPBrowser RAT - '*<|>*' # Houdini / Iniduoh / njRAT - 'nsis_inetc (mozilla)' # ZeroAccess - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre # Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)' # Malware - '*zeroup*' # W32/Renos.Downloader - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy - '* adlib/*' - '* tiny' # Trojan Downloader - '* BGroom *' # Trojan Downloader - '* changhuatong' - '* CholTBAgent' - 'Mozilla/5.0 WinInet' - 'RookIE/1.0' - 'M' # HkMain - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes - 'backdoorbot' - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality - 'Opera' # Trojan Keragany - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect - 'MSIE' # Toby web shell - '*(Charon; Inferno)' # Loki Bot - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/ # Ursnif - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)' - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)' # Emotet - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968 # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q) - 'Mozilla/5.0 (Windows NT 6.1)' - 'AppleWebkit/587.38 (KHTML, like Gecko)' - 'Chrome/91.0.4472.77' - 'Safari/537.36' - 'Edge/91.0.864.37' - 'Firefox/89.0' - 'Gecko/20100101' # Others - '* pxyscand*' - '* asd' - '* mdms' - 'sample' - 'nocase' - 'Moxilla' - 'Win32 *' - '*Microsoft Internet Explorer*' - 'agent *' - 'AutoIt' # Suspicious - base-lining recommended - 'IczelionDownLoad' - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/ - 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/ - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/ - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update - 'antSword/v2.1' # AntSword Webshell UA - 'rqwrwqrqwrqw' # Racoon Stealer - 'qwrqrwrqwrqwr' # Racoon Stealer - 'rc2.0/client' # Racoon Stealer - 'TakeMyPainBack' # Racoon Stealer - 'xxx' # Racoon Stealer - '20112211' # Racoon Stealer - '23591' # Racoon Stealer - '901785252112' # Racoon Stealer - '1235125521512' # Racoon Stealer - '125122112551' # Racoon Stealer - 'B1D3N_RIM_MY_ASS' # Racoon Stealer - 'AYAYAYAY1337' # Racoon Stealer - 'iMightJustPayMySelfForAFeature' # Racoon Stealer - 'ForAFeature' # Racoon Stealer - 'Ares_ldr_v_*' # AresLoader # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db - 'CLCTR' # https://github.com/silence-is-best/c2db - 'uploader' # https://github.com/silence-is-best/c2db - 'agent' # https://github.com/silence-is-best/c2db - 'License' # https://github.com/silence-is-best/c2db - 'vb wininet' # https://github.com/silence-is-best/c2db - 'Client' # https://github.com/silence-is-best/c2db - 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880 - 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880 - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880 - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880 - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880 - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880 - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880 - 'DuckTales' # Racoon Stealer - 'Zadanie' # Racoon Stealer - 'GunnaWunnaBlueTips' # Racoon Stealer - 'Xlmst' # Racoon Stealer - 'GeekingToTheMoon' # Racoon Stealer - 'SunShineMoonLight' # Racoon Stealer - 'BunnyRequester' # BunnyStealer - 'BunnyTasks' # BunnyStealer - 'BunnyStealer' # BunnyStealer - 'BunnyLoader_Dropper' # BunnyStealer - 'BunnyLoader' # BunnyStealer - 'BunnyShell' # BunnyStealer - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/ - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301 - 'SouthSide' # Racoon Stealer - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader condition: selection falsepositives: - Unknown level: high