SID 1:63607

Report a false positive

Rule Category

MALWARE-TOOLS --

Alert Message

MALWARE-TOOLS Win.Malware.ReconShark variant payload download

Rule Explanation

This rule looks for bytes known to be specific to a Win.Malware.ReconShark variant payload.

What To Look For

This rule fires on attempts to download a Win.Malware.ReconShark variant payload.

Known Usage

Attacks/Scans seen in the wild

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Execution::User Execution::Malicious File

CVE

None

Additional Links

www.virustotal.com/gui/file/62ff72aa8a8c5bccdf6c789952ee054a0d0d479e417fa20ea73a936e17bdf043

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE TTP

T1204.002 Malicious File

MITRE IDT1204.002
TacticExecution
TechniqueUser Execution
SubtechniqueMalicious File
DescriptionAn adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.