# Sigma detection rule (logsource category "proxy"): fires when the client
# user-agent string of a proxy log entry matches one of the values listed
# under detection.selection.c-useragent.
# Sigma list semantics: the entries are OR'ed; a value containing '*' is a
# wildcard match, every other value must match the whole user-agent string.
# NOTE(review): short entries such as 'M', 'MSIE', 'Opera', 'sample' and
# 'nocase' are therefore full-string matches, not substrings - they only
# fire on a user agent consisting of exactly that token.
title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
author: Florian Roth
references:
  - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
  - http://www.botopedia.org/search?searchword=scan&searchphrase=all
  - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
  - https://perishablepress.com/blacklist/ua-2013.txt
  - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
date: 2017/07/08
modified: 2021/11/27
logsource:
  category: proxy
detection:
  selection:
    # Each entry is annotated with the malware family it is attributed to;
    # entries marked "base-lining recommended" also occur in legitimate
    # traffic on older Windows hosts and should be tuned per environment.
    c-useragent:
      # RATs
      - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0'    # DragonOK (note the space before "/53.0")
      - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)'    # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
      - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)'    # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
      - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)'    # Used by PlugX - old - https://goo.gl/Yfjtk5 (double space before "1.1.4322" is intentional)
      - 'HttpBrowser/1.0'    # HTTPBrowser RAT
      - '*<|>*'    # Houdini / Iniduoh / njRAT - wildcard: "<|>" anywhere in the UA
      - 'nsis_inetc (mozilla)'    # ZeroAccess
      - 'Wget/1.9+cvs-stable (Red Hat modified)'    # Dyre / Upatre
      # Ghost419 https://goo.gl/rW1yvZ
      - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'

      # Malware
      - '*zeroup*'    # W32/Renos.Downloader
      - 'Mozilla/5.0 (Windows NT 5.1 ; v.*'    # Kazy - wildcard prefix match
      - '* adlib/*'    # https://goo.gl/gcAHoh
      - '* tiny'    # Trojan Downloader
      - '* BGroom *'    # Trojan Downloader
      - '* changhuatong'
      - '* CholTBAgent'
      - 'Mozilla/5.0 WinInet'
      - 'RookIE/1.0'
      - 'M'    # HkMain - exact match: UA consisting of the single letter "M"
      - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'    # Egamipload - old UA - probably prone to false positives
      - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)'    # Yakes (no spaces after the semicolons is intentional)
      - 'backdoorbot'
      - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)'    # Sality
      - 'Opera/8.81 (Windows NT 6.0; U; en)'    # Sality
      - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)'    # Sality
      - 'Opera'    # Trojan Keragany - exact match: UA consisting only of "Opera"
      - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'    # Fareit
      - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'    # Webshell's back connect
      - 'MSIE'    # Toby web shell - exact match: UA consisting only of "MSIE"
      - '*(Charon; Inferno)'    # Loki Bot
      - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'    # Fareit / Pony
      - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'    # https://goo.gl/g43qjs
      - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)'    # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again (no space before "(compatible" is intentional)
      - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'    # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
      # Ursnif
      - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
      - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
      # Emotet
      - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)'    # https://twitter.com/webbthewombat/status/1225827092132179968
      # Others
      - '* pxyscand*'
      - '* asd'
      - '* mdms'
      - 'sample'
      - 'nocase'
      - 'Moxilla'
      - 'Win32 *'
      - '*Microsoft Internet Explorer*'
      - 'agent *'
      - 'AutoIt'    # Suspicious - base-lining recommended
      - 'IczelionDownLoad'
      - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)'    # https://unit42.paloaltonetworks.com/thor-plugx-variant/
  condition: selection
# Fields to surface with an alert: source host plus the request URI and the
# matched user agent, which is what an analyst needs to triage the hit.
fields:
  - ClientIP
  - c-uri
  - c-useragent
# NOTE(review): the entries marked "base-lining recommended" above are the
# most likely source of false positives; "Unknown" is kept as the author's
# assessment.
falsepositives:
  - Unknown
level: high
tags:
  - attack.command_and_control
  - attack.t1071.001