Malware User Agent | SOC Hunt Feed

Hunt Hypothesis

Malware often uses custom user agent strings to evade detection and communicate with command-and-control servers. SOC teams should proactively hunt for these suspicious user agents in Azure Sentinel to identify potential malware activity and prevent data exfiltration or system compromise.

Detection Rule

Sigma (Original)

title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
references:
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
    - http://www.botopedia.org/search?searchword=scan&searchphrase=all
    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
    - https://perishablepress.com/blacklist/ua-2013.txt
    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
    - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
    - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
    - https://twitter.com/crep1x/status/1635034100213112833
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-07-08
modified: 2024-04-14
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
            # RATs
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
            - 'HttpBrowser/1.0' # HTTPBrowser RAT
            - '*<|>*' # Houdini / Iniduoh / njRAT
            - 'nsis_inetc (mozilla)' # ZeroAccess
            - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
            # Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
            # Malware
            - '*zeroup*' # W32/Renos.Downloader
            - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
            - '* adlib/*'
            - '* tiny' # Trojan Downloader
            - '* BGroom *' # Trojan Downloader
            - '* changhuatong'
            - '* CholTBAgent'
            - 'Mozilla/5.0 WinInet'
            - 'RookIE/1.0'
            - 'M' # HkMain
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
            - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
            - 'backdoorbot'
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
            - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
            - 'Opera' # Trojan Keragany
            - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
            - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
            - 'MSIE' # Toby web shell
            - '*(Charon; Inferno)' # Loki Bot
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection
            - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
            # Ursnif
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
            # Emotet
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
            # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
            - 'Mozilla/5.0 (Windows NT 6.1)'
            - 'AppleWebkit/587.38 (KHTML, like Gecko)'
            - 'Chrome/91.0.4472.77'
            - 'Safari/537.36'
            - 'Edge/91.0.864.37'
            - 'Firefox/89.0'
            - 'Gecko/20100101'
            # Others
            - '* pxyscand*'
            - '* asd'
            - '* mdms'
            - 'sample'
            - 'nocase'
            - 'Moxilla'
            - 'Win32 *'
            - '*Microsoft Internet Explorer*'
            - 'agent *'
            - 'AutoIt' # Suspicious - base-lining recommended
            - 'IczelionDownLoad'
            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
            - 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
            - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
            - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
            - 'antSword/v2.1' # AntSword Webshell UA
            - 'rqwrwqrqwrqw'  # Racoon Stealer
            - 'qwrqrwrqwrqwr'  # Racoon Stealer
            - 'rc2.0/client'  # Racoon Stealer
            - 'TakeMyPainBack'  # Racoon Stealer
            - 'xxx' # Racoon Stealer
            - '20112211' # Racoon Stealer
            - '23591' # Racoon Stealer
            - '901785252112' # Racoon Stealer
            - '1235125521512' # Racoon Stealer
            - '125122112551' # Racoon Stealer
            - 'B1D3N_RIM_MY_ASS' # Racoon Stealer
            - 'AYAYAYAY1337' # Racoon Stealer
            - 'iMightJustPayMySelfForAFeature' # Racoon Stealer
            - 'ForAFeature' # Racoon Stealer
            - 'Ares_ldr_v_*' # AresLoader
            # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
            - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
            - 'CLCTR' # https://github.com/silence-is-best/c2db
            - 'uploader' # https://github.com/silence-is-best/c2db
            - 'agent' # https://github.com/silence-is-best/c2db
            - 'License' # https://github.com/silence-is-best/c2db
            - 'vb wininet' # https://github.com/silence-is-best/c2db
            - 'Client' # https://github.com/silence-is-best/c2db
            - 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
            - 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
            - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
            - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
            - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
            - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
            - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
            - 'DuckTales' # Racoon Stealer
            - 'Zadanie' # Racoon Stealer
            - 'GunnaWunnaBlueTips' # Racoon Stealer
            - 'Xlmst' # Racoon Stealer
            - 'GeekingToTheMoon' # Racoon Stealer
            - 'SunShineMoonLight' # Racoon Stealer
            - 'BunnyRequester' # BunnyStealer
            - 'BunnyTasks' # BunnyStealer
            - 'BunnyStealer' # BunnyStealer
            - 'BunnyLoader_Dropper' # BunnyStealer
            - 'BunnyLoader' # BunnyStealer
            - 'BunnyShell' # BunnyStealer
            - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
            - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
            - 'SouthSide' # Racoon Stealer
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imWebSession
| where HttpUserAgent in~ ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)", "HttpBrowser/1.0", "nsis_inetc (mozilla)", "Wget/1.9+cvs-stable (Red Hat modified)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)", "Mozilla/5.0 WinInet", "RookIE/1.0", "M", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)", "backdoorbot", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)", "Opera/8.81 (Windows NT 6.0; U; en)", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)", "Opera", "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)", "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)", "MSIE", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)", "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)", "Mozilla/5.0 (Windows NT 6.1)", "AppleWebkit/587.38 (KHTML, like Gecko)", "Chrome/91.0.4472.77", "Safari/537.36", "Edge/91.0.864.37", "Firefox/89.0", "Gecko/20100101", "sample", "nocase", "Moxilla", "AutoIt", "IczelionDownLoad", "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)", "record", "mozzzzzzzzzzz", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0", "Havana/0.1", "antSword/v2.1", "rqwrwqrqwrqw", "qwrqrwrqwrqwr", "rc2.0/client", "TakeMyPainBack", "xxx", "20112211", "23591", "901785252112", "1235125521512", "125122112551", "B1D3N_RIM_MY_ASS", "AYAYAYAY1337", "iMightJustPayMySelfForAFeature", "ForAFeature", "Microsoft Internet Explorer", "CLCTR", "uploader", "agent", "License", "vb wininet", "Client", "Lilith-Bot/3.0", "svc/1.0", "WSHRAT", "ZeroStresser Botnet/1.5", "OK", "Project1sqlite", "Project1", "DuckTales", "Zadanie", "GunnaWunnaBlueTips", "Xlmst", "GeekingToTheMoon", "SunShineMoonLight", "BunnyRequester", "BunnyTasks", "BunnyStealer", "BunnyLoader_Dropper", "BunnyLoader", "BunnyShell", "SPARK-COMMIT", "4B4DB4B3", "SouthSide", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)") or HttpUserAgent contains "<|>" or HttpUserAgent contains "zeroup" or HttpUserAgent startswith "Mozilla/5.0 (Windows NT 5.1 ; v." or HttpUserAgent contains " adlib/" or HttpUserAgent endswith " tiny" or HttpUserAgent contains " BGroom " or HttpUserAgent endswith " changhuatong" or HttpUserAgent endswith " CholTBAgent" or HttpUserAgent endswith "(Charon; Inferno)" or HttpUserAgent contains " pxyscand" or HttpUserAgent endswith " asd" or HttpUserAgent endswith " mdms" or HttpUserAgent startswith "Win32 " or HttpUserAgent contains "Microsoft Internet Explorer" or HttpUserAgent startswith "agent " or HttpUserAgent startswith "Ares_ldr_v_"

False Positive Guidance

Scenario: System Maintenance Task Using a Known Malware User Agent
Description: A legitimate system maintenance task (e.g., Windows Task Scheduler running schtasks.exe) may use a user agent string that matches a known malware pattern.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler or processes with CommandLine containing schtasks.exe or at.exe.
Scenario: Admin Access via Proxy with Custom User Agent
Description: An administrator might use a custom user agent string (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36) for testing or monitoring purposes.
Filter/Exclusion: Exclude traffic originating from admin IP ranges or user agents that match known admin tools (e.g., curl, wget, Postman).
Scenario: Scheduled Job Using a Legitimate Tool with Mismatched User Agent
Description: A scheduled job using a tool like curl or PowerShell might send a request with a user agent string that appears suspicious due to formatting or misconfiguration.
Filter/Exclusion: Exclude requests with User-Agent matching curl/7.81.0 or PowerShell/7.2.5 or those originating from a known job scheduler (e.g., crontab, jenkins, Azure DevOps).
Scenario: Proxy Log Anomalies from Internal Monitoring Tools
Description: Internal monitoring tools (e.g., Prometheus, Grafana, ELK Stack) may generate proxy logs with user agents that resemble malware patterns.
Filter/Exclusion: Exclude traffic

MITRE ATT&CK Context

Tactic: Command and Control
Technique: T1071.001