# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Suspicious user-agent regular expressions (one pattern per line; lines starting with '#' are comments)
#
# Note: several entries are deliberately broad (e.g. "python-requests", "Go-http-client", "wordpress",
# "hello", "Gemini", "Miner", "Google Chrome") and will also match benign or generic client traffic;
# treat a hit on such an entry as a low-confidence indicator to corroborate, not as proof of compromise.

# Reference: https://rules.emergingthreats.net/

\(\) { :;
2search
404search
91cast
\A\w{1,2}\Z
\A[^ ]\Z
\(spkg\)
_test_
aaaabbb
absinthe
\Aaccess\b
access down
acunetix
ad-protect
\Aadlib
agavadwnl
\Aagent\Z
alawar toolbar
\Aalina v
\Aanonym
antispyware
antivermeans
antivirgear
anycleaner
apachebench
api-guide test program
\Aasd\Z
askpartner
asktoolbar
asmupdater
atomic_email_hunter
\Aatsu
attacker
auctionplusup
autodl
autohotkey
autoit
\Aav2010
\Ab register
babykrokodil
\Ababylon
backdoor
backdor
backman
bad_bot
\Abar\Z
bdsclk
bdwinrun
beacon
bgroom
binget
bitkinex
blackhat
blacksun
blahrx
bnddriveloader
bndveano4getdownldr
bot (scan|search)
bot for jce
\Abrowser\Z
bsqlbf
bugmaal
\Abuild
\Abundle\Z
\Abwl\Z
changhuatong
chilkatupload
\Achk profile
\Achrome( [\d.]+)?\Z
\Acityreview
\Acleancop
clickteam
clshttp
\Acommonname
\Aconnector v
coolstreaming
\Acount
\Acounters
\Acpush_
crazybro
crowdstrike
cs fingerprint module
\Actt\Z
customspy
cyberdog
damn small
darecover
darkness
datacha0s
\Adbcount
decebavl
deepdoupdate
\Ademo\Z
\Ademomake
dialer
\Adinstaller
dirbuster
dns extractor
doctorpro
doctorvaccine
doshowmeanad
\Adotbot
downing
\Adownload agent\Z
download master
\Adownloaded
\Adownloader\Z
\Adownloadmr
drivecleaner
drpcclean
dsmbvctfre
\bdummy\b
eeloader
egypack
\Aei\Z
emailsiphon
errn200
errornuker
\Aers\Z
\Aesb\Z
eshopee
evnuker
\Aexabot
\Aexample\Z
\Aexe2
\Aexplorer\Z
ezshop
\Aezula
facecooker
fast browser search
favupdate
fdmuiless
\Afeat\b
\Afetcher\b
fhscan
fian3manager
\Afile\b
filebulldog
filedownloader
fimap
\Afirefox( [\d.]+)?\Z
fmbvdfresct
\Afoca
folderwin
forthgoer
fs3update
fsl \d
fucking scanner
fullstuff
fwversiontestagent
gabpath
\Agator
\Agbot
general antivirus
get_site
getjob
gh20
giftz
\Aglobal\Z
go-diva
godzilla
gomtour
\Agoogle page
gsa-crawler
gtbank
guidtracker
Hakai/2.0
hardcore software
havij
\Ahelpsrvc
hoic
http_connect
http_down
http_filedown
http_get_comm
\Ahttp_query
httperf
httpfiledown
httpgetdata
httping
\Ahttps\b
httrack
huai_huai
hydra
i-scan
\biamx
ibsband-
\Aie\Z
ie6 on windows xp
ie_6\.0
iedefender
iefeatsl
\Aiep\Z
ietoolbar
\Aiexplore(r)?( [\d.]+)?\Z
\Aim download
immoral
inetall
\Ainfobox
\Ainstall_
installcapital
installnotify
\Ainternet\Z
internet  explorer
internet antivirus
\Ainternetsecurity
invokead
ioinstall
isc systems irc
isecu
ismazo
istsvc
\Aisupd
\Aiwin
\Aiwonsearch
jorgee
krmak
krsystem
kuku
\ALARK
letitgo
\blibweb
lineguide
linkrunner
live enterprise suite
lmaokaazldr
\bloader
lobo lunar
\Alocus
\bloic
\Alotto
lsosss
\Alynx\Z
m a mu mu mu
machaon
\bmacrovision_dm
magic netinstaller
malwarewipe
\bmama\b
masscan
mazilla
\Ambar
mbescvdfrt
\Amc_v1
\Amdms
mdodo
\Ameinv\d
metasploit
microgaming install program
\Amicrosoft\Z
\Amicrosoft internet explorer\Z
mirar_
missigua locator
morfeus
mot-mpx220
moxilla
moziea
mozila
\Amozilla ( [\d.]+)?\Z
\Amozilla/3\.0 \(compatible; indy library\)\Z
mozilla/4\.0 \(compatible; ics\)
mozillar
mozzila
mrgud
\Ams\Z
msdn surfbear
msgplus3
\Amsie( [\d.]+)?\Z
msiecrawler
\bmsndown
\bmuseon
\bmy session
myagent
\bmyie\b
mypcdoc
mysqloit
myway
\Anavhelper
nento
\bnento
neonabyupdate
nessus
\Anetcfg
netinstaller
netscafe
netsparker
nexpose
nguideup
nikto
nit_love
nmap
\Anobo
nqx315
nsauditor
nsis_inetc
\Ansisdl
nuker
nv32ts
offline explorer
oinc
onandon
openpage
openvas
\Aopera( [\d.]+)?\Z
\Aossproxy
ossproxy
our_agent
owasp
owasp_secret_browser
pangolin
\Apass\Z
pcclear
\Apcdoc
pcflashbang
\Apcsafe
pcsafe
phpcrawl
pilipinas
pinballcorp
pint_agency
pivim
pockethttp
poller
\Apopup
printf ["']
privoxy
proscan-down
proxydown
\Apsi\Z
\Apts\Z
\Apwmi
pxyscand
qdrbi starter
qiu shou gou
qqgame
\Aqvod
rangecheck/
recon-ng
rekom
releasexp
rescue/
revolt
\Arevolution
rhyno321
richcasino
rivest
rogue
rome0321
rookie
\brx bar
\Asaiv
\Asave\Z
scanalert
scrapebox
\Asearch toolbar
searchprotect
\Asearchtool
\Asecurityinternet
sefastsetup
\Asendfile
seobot
sextrackerwsi
sgrunt
\Ashell
\Ashini
\bsi25
sicklebot
sickloader
\Asidebar
\Asidesearch
simpleclient
sitelockspide
sitesnagger
sitesucker
skolovani
skw000
skypee
slayer
\bsleep\b
smaal
smart-rtp
\Asme32
smileware
snatch-system
snoopstick
snoopy
sogouexplorerminisetup
sogouime
something
\Asosospider
speedrunner
sprout game
spydawn
spyheal
spylocked
sql power injector
sqlmap
sqlninja
srinstaller
srrecover
ssol netinstaller
statistican
stbhoget
steroid download
sucuri integrity monitor
suggestion
sun4u
synapse
system32
sznotifyident
tabtoolbarup
talwinhttpclient
tbonas
tcbfrvdems
tear application
teleport
\Atesla
\Atest\Z
\Atiehttp
\Atiny
\Atoolbar
tools\.ua\.random
\Atpsystem
\Atravel update
trymedia_dm_
\Atsa/
twiceler
u2clean
ubrenquatrorusdldr
\Audonkey
ultimate fixer
\Aumbra\Z
\Aunknown
\Aupdate\Z
update internet antivirus
\Aupdater\Z
\Aupdates downloader
updatesodui
\Auphttp
\Aus\Z
\Auser agent
user_check
vaccine
vaccinekiller
\Avb wininet
vbtagedit
vbusers
vctestclient
vertexnet
vhibot
vikiller ctrl
\Aviper
virus_kill
viruscheck
virusheat
virusprotectpro
vmozilla
vomba
vulnerable
vulture
w00tw00t
w3af
wb v\d
webcount
\Awebfile
webstripper
webvulncrawl
wep search
\Awget( \d)?\Z
whcc
\Awhitehat
widgitoolbar
\Awin32
winbutler
windoss
\Awindows 5.1 \(2600\)
\Awindows internet
windows updates manager
winfix master
winfixmaster
wininetget/
\Awinlogon
\Awinsoftware
wintouch
wizpop
\Awnames
wordpress
worked
wpscan
wt_get_comm
\Awta_
wtinstaller
wtrecover
xehanort321
xiehongwei
xmlset_roodkcable
xsock config
xxx
\Ayandex
yhrbg
yodao
\Ayok agent
yourscreen
z00sagent
zc xml-rpc
\Azc xml-rpc
zc-bridgev
\Azcom
zealbot
zeroup
\bzmeu\b
\Azz_

# Reference: https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html

JDatabaseDriverMysqli

# Reference: https://twitter.com/Racco42/status/1053336574753148928
# Reference: https://www.hybrid-analysis.com/sample/f65ba1cc50b29dd05ddaa83242f4b7bd0429841bfc4befa9e203cb6621d2389b?environmentId=100

4RR0B4R 4 X0T4 D4 TU4 M4E

# Reference: https://twitter.com/bad_packets/status/1104618320882393088
# Reference: https://pastebin.com/raw/Zc7h4vkN

zgrab

# Reference: https://twitter.com/bad_packets/status/1104313051166068737

python-requests

# Reference: https://twitter.com/bad_packets/status/1083657979788816384

Hello, World
Gemini

# Reference: https://twitter.com/bad_packets/status/1083896276641472514

OSIRIS

# Reference: https://twitter.com/bad_packets/status/1078192846048452608

Rift

# Reference: https://twitter.com/nmatte90/status/1102263049203998722

NotRift

# Reference: https://twitter.com/bad_packets/status/1111777543869194240

HaxerMen

# Reference: https://twitter.com/ankit_anubhav/status/1069562868918566914

jexboss

# Reference: https://twitter.com/bad_packets/status/1095565095361368064

Hacks

# Reference: https://twitter.com/bad_packets/status/1096201963497111553

Go-http-client

# Reference: https://twitter.com/bad_packets/status/1088707628442644480

Ronin

# Reference: https://twitter.com/bad_packets/status/1088711085375479809

Oof

# Reference: https://perchsecurity.com/perch-news/threat-report-sunday-february-3rd-2019/

Cayosin
Cock

# Reference: https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/

Blade/2.0
Hello-World
Hito

# Reference: https://securitywithoutborders.org/blog/2019/03/29/exodus.html

it\.promofferte

# Reference: https://twitter.com/SettiDavide89/status/1116682737455382528

ransomware

# Reference: https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/

Mozilla/4.0 (compatible; Clever Internet Suite)

# Reference: https://twitter.com/James_inthe_box/status/1119932303088578561

QXQ_35

# Reference: https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html

iq\.46

# Reference: https://twitter.com/360Netlab/status/974374944711815168

Geth

# Reference: https://www.netskope.com/blog/malicious-google-sites

otlook

# Reference: https://twitter.com/0xrb/status/1121820943972593665

Nakuma

# Reference: https://twitter.com/0x13fdb33f/status/1122544651628576768
# Reference: https://www.kernelmode.info/forum/viewtopic.php?p=32871
# Reference: https://otx.alienvault.com/pulse/5cc6ca1e69cc6cfee80974a7

Miner
Unzip

# Reference: https://twitter.com/0xrb/status/1122728648996298752

Cakle

# Reference: https://twitter.com/0xrb/status/1123149312689491973

NoPublicity

# Reference: https://twitter.com/James_inthe_box/status/1079757827030142976

NetSupport Manager

# Reference: https://bomccss.hatenablog.jp/entry/2019/04/30/235933 (Japanese)

Google Chrome

# Reference: https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/

Megumin

# Reference: https://twitter.com/bad_packets/status/1124922288862666753

Snickers-Avtech

# Reference: https://twitter.com/rommeljoven17/status/1052865294081781760

thricer

# Reference: https://twitter.com/rommeljoven17/status/1037982220005195776

Owari

# Reference: https://www.hybrid-analysis.com/sample/442fe9bb6820ba79ca48429df8e5a01e991302be2a0d45a35c99c5d006a1d64a

FA\.G\.4\.5

# Reference: https://twitter.com/jorgemieres/status/1133052016568274950

Mozilla/4.08 (Charon; Inferno)

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/

MinGate

# Reference: https://twitter.com/bad_packets/status/1142325648888696837

Liquor

# Reference: https://twitter.com/malware_traffic/status/1146086054207873024

dpost

# Reference: https://twitter.com/gamesover/status/552140159442235394
# Reference: http://ltx71.com/

ltx71

# Reference: https://twitter.com/eromang/status/14713546159
# Reference: https://eromang.zataz.com/2010/05/25/suc016-user-agent-toata-dragostea-mea-pentru-diavola-scanner/

Toata dragostea mea pentru diavola

# Reference: https://twitter.com/eromang/status/14702343100
# Reference: https://eromang.zataz.com/2010/04/23/suc004-phpmyadmin-user-agent-revolt-scanner/

revolt

# Reference: https://thehackernews.com/2017/08/android-ddos-botnet.html (WireX)

jigpuzbcomkenhvladtwysqfxr
yudjmikcvzoqwsbflghtxpanre
mckvhaflwzbderiysoguxnqtpj
deogjvtynmcxzwfsbahirukqpl
fdmjczoeyarnuqkbgtlivsxhwp
yczfxlrenuqtwmavhojpigkdsb
dnlseufokcgvmajqzpbtrwyxih

# Reference: https://twitter.com/21doob/status/476434364516282369

hello

# Reference: https://twitter.com/James_inthe_box/status/1151583038087655424

UniqUAF

# Reference: https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/

Installer/23

# Reference: https://twitter.com/James_inthe_box/status/1152234123844415489

binary\_getter/1.0

# Reference: https://twitter.com/James_inthe_box/status/1153450058722865152

KJW0rm

# Reference: https://twitter.com/ViriBack/status/1154377089077993474

Finder/28

# Reference: https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later

sENB2a36p61HSKES

# Reference: https://twitter.com/stvemillertime/status/1151148881729789954

Mozilla/5.3 (i686-iamsatan-mingw32)

# Reference: https://twitter.com/reesespcres/status/1144703633377964033

Mozilla/5.2 (i686-w64-mingw32)

# Reference: https://twitter.com/DissectMalware/status/1069507395448184833

4M2yC5u1stom4U1se3r

# Reference: https://twitter.com/ItsReallyNick/status/1033413803470467072

NMS\.19

# Reference: https://twitter.com/PhishingAi/status/994210210389557250

l33boLAMER

# Reference: https://twitter.com/sixdub/status/992001190950031361

WinHTTP loader/1.0

# Reference: https://twitter.com/stvemillertime/status/985150675527974912

CertUtil URL Agent

# Reference: https://twitter.com/malwareforme/status/918503641887096832

OtherUser

# Reference: https://twitter.com/JohnLaTwC/status/912301412993794049
# Reference: https://www.virustotal.com/gui/file/050cdd4e6195e5be16d883b83350c1baa4c7a614814f9ff85ff6c65bfa6fefe9/detection

Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone 7.5; Trident/5.0; IEMobile/9.0)

# Reference: https://twitter.com/stdaux/status/861217811015680001

Mozilla/5.0 (ENIAC; the Electronic Numerical Integrator and Computer)

# Reference: https://twitter.com/xme/status/753325697830182912

Gluten Free Crawler/1.0

# Reference: https://twitter.com/abuse_ch/status/700252982731018241

givmafile

# Reference: https://twitter.com/nimolix/status/562532331357892608

parsijoo-bot

# Reference: https://twitter.com/bortzmeyer/status/545492437628891136

Kim Jong-un Evil Browser

# Reference: http://www.behindthefirewalls.com/2013/11/the-importance-of-user-agent-in-botnets.html

underworld
system-update
test\_hInternet
installer-agent
sleep 300000

# Reference: https://twitter.com/ericasadun/status/12333713924816896

MediaControl

# Reference: https://twitter.com/VK_Intel/status/1156983051974533120
# Reference: https://www.virustotal.com/gui/file/b77a0939dc6720e349f36e368a4f222295baf3d7fdd1ef851c19fa163ade1cc5/detection

ApacheBench

# Reference: https://twitter.com/bad_packets/status/1157819242500149248

Ankit

# Reference: https://twitter.com/James_inthe_box/status/1163565834343632897

\ALicense\Z

# Reference: https://twitter.com/nmatte90/status/1163141154445176833

Testingus

# Reference: https://gist.github.com/Neo23x0/00bc2b883c530f7a12b055549e9076ff

Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)

# Reference: https://twitter.com/ViriBack/status/991782471149801472

928776C4AD04B453186FF486335CB3D2

# Reference: https://twitter.com/cyb3rops/status/883717898228736003
# Reference: https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_malware.yml

backdoorbot
CholTBAgent
HttpBrowser/1.0
IczelionDownLoad
SJZJ
Mozilla/5.0 WinInet

# Reference: https://twitter.com/x0rz/status/748858850896470016

Cristmas Mystery

# Reference: https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_apt.yml

O/9.27 (W; U; Z)

# Reference: https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_hacktool.yml

arachni
BFAC
brutus
cgichk
core-project
crimscanner
domino hunter
dotdotpwn
FHScan Core
floodgate
get-minimal
gootkit auto-rooter scanner
grendel-scan
inspath
internet ninja
jaascois
\bmetis\b
morfeus fucking scanner
Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
n-stealth
pmafind
ruler
security scan
springenwerk
teh forest lobster
uil2pn
\bvega\b
voideye
webshag
webvulnscan

# Reference: https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign

Mozilla/5.0 (Windows NT 10.0; &)

# Reference: https://twitter.com/luc4m/status/1166765980489584640

WSHRAT

# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/01075510/TV_RMS_IoC_eng.pdf

Mozilla/4.0 (compatible; RMS)
Mozilla/4.0 (compatible; MSIE 6.0; DynGate)

# Reference: https://twitter.com/chybeta/status/1167617571287289856

webmin
