Versions (4)
Version DetailsCurrent
Rev: 1 • Oct 4, 2021, 12:00 PMET MALWARE MirrorBlast KiXtart Downloader Server Response
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MirrorBlast KiXtart Downloader Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".rb|0d 0a|"; within:32; http.cookie; content:"XSRF-TOKEN=eyJpdiI6I"; pcre:"/(?:I(?:iwidmFsdWUiO|sInZhbHVlIjo)i|iLCJ2YWx1ZSI6I)/R"; content:"load_session=eyJpdiI6I"; fast_pattern; pcre:"/(?:I(?:iwidmFsdWUiO|sInZhbHVlIjo)i|iLCJ2YWx1ZSI6I)/R"; classtype:command-and-control; sid:2034110; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_10_04;)
Oct 4, 2021, 12:00 PM
Oct 4, 2021, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 8, 2025, 9:34 PM
rules/emerging-malware.rules