alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA SMB Naming Format"; flow:to_server,established; content:"SMB|A2|"; content:"|5c 00|W|00|I|00|N|00|D|00|O|00|W|00|S|00 5c 00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00 5c|"; distance:0; fast_pattern; pcre:"/^(?:(?!\x00\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?\x2e\x00t\x00x\x00t/Rsi"; flowbits:set,ET.kaptoxa; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018058; rev:2; metadata:created_at 2014_02_04, confidence Medium, signature_severity Major, updated_at 2022_03_17;)