alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Banload Downloading Executable"; flow:established,from_server; flowbits:isset,ET.autoit.ua; http.content_type; content:"image/"; startswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:md5,838ab7aacac590ea2e170888b2502a63; classtype:trojan-activity; sid:2019165; rev:4; metadata:created_at 2014_09_11, confidence Medium, signature_severity Major, updated_at 2020_06_24;)