alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Retrieving RAR Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rar"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 6.1|3b 20|en-us|3b 20|rv:1.9.2.3) Gecko/20100401 YFF35 Firefox/3.6.3"; depth:94; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020885; rev:6; metadata:created_at 2015_04_09, deprecation_reason Age, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_28, reviewed_at 2024_03_28;)