alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Randrew!rfn CnC Activity"; flow:established,to_server; threshold:type limit,track by_src,count 1,seconds 30; http.request_body; content:"botversion="; depth:11; content:"xfor="; within:22; content:"winver="; within:33; reference:md5,74dd0e38deaf778e621434a2ca9c7c74; reference:url,microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:Win32/Randrew.A!bit; classtype:command-and-control; sid:2024955; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, malware_family Win32_Randrew_rfn, performance_impact Moderate, confidence High, signature_severity Major, updated_at 2020_08_13;)