alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded PowerShell Args Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x70|5c|x6F|5c|x77|5c|x65|5c|x72|5c|x73|5c|x68|5c|x65|5c|x6C|5c|x6C|5c|x2E|5c|x65|5c|x78|5c|x65"; content:"|5c|x2D|5c|x65|5c|x78|5c|x65|5c|x63|5c|x75|5c|x74|5c|x69|5c|x6F|5c|x6E|5c|x70|5c|x6F|5c|x6C|5c|x69|5c|x63|5c|x79|5c|x20|5c|x62|5c|x79|5c|x70|5c|x61|5c|x73|5c|x73"; distance:0; fast_pattern; content:"|5c|x2D|5c|x77|5c|x69|5c|x6E|5c|x64|5c|x6F|5c|x77|5c|x73|5c|x74|5c|x79|5c|x6C|5c|x65|5c|x20|5c|x68|5c|x69|5c|x64|5c|x64|5c|x65|5c|x6E"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026331; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, malware_family Xbash, performance_impact Low, confidence High, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_25;)