alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Matanbuchus Loader Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_len; byte_test:0,<,100,0,string,dec; http.response_body; content:"eyJoc3pBIjoi"; startswith; fast_pattern; pcre:"/(?:ifQ==|In0=|J9)$/"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034470; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, malware_family Matanbuchus, confidence High, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)