alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|2e|zip|3b 20|filename="; distance:1; within:15; content:"|2e|zip"; distance:1; within:4; endswith; http.response_body; content:"PK|03 04|"; startswith; content:"|2e|exe"; within:150; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:command-and-control; sid:2034872; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_07, deployment Perimeter, malware_family PurpleFox, performance_impact Significant, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_10;)