alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell with Decimal Encoded RUNPE Downloaded"; flow:established,to_client; http.content_type; content:"text/plain"; startswith; http.response_body; content:"RUNPE"; nocase; content:"31,139,8,0,0,0,0,0,4,0,237,189,7,96"; within:50; fast_pattern; content:"82,101,109,111,116,101,83,105,103,110,101,100"; distance:0; reference:url,blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader; classtype:trojan-activity; sid:2034980; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_26;)