alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In"; flow:established,to_client; content:"|71 00 00 00 00|"; startswith; fast_pattern; content:!"|00|"; within:1; content:"|11 00 00 00|"; distance:112; within:5; content:!"|00|"; distance:1; within:1; threshold:type limit, track by_dst,seconds 30,count 1; reference:md5,cb0a4f14d441666ccb5d0b2f170a2d78; reference:url,app.any.run/tasks/e6be415f-589d-4491-a1cd-abf070510d31; reference:url,github.com/moom825/xeno-rat; reference:url,community.emergingthreats.net/t/xeno-rat/1290; classtype:command-and-control; sid:2050110; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_01_17, deployment Perimeter, malware_family XenoRat, confidence Medium, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_11;)