alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmartLoader CnC Exfil (screen.bmp)"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/loader/screen/"; startswith; http.request_body; content:"filename|3d 22|screen|2e|bmp|22 0d 0a 0d 0a 42 4d|"; fast_pattern; content:"name|3d 22|data|22 0d 0a 0d 0a 7b 22|data|22 3a 20|"; reference:url,community.emergingthreats.net/t/smartloader/1428; classtype:trojan-activity; sid:2051455; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_03_04, deployment Perimeter, malware_family SmartLoader, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_04;)