alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/UnkRAT RC4 Encrypted Payload Inbound"; flow:established,to_client; http.response_body; content:"|b3 4c 86 f4 77 36 f2 88 6a a6 82 2f 03 a7 f1 12 c9 1b 49 b9 a7 37 ae 20 f3 66 b7 41 91|"; startswith; fast_pattern; reference:md5,2b1aadc3c4eebdd8b4bbd4cbb1fb2468; classtype:trojan-activity; sid:2054103; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_06_27, deployment Perimeter, malware_family JS_UnkRAT, confidence High, signature_severity Critical, updated_at 2024_06_27;)