alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ASYNC RAT Payload Inbound"; flow:established,to_client; http.content_type; content:"image/"; startswith; http.response_body; content:"|ef bb bf 24|Content|20 3d 20 40 27 0d 0a 0d 0a 0d 0a 24|hexString"; startswith; fast_pattern; content:"|22|4D|5f|5A|5f|"; distance:0; reference:md5,918e30fc0444c809edc8bc13919e085a; classtype:trojan-activity; sid:2054659; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_07_24, deployment Perimeter, malware_family AsyncRAT, confidence High, signature_severity Major, updated_at 2024_07_24;)