alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PeakLight/Emmenhtal Loader Payload Delivery Template Observed"; flow:established,to_client; http.response_body; content:"|3c|link|20|rel|3d 22|icon|22 20|href|3d|"; startswith; content:"build|2d|10158|2e|png|22 3e 0d 0a|"; distance:0; fast_pattern; content:"property|3d 22|og|3a|image|22 20|"; distance:0; content:"|5c|DavWWWRoot|5c|"; distance:0; content:"displayname=Downloads"; distance:0; reference:url,app.any.run/tasks/e2875d7e-7c85-4033-9508-4e986d598e2a; classtype:trojan-activity; sid:2058178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_12_11, deployment Perimeter, deployment SSLDecrypt, malware_family PeakLight, malware_family Emmenhtal, confidence Medium, signature_severity Major, updated_at 2024_12_11;)