alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UNK_MonkeyWrench Payload Retrieval attempt"; http.method; content:"GET"; http.uri; content:"driver.exe"; fast_pattern; endswith; http.user_agent; content:"curl|2f|"; startswith; http.accept; bsize:3; content:"|2a 2f 2a|"; content:"|0d 0a|host|0d 0a|user-agent|0d 0a|accept|0d 0a 0d 0a|"; flow:established,to_server; reference:md5,7d0abcefe815b84f767eadba3b62df63; classtype:trojan-activity; sid:2068345; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, tls_state TLSDecrypt, created_at 2026_03_19, deployment Perimeter, deployment SSLDecrypt, malware_family UNK_MonkeyWrench, performance_impact Low, confidence High, signature_severity Major, updated_at 2026_03_19; target:src_ip;)