Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected DonotGroup Dropper Telegram API Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot1624838777:AAGjNO7By4SqVdmXRlSPcde2DRinvDNYbzA/"; fast_pattern; startswith; http.host; content:"api.telegram.org"; bsize:16; reference:md5,00f6982debf7fc28b7e70b041bc22cf7; reference:md5,f23dd9acbf28f324b290b970fbc40b30; reference:url,tria.ge/210614-5mqbl1ecva/behavioral2; classtype:trojan-activity; sid:2033364; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_20, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_07_17;)