Versions (6)
Version Details
Current
Rev: 1 • Oct 9, 2025, 2:49 PM
STEALER [PTsecurity] WorldWind
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "STEALER [PTsecurity] WorldWind"; flow: established, to_server; content: "POST"; http_method; content: "/bot"; http_uri; depth: 4; content: "/sendDocument?chat_id="; distance: 44; http_uri; content: "&text="; distance: 0; http_uri; content: "WorldWind"; http_uri; fast_pattern; content: "System:"; http_uri; content: "CPU:"; http_uri; content: "Screen:"; http_uri; content: !"Referer:"; http_header; threshold: type limit, track by_dst, count 1, seconds 120; reference: url, https://app.any.run/tasks/ab8f29a9-cf74-4f63-b296-dced2e5a2393; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10009186; rev: 1;)
Oct 9, 2025, 2:49 PM
Oct 16, 2025, 10:34 AM
rules/ptopen-malware.rules