STEALER [PTsecurity] SHub Requesting Commands

SID: 10017278
Rev: 2
Enabled
2 views
File: ptopen-malware.rules
Created: June 23, 2026
Updated: June 23, 2026
Classification: trojan-activity
alert http any any -> any any (msg:"STEALER [PTsecurity] SHub Requesting Commands"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/heartbeat"; endswith; http.header; content:"User-Agent|3a| curl/"; nocase; content:"Content-Type|3a| application/json"; nocase; content:!"Referer|3a|"; nocase; http.request_body; content:"{"; startswith; content:"|22|bot_id|22 3a|"; within:12; fast_pattern; content:"|22|build_id|22 3a|"; distance:0; content:"|22|hostname|22 3a|"; distance:0; content:"|22|ip|22 3a|"; distance:0; content:"|22|os"; distance:0; threshold:type limit, track by_dst, count 1, seconds 120; reference:url, www.virustotal.com/gui/file/ffb79953b8d822a5433f08e1e3958a0c7e9e856749a6d90c83b9e4ef5813a03a/detection; reference:url, intel.breakglass.tech/post/shub-stealer-v2-terafolt-live-c2-103-wallets-applescript-source; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10017278; rev:2;)
