alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Backdoor.BlackMonay Checkin"; flow:established,to_server; http.uri; content:".Php?UserName="; nocase; content:"&Bank="; nocase; content:"&Money="; nocase; http.accept_lang; content:"zh-cn"; startswith; reference:md5,4a203e37caa2e04671388341419bda69; classtype:command-and-control; sid:2014306; rev:4; metadata:created_at 2012_03_05, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_21;)