ET MALWARE Trojan/W32.KRBanker.60928.C Checkin
Source: et/open
Created: December 1, 2014
Updated: September 28, 2020
Classification: command-and-control
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/W32.KRBanker.60928.C Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/upload.php"; http.header; content:"|0d 0a|Accept-Language|3a 20|zh-cn|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; bsize:50; http.request_body; content:"name=|22|upload_file1|22 3b 20|"; fast_pattern; content:".zip|22 0d 0a|"; content:"Content-Type|3a 20|application/x-zip-compressed|0d 0a|"; pcre:"/filename=\x22[A-Z]\x3a\\.+?\\[a-f0-9]{32}\.zip\x22\r\n/"; reference:md5,ec5d7bc9d84551066fff51e36bc41d4d; reference:md5,13bd584bb12ee5dc15c35f5911912b09; classtype:command-and-control; sid:2019828; rev:5; metadata:created_at 2014_12_01, signature_severity Major, updated_at 2020_09_28;)
References
| md5 | ec5d7bc9d84551066fff51e36bc41d4d |
| md5 | 13bd584bb12ee5dc15c35f5911912b09 |
Metadata
created at: 2014_12_01
signature severity: Major
updated at: 2020_09_28