alert tcp $HOME_NET any -> $EXTERNAL_NET !5938 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 104"; flow:established,to_server; app-layer-protocol:!tls; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:9; depth:21; fast_pattern; byte_test:4,<,65535,-14,relative,little; byte_test:4,<,65535,-10,relative,little; byte_jump:4,-10,relative,little,post_offset 3; isdataat:!2,relative; pcre:"/^.{9,28}\x78\x9c/s"; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:command-and-control; sid:2022401; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2016_01_22, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, confidence Medium, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2024_07_03;)