alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"info"; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/"; http.request_line; content:"/get.php|20|HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:10; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_04_18, deployment Perimeter, malware_family Android_Hqwar, signature_severity Major, tag Android, updated_at 2020_11_03, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)