ET MALWARE QRat.Java.RAT Post-Checkin Request

SID: 2025393
Rev: 2
Source: et/open
Created: February 26, 2018
Updated: July 26, 2019
Classification: command-and-control
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE QRat.Java.RAT Post-Checkin Request"; flow:established,to_server; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; depth:10; offset:2; fast_pattern; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|2c 22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:command-and-control; sid:2025393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, malware_family QRat, confidence High, signature_severity Major, tag Qrat, updated_at 2019_07_26;)

Metadata

affected product: Windows_XP_Vista_7_8_10_Server_32_64_Bit
attack target: Client_Endpoint
created at: 2018_02_26
deployment: Perimeter
malware family: QRat
confidence: High
signature severity: Major
tag: Qrat
updated at: 2019_07_26
