alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) HttpHeader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"AAAAAA"; endswith; http.accept; content:"*/*"; startswith; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|MSIE|20|7|2e|0|3b 20|Windows|20|NT|20|6|2e|1|3b 20|WOW64|3b 20|Trident|2f|4|2e|0|3b 20|SLCC2|3b 20 2e|NET|20|CLR|20|2|2e|0|2e|50727|3b 20 2e|NET|20|CLR|20|3|2e|5|2e|30729|3b 20 2e|NET|20|CLR|20|3|2e|0|2e|30729|3b 20|Media|20|Center|20|PC|20|6|2e|0|3b 20 2e|NET4|2e|0C|3b 20 2e|NET4|2e|0E|29|"; startswith; http.host; content:"r.photo.store.qq.com"; fast_pattern; startswith; http.connection; content:"Keep-Alive"; startswith; http.header; content:"Accept-Encoding|3a 20|gzip, deflate"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2026688; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, malware_family Ransomware, malware_family Stealer, confidence High, signature_severity Major, tag Ransomware, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)