alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DACLS RAT Log Collector Download"; flow:established,to_client; file_data; content:"ELF"; offset:1; depth:3; content:"UPX|21|4"; distance:0; content:"|2f|tmp|2f|hdv"; fast_pattern; distance:0; content:"_log"; distance:20; reference:md5,982bf527b9fe16205fea606d1beed7fa; reference:md5,793ed13e95f64aa38adc964efd86f6e6; reference:url,blog.netlab.360.com/dacls-the-dual-platform-rat-en/; classtype:trojan-activity; sid:2029880; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_10;)