alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/de/?d="; startswith; fast_pattern; content:"&v="; distance:0; content:"&t="; distance:0; http.header_names; content:!"Referer"; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/Wm"; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; reference:md5,d01bcca6255a4f062fc59a014f407532; reference:md5,2d459929135993959cacceb0dd81a813; classtype:command-and-control; sid:2031417; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_12_16;)