alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Grandoreiro Loader Checkin Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Clever Internet Suite"; http.uri; content:"/MX/"; content:".php?"; distance:0; content:"&OUT=&PG=&SO="; distance:0; content:"&AV="; distance:0; content:"&US="; distance:0; content:"&PC="; distance:0; content:"&EXE="; distance:0; fast_pattern; content:"&ST="; content:"&DTF="; distance:0; reference:md5,6433f9af678fcd387983d7afafae2af2; reference:url,www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals; classtype:trojan-activity; sid:2037002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, malware_family Grandoreiro, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_09_13;)