alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE Android/Revive Banking Trojan Initial Checkin Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /user/insert HTTP/1.1"; http.user_agent; content:"Linux|3b 20|"; http.header_names; content:!"Referer"; http.request_body; content:"|7b 22|phone|22 3a 22|"; fast_pattern; startswith; content:"|22 2c 22|android_version|22 3a 22|"; distance:0; content:"|22 2c 22|device_name|22 3a 22|"; distance:0; reference:md5,4240473028f88a3ef54f86f1cd387f24; reference:md5,cf704e63652c23c2d609e9a01659511c; reference:url,www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan; classtype:command-and-control; sid:2037262; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, malware_family Revive, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_07_05;)