ET MALWARE Win32/DarkPink KamiKakaBot CnC Exfil (POST)
Source: et/open
Created: June 5, 2023
Updated: June 5, 2023
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkPink KamiKakaBot CnC Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sendDocument"; startswith; content:"/sendDocument?chat_id="; distance:0; content:"?caption="; distance:0; http.content_type; content:"multipart|2f|form|2d|data|3b 20|boundary|3d 22|"; startswith; http.host; content:"api.telegram.org"; http.header; content:"100-continue"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d|document|3b 20|filename|3d|"; content:"|2d 5f|DATA|2e|zip|22 3b 20|filename|3d 2a|utf|2d|8|27|"; fast_pattern; content:"|2d 5f|DATA|2e|zip|0d 0a|"; reference:url,blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries; reference:url,valhalla.nextron-systems.com/info/rule/APT_DarkPink_KamiKakaBot_Mar23; classtype:trojan-activity; sid:2046076; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_05, deployment Perimeter, deployment SSLDecrypt, malware_family KamiKakaBot, confidence High, signature_severity Critical, tag DarkPink, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_05;)
References
blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries
valhalla.nextron-systems.com/info/rule/APT_DarkPink_KamiKakaBot_Mar23
Metadata
attack target: Client_Endpoint
created at: 2023_06_05
deployment: SSLDecrypt
malware family: KamiKakaBot
confidence: High
signature severity: Critical
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2023_06_05