alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [ANY.RUN] Possible Gh0stRat Checkin"; flow:established,to_client; dsize:24; content:"|78 9c 03 00 00 00 00 01|"; offset:16; depth:8; fast_pattern; flowbits:isnotset,srvrespghostbins; reference:url,any.run/cybersecurity-blog/gh0stbins-chinese-rat-malware-analysis/; classtype:trojan-activity; sid:2046662; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_26, deployment Perimeter, malware_family Gh0stRat, performance_impact Low, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_26, reviewed_at 2024_12_11;)