ET RETIRED abubasbanditbot CnC Checkin
Source: et/open
Created: August 1, 2023
Updated: October 1, 2024
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET RETIRED abubasbanditbot CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bot"; startswith; content:"/sendMessage"; endswith; http.header; content:"host|3a 20|api.telegram.org"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; content:"|0d 0a|content-type|0d 0a|accept|0d 0a|host|0d 0a|content-length|0d 0a 0d 0a|"; http.request_body; content:"chat_id"; startswith; content:"&text|3d 25 44 30 25 39 34 25 44 30 25 42 42 25 44 31 25 38 46 2b 25 44 30 25 42 32 25 44 30 25 42 30 25 44 31 25 38 31 2b 25 44 31 25 38 32 25 44 31 25 38 30 25 44 31 25 38 33 25 44 30 25 42 34 25 44 30 25 42 38 25 44 31 25 38 32 25 44 31 25 38 31 25 44 31 25 38 46 2b 25 44 30 25 39 46 25 44 30 25 39 41 25 33 41 2b 25 32 33|"; fast_pattern; distance:0; pcre:"/^[A-F0-9]{8}-(?:[A-F0-9]{4}-){3}[A-F0-9]{12}$/R"; reference:md5,9bd1cc9b027a4420d6e4f780c50af93c; classtype:trojan-activity; sid:2047015; rev:2; metadata:created_at 2023_08_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_10_01, reviewed_at 2024_10_01; target:src_ip;)
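What the rule actually matches, as an added example that is not part of this page or of the Emerging Threats ruleset: a small Python checker that applies each of the rule's buffer conditions (method, URI prefix and suffix, Host header, the ordered lowercase header names with no Referer or User-Agent, the `chat_id` body prefix, the percent-encoded text fragment, and the trailing uppercase GUID) to a constructed HTTP request. The percent-encoded bytes are copied from the rule's `&text=` content match and decode to the Russian phrase "Для вас трудится ПК: #" ("a PC is working for you: #"); the bot token, chat_id and GUID in the sample request are placeholders invented for the example, and the `sid_2047015` naming of the functions is the example's own.

```python
import re
from urllib.parse import unquote_plus

# Hex bytes copied from the rule's content match that follows "&text|3d ...|".
TEXT_HEX = (
    "25 44 30 25 39 34 25 44 30 25 42 42 25 44 31 25 38 46 2b "
    "25 44 30 25 42 32 25 44 30 25 42 30 25 44 31 25 38 31 2b "
    "25 44 31 25 38 32 25 44 31 25 38 30 25 44 31 25 38 33 25 44 30 25 42 34 "
    "25 44 30 25 42 38 25 44 31 25 38 32 25 44 31 25 38 31 25 44 31 25 38 46 2b "
    "25 44 30 25 39 46 25 44 30 25 39 41 25 33 41 2b 25 32 33"
)
TEXT_MARKER = b"&text=" + bytes.fromhex(TEXT_HEX)
# pcre:"/^[A-F0-9]{8}-(?:[A-F0-9]{4}-){3}[A-F0-9]{12}$/R" from the rule
GUID_RE = re.compile(rb"[A-F0-9]{8}-(?:[A-F0-9]{4}-){3}[A-F0-9]{12}$")

# Constructed placeholders: not a real bot token, chat id or machine GUID.
BOT_URI = b"/bot0000000000:PLACEHOLDER_TOKEN/sendMessage"
SAMPLE_BODY = b"chat_id=1234567890" + TEXT_MARKER + b"0F7C1E2A-3B4D-4E5F-8A9B-0C1D2E3F4A5B"


def decoded_text() -> str:
    """Decode the form-encoded text fragment ('+' is a space) to show what the bot sends."""
    return unquote_plus(TEXT_MARKER[len(b"&text="):].decode("ascii"))


def build_request(body: bytes, extra_headers=()) -> bytes:
    """Build a POST shaped like the beacon: lowercase header names in the order the rule expects."""
    headers = list(extra_headers) + [
        (b"content-type", b"application/x-www-form-urlencoded"),
        (b"accept", b"*/*"),
        (b"host", b"api.telegram.org"),
        (b"content-length", str(len(body)).encode("ascii")),
    ]
    head = b"POST " + BOT_URI + b" HTTP/1.1\r\n"
    head += b"".join(n + b": " + v + b"\r\n" for n, v in headers)
    return head + b"\r\n" + body


SAMPLE_REQUEST = build_request(SAMPLE_BODY)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, URI, [(name, value)] headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name, value.strip()))
    return method, uri, headers, body


def matches_sid_2047015(raw: bytes) -> bool:
    """Apply the rule's buffer matches, in order, to one request."""
    method, uri, headers, body = parse_request(raw)
    # http.method; content:"POST"
    if method != b"POST":
        return False
    # http.uri; content:"/bot"; startswith; content:"/sendMessage"; endswith
    if not (uri.startswith(b"/bot") and uri.endswith(b"/sendMessage")):
        return False
    # http.header; content:"host|3a 20|api.telegram.org" (case-sensitive, as written)
    raw_headers = b"".join(n + b": " + v + b"\r\n" for n, v in headers)
    if b"host: api.telegram.org" not in raw_headers:
        return False
    # http.header_names: CRLF-separated names with a leading CRLF and a trailing double CRLF
    names = b"\r\n" + b"\r\n".join(n for n, _ in headers) + b"\r\n\r\n"
    if b"\r\nReferer\r\n" in names or b"\r\nUser-Agent\r\n" in names:
        return False
    if b"\r\ncontent-type\r\naccept\r\nhost\r\ncontent-length\r\n\r\n" not in names:
        return False
    # http.request_body; content:"chat_id"; startswith
    if not body.startswith(b"chat_id"):
        return False
    # content:"&text=..."; distance:0 -> must occur after the "chat_id" match
    idx = body.find(TEXT_MARKER, len(b"chat_id"))
    if idx < 0:
        return False
    # pcre with /R: anchored right after the previous match, GUID must run to end of body
    rest = body[idx + len(TEXT_MARKER):]
    return GUID_RE.match(rest) is not None


if __name__ == "__main__":
    print("text fragment decodes to:", decoded_text())
    print("sample beacon matches:", matches_sid_2047015(SAMPLE_REQUEST))
    with_ua = build_request(SAMPLE_BODY, [(b"User-Agent", b"curl/8.0")])
    print("same beacon with a User-Agent header matches:", matches_sid_2047015(with_ua))
```

The checker reproduces Suricata's buffer semantics only as far as this rule needs them; in particular the `http.header_names` match is what pins the rule to a client that sends exactly these four lowercase headers and nothing else, so a differently ordered or additional header, or a lowercase GUID, is enough to miss. Since api.telegram.org is reached over TLS, the sensor only sees these buffers behind TLS interception, which is what the SSLDecrypt deployment tag records.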
References
| md5 | 9bd1cc9b027a4420d6e4f780c50af93c |
Metadata
created at: 2023_08_01
deployment: Perimeter, SSLDecrypt
former category: MALWARE
performance impact: Low
confidence: High
signature severity: Major
updated at: 2024_10_01
reviewed at: 2024_10_01