alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] TheBoxClipper (updatebildchange)"; flow:established,to_server; content:!"Host|3a 20|"; content:!"User-Agent|3a 20|"; http.request_line; content:"GET /updatebildchange/"; startswith; fast_pattern; pcre:"/\/(?:[a-f0-9]{32})$/R"; reference:md5,6cf851bf1c9f18c57e8567ee19a1269f; reference:url,app.any.run/tasks/5e18a292-b42e-4b64-931b-be3319aadaa3; reference:url,community.emergingthreats.net/t/theboxclipper/904; reference:url,twitter.com/James_inthe_box/status/1696566802094919995; classtype:trojan-activity; sid:2047823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2023_08_29, deployment Perimeter, malware_family TheBoxClipper, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_30, reviewed_at 2023_08_30;)