ET MALWARE [ANY.RUN] DarkGate HTTP POST Activity (TA577)

SID: 2052283
Rev: 2
64 views
Source: et/open
Created: April 29, 2024
Updated: April 30, 2024
Classification: command-and-control
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] DarkGate HTTP POST Activity (TA577)"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Keep-Alive|3a 20|300"; content:"Connection|3a 20|keep-alive"; distance:0; content:"Content-Type|3a 20|Application/octet-stream"; distance:0; content:"Content-Length|3a 20|74|0d 0a|"; distance:0; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|10|2e|0|3b 20|Win64|3b 20|x64|29 20|AppleWebKit|2f|537|2e|36|20 28|KHTML|2c 20|like|20|Gecko|29 20|Chrome|2f|123|2e|0|2e|0|2e|0|20|Safari|2f|537|2e|36"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Keep|2d|Alive|0d 0a|Connection|0d 0a|User|2d|Agent|0d 0a|Content|2d|Type|0d 0a|Content|2d|Length|0d 0a 0d 0a|"; startswith; http.request_body; bsize:74; pcre:"/^[a-zA-Z0-9=+]{74}$/"; content:!"="; endswith; threshold:type both, track by_dst, seconds 30, count 7; reference:md5,41f79463a8c3f98272fd22bad16c7393; reference:url,community.emergingthreats.net/t/darkgate-new-version; classtype:command-and-control; sid:2052283; rev:2; metadata:created_at 2024_04_29, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_30;)

Metadata

created at: 2024_04_29
confidence: High
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2024_04_30
