alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Async RAT CnC Activity (GET)"; flow:established,to_server; urilen:20; http.method; content:"GET"; http.uri; content:"|2e|php|3f|s|3d|"; isdataat:!4,relative; fast_pattern; pcre:"/\x2f\w\x20\w{5}\x20\w\x2ephp\x3fs\x3d\d{3}$/"; http.connection; content:"Keep-Alive"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:url,app.any.run/tasks/b7929820-33fd-4ed5-9a2f-8c835f529919/; reference:url,malware-traffic-analysis.net/2024/03/14/index.html; classtype:trojan-activity; sid:2052950; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_05_29, deployment Perimeter, malware_family AsyncRAT, confidence High, signature_severity Major, tag c2, updated_at 2024_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)