alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrickMo.Banker GET Config Request"; flow:established,to_server; flowbits:set,et.trickmoconfig; http.method; content:"GET"; http.uri; bsize:13; content:"/config?hash="; http.header; content:"|0d 0a|AID|3a 20| "; fast_pattern; reference:url,www.cleafy.com/cleafy-labs/a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak; classtype:trojan-activity; sid:2057142; rev:1; metadata:affected_product Android, attack_target Mobile_Client, tls_state TLSDecrypt, created_at 2024_10_29, deployment Perimeter, deployment Internal, deployment SSLDecrypt, malware_family Android_TrickMo_Banker, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_10_29; target:src_ip;)