alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"STEALER [PTsecurity] WorldWind"; flow:established, to_server; content:"POST"; http_method; content:"/bot"; http_uri; depth:4; content:"/sendDocument?chat_id="; distance:44; http_uri; content:"&text="; distance:0; http_uri; content:"WorldWind"; http_uri; fast_pattern; content:"System:"; http_uri; content:"CPU:"; http_uri; content:"Screen:"; http_uri; content:!"Referer:"; http_header; threshold:type limit, track by_dst, count 1, seconds 120; reference:url, https://app.any.run/tasks/ab8f29a9-cf74-4f63-b296-dced2e5a2393; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10009186; rev:1;)