alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOADER [PTsecurity] SafeRAT"; flow:established, to_server; content:"GET"; http_method; urilen:12; content:"/payload.bin"; http_uri; depth:12; fast_pattern; content:"Connection: Keep-Alive|0d 0a|User-Agent: WinHTTP Example/1.0|0d 0a|Host:"; http_raw_header; depth:120; isdataat:!50, relative; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; reference:url, https://www.virustotal.com/gui/file/c226f1b68aecfe0efc2614882268041fc95ada881c930dd1e1fbc413f5727987; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10010260; rev:1;)