STEALER [PTsecurity] Ares Initial Connection (APT TransparentTribe)

SID: 10010710
Rev: 4
Source: ptrules/open
Created: October 9, 2025
Updated: May 13, 2026
Classification: trojan-activity
alert http any any -> any any (msg:"STEALER [PTsecurity] Ares Initial Connection (APT TransparentTribe)"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/api/"; http.user_agent; content:"python-requests"; http.header; content:"Accept-Encoding: gzip, deflate"; content:"Content-Type: multipart/form-data|3b| boundary="; content:!"Referer"; http.request_body; content:"Content-Disposition: form-data|3b| name=|22|uploaded|22 3b| filename=|22|list.txt|22|"; depth:120; fast_pattern; threshold:type limit, track by_src, seconds 120, count 1; reference:url, virustotal.com/gui/file/de4b4f2ec4489ffa873465683818b7db52bf914c3387dd1b84f2dd855a9a1171/; reference:url, www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10010710; rev:4;)
