alert http any any -> any any (msg:"REMOTE [PTsecurity] 9002RAT"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/?q="; depth:4; isdataat:7, relative; isdataat:!9, relative; pcre:"/^\/\?q=[a-f0-9]{8}$/U"; http.header; content:"User-Agent: User-Agent:Mozilla/5.0 (Windows NT 10.0|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537."; fast_pattern; content:"Cache-Control: no-cache"; content:!"Referer"; reference:url, https://www.virustotal.com/gui/file/28808164363d221ceb9cc48f7d9dbff8ba3fc5c562f5bea9fa3176df5dd7a41e/detection; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10011655; rev:1;)