alert http any any -> any any (msg:"STEALER [PTsecurity] EncryptHub"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/bot"; depth:4; http.request_body; content:"|22|chat|5f|id|22 3a|"; depth:20; content:"|22|text|22 3a|"; distance:0; content:"|5c|nIP|3a|"; distance:0; fast_pattern; content:"|5c|nOS|3a|"; distance:0; reference:url, tria.ge/240706-b59jasvcqf/behavioral2/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10011740; rev:1;)