BANKER [PTsecurity] Creduz Android Exfiltration

SID: 10014379
Rev: 2
Source: ptrules/open
Created: October 9, 2025
Updated: November 21, 2025
Classification: trojan-activity
alert http any any -> any any (msg:"BANKER [PTsecurity] Creduz Android Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/message"; startswith; endswith; http.header; content:"gzip"; content:"okhttp/"; content:!"Referer|3a|"; http.request_body; content:"name=|22|worker|22|"; depth:500; content:"name=|22|hashtag|22|"; distance:0; content:"name=|22|number|22|"; distance:0; content:"[SIM1|3a|"; distance:0; threshold:type limit, track by_dst, seconds 120, count 1; reference:url, tria.ge/250729-1z4tassqy6/behavioral3; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10014379; rev:2;)
