################################################################ # abuse.ch URLhaus IDS ruleset (Snort / Suricata) # # Last updated: 2019-01-20 22:28:07 (UTC) # # # # Terms Of Use: https://urlhaus.abuse.ch/api/ # # For questions please contact urlhaus [at] abuse.ch # ################################################################ # # url alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/soft/ltgj/18303/qqfhjfrj.exe"; http_uri; depth:29; isdataat:!1,relative; content:"d1.udashi.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106119/; classtype:trojan-activity;sid:80969219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftp"; http_uri; depth:4; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106118/; classtype:trojan-activity;sid:80969218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106117/; classtype:trojan-activity;sid:80969217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wget"; http_uri; depth:5; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106116/; classtype:trojan-activity;sid:80969216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106114/; classtype:trojan-activity;sid:80969214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nut"; http_uri; depth:4; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106115/; classtype:trojan-activity;sid:80969215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apache2"; http_uri; depth:8; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106113/; classtype:trojan-activity;sid:80969213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106112/; classtype:trojan-activity;sid:80969212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106111/; classtype:trojan-activity;sid:80969211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106110/; classtype:trojan-activity;sid:80969210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tftp"; http_uri; depth:5; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106109/; classtype:trojan-activity;sid:80969209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"188.161.62.65"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106108/; classtype:trojan-activity;sid:80969208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntpd"; http_uri; depth:5; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106107/; classtype:trojan-activity;sid:80969207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"177.62.104.249"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106106/; classtype:trojan-activity;sid:80969206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"64.74.98.177"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106105/; classtype:trojan-activity;sid:80969205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/6sy/dota%20hotkeys.exe"; http_uri; depth:23; isdataat:!1,relative; content:"media.dropdo.com.s3.amazonaws.com"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106104/; classtype:trojan-activity;sid:80969204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2016/10/0xb46ec142e2cfec1291689dc0d357cfe2/rs422-31.exe"; http_uri; depth:56; isdataat:!1,relative; content:"samples.repository.s3.amazonaws.com"; http_host; depth:35; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106103/; classtype:trojan-activity;sid:80969203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xp/arc.exe"; http_uri; depth:11; isdataat:!1,relative; content:"media.dropdo.com.s3.amazonaws.com"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106102/; classtype:trojan-activity;sid:80969202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/offers/2/chrome_search.exe"; http_uri; depth:27; isdataat:!1,relative; content:"cdn.openinstall.com.s3.amazonaws.com"; http_host; depth:36; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106099/; classtype:trojan-activity;sid:80969199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files/products/vroot/2013/17235968/vroot_1.7.0.3825_setup.exe"; http_uri; depth:62; isdataat:!1,relative; content:"cdnpic.mgyun.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106098/; classtype:trojan-activity;sid:80969198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files/products/vroot/2013/17039360/vroot_1.4.0.2955_setup_183.exe"; http_uri; depth:66; isdataat:!1,relative; content:"cdnpic.mgyun.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106097/; classtype:trojan-activity;sid:80969197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cjtaoke2.9.5.0.exe"; http_uri; depth:19; isdataat:!1,relative; content:"ocrn597v5.bkt.clouddn.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106096/; classtype:trojan-activity;sid:80969196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lysetup.exe"; http_uri; depth:12; isdataat:!1,relative; content:"down.leyoucoc.cn"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106095/; classtype:trojan-activity;sid:80969195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zsgj/ravmofei.exe"; http_uri; depth:18; isdataat:!1,relative; content:"download.rising.com.cn"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106094/; classtype:trojan-activity;sid:80969194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zsgj/ravmgf.exe"; http_uri; depth:16; isdataat:!1,relative; content:"download.rising.com.cn"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106093/; classtype:trojan-activity;sid:80969193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a.exe"; http_uri; depth:6; isdataat:!1,relative; content:"futurealind.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106092/; classtype:trojan-activity;sid:80969192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"179.162.177.249"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106091/; classtype:trojan-activity;sid:80969191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/updater/newupate.exe"; http_uri; depth:21; isdataat:!1,relative; content:"config.myjhxl.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106090/; classtype:trojan-activity;sid:80969190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/css/javaw.exe"; http_uri; depth:14; isdataat:!1,relative; content:"ninabijoux.com.br"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106089/; classtype:trojan-activity;sid:80969189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2017/06/lxsetupv8.1.exe"; http_uri; depth:24; isdataat:!1,relative; content:"pc.xzstatic.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106088/; classtype:trojan-activity;sid:80969188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js/fancybox/zxcv09h8g76f5d4f5g6hj7k8lj7h6g5f4dsg4h5j6kl78ytf4uh5ij67hygt6dr5ej9nhbgyvfty87vyg6b5hu4jnikm3j4n5hu6ygtu7f8yrdtfu7yg6hnji5m4n5hbgvf6cd7xtc6r7tf6uo5ij4/dolbysoud.exe"; http_uri; depth:177; isdataat:!1,relative; content:"ninabijoux.com.br"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106087/; classtype:trojan-activity;sid:80969187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/downloads/fxtraderlog_upgrade.exe"; http_uri; depth:34; isdataat:!1,relative; content:"fxtraderlog.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106086/; classtype:trojan-activity;sid:80969186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bbs/data/attachment/forum/201212/20/10301044ex3m3s62emr1r7.docn=weyvuwtgv3lkzjlt6xln7norq3nrqhnkiblilbluqyuzg9j"; http_uri; depth:112; isdataat:!1,relative; content:"files.hrloo.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106085/; classtype:trojan-activity;sid:80969185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xbpic/fmt/v1.0.1.17/fmt_01.exe"; http_uri; depth:31; isdataat:!1,relative; content:"download.fahpvdxw.cn"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106084/; classtype:trojan-activity;sid:80969184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.spc"; http_uri; depth:9; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106082/; classtype:trojan-activity;sid:80969182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.mips"; http_uri; depth:10; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106081/; classtype:trojan-activity;sid:80969181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"167.114.186.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106080/; classtype:trojan-activity;sid:80969180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"167.114.186.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106078/; classtype:trojan-activity;sid:80969178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"167.114.186.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106079/; classtype:trojan-activity;sid:80969179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"167.114.186.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106077/; classtype:trojan-activity;sid:80969177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bbs/data/attachment/forum/201212/20/10301044ex3m3s62emr1r7.doc"; http_uri; depth:63; isdataat:!1,relative; content:"files.hrloo.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106076/; classtype:trojan-activity;sid:80969176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"85.99.111.150"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106075/; classtype:trojan-activity;sid:80969175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"180.247.147.100"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106074/; classtype:trojan-activity;sid:80969174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"220.132.38.177"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106073/; classtype:trojan-activity;sid:80969173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"178.211.167.190"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106072/; classtype:trojan-activity;sid:80969172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d5/client42800.exe"; http_uri; depth:19; isdataat:!1,relative; content:"wbd.5636.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106071/; classtype:trojan-activity;sid:80969171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/autopk.exe"; http_uri; depth:18; isdataat:!1,relative; content:"kimyen.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106070/; classtype:trojan-activity;sid:80969170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/vulanpk/vulanpk.exe"; http_uri; depth:27; isdataat:!1,relative; content:"kimyen.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106069/; classtype:trojan-activity;sid:80969169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/raovatctc.exe"; http_uri; depth:21; isdataat:!1,relative; content:"kimyen.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106068/; classtype:trojan-activity;sid:80969168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/loginpvtk.exe"; http_uri; depth:21; isdataat:!1,relative; content:"kimyen.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106067/; classtype:trojan-activity;sid:80969167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/vlmplogin.exe"; http_uri; depth:21; isdataat:!1,relative; content:"kimyen.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106066/; classtype:trojan-activity;sid:80969166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/loginctcus.exe"; http_uri; depth:22; isdataat:!1,relative; content:"kimyen.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106065/; classtype:trojan-activity;sid:80969165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bbs/data/attachment/forum/201212/20/10301044ex3m3s62emr1r7.docn=w+eyvuwtgv3lkzjlt6xln7norq3nrqhnkiblilbluqyuzg9j"; http_uri; depth:113; isdataat:!1,relative; content:"files.hrloo.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106064/; classtype:trojan-activity;sid:80969164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xbpic/mini/v1.0.1.17/mini_01.exe"; http_uri; depth:33; isdataat:!1,relative; content:"download.fahpvdxw.cn"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106063/; classtype:trojan-activity;sid:80969163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openlink/openlink1.exe"; http_uri; depth:23; isdataat:!1,relative; content:"www.wyptk.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106062/; classtype:trojan-activity;sid:80969162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d5/5636.exe"; http_uri; depth:12; isdataat:!1,relative; content:"wbd.5636.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106061/; classtype:trojan-activity;sid:80969161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/ctctanthu.exe"; http_uri; depth:21; isdataat:!1,relative; content:"kimyen.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106060/; classtype:trojan-activity;sid:80969160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zsgj/ravnetsky.exe"; http_uri; depth:19; isdataat:!1,relative; content:"download.rising.com.cn"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106059/; classtype:trojan-activity;sid:80969159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/vltknhatrac.exe"; http_uri; depth:23; isdataat:!1,relative; content:"kimyen.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106058/; classtype:trojan-activity;sid:80969158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/soft/dnyx/20348/%e5%b0%8f%e8%8d%89%e8%be%85%e5%8a%a9%e6%9c%80%e6%96%b0%e7%89%88.exe"; http_uri; depth:84; isdataat:!1,relative; content:"d1.udashi.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106057/; classtype:trojan-activity;sid:80969157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/vltkbacdau.exe"; http_uri; depth:22; isdataat:!1,relative; content:"kimyen.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106056/; classtype:trojan-activity;sid:80969156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/s4remnantspatcher/s4lremnants.exe"; http_uri; depth:34; isdataat:!1,relative; content:"check-s4r.dedk.eu"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106055/; classtype:trojan-activity;sid:80969155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d5/client62156.exe"; http_uri; depth:19; isdataat:!1,relative; content:"wbd.5636.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106053/; classtype:trojan-activity;sid:80969153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/hwgdfyp.png/download"; http_uri; depth:28; isdataat:!1,relative; content:"pasteboard.co"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106051/; classtype:trojan-activity;sid:80969151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xxx/updatewin2.exe"; http_uri; depth:19; isdataat:!1,relative; content:"rosalos.ug"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106050/; classtype:trojan-activity;sid:80969150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xxx/updatewin1.exe"; http_uri; depth:19; isdataat:!1,relative; content:"rosalos.ug"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106049/; classtype:trojan-activity;sid:80969149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xxx/updatewin.exe"; http_uri; depth:18; isdataat:!1,relative; content:"rosalos.ug"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106048/; classtype:trojan-activity;sid:80969148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xxx/39.exe"; http_uri; depth:11; isdataat:!1,relative; content:"rosalos.ug"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106047/; classtype:trojan-activity;sid:80969147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ggesuy.jpg"; http_uri; depth:11; isdataat:!1,relative; content:"pomf.pyonpyon.moe"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106046/; classtype:trojan-activity;sid:80969146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/setupjsgspdf_4416.exe"; http_uri; depth:22; isdataat:!1,relative; content:"down.pdflist.cqhbkjzx.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106044/; classtype:trojan-activity;sid:80969144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pifu/tubiao/mianbao.exe"; http_uri; depth:24; isdataat:!1,relative; content:"cf.uuu9.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106043/; classtype:trojan-activity;sid:80969143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/c5.exe"; http_uri; depth:7; isdataat:!1,relative; content:"dk5gckyelnxjl.cloudfront.net"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106042/; classtype:trojan-activity;sid:80969142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"177.18.10.8"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106041/; classtype:trojan-activity;sid:80969141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"5.204.170.150"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106040/; classtype:trojan-activity;sid:80969140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rm/fixvidio.zip"; http_uri; depth:16; isdataat:!1,relative; content:"pcr1.pc6.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106039/; classtype:trojan-activity;sid:80969139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bug/jkpic/jikepicupfile.exe"; http_uri; depth:28; isdataat:!1,relative; content:"config.wwmhdq.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106037/; classtype:trojan-activity;sid:80969137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/ctckeoxe2.exe"; http_uri; depth:21; isdataat:!1,relative; content:"kimyen.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106036/; classtype:trojan-activity;sid:80969136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xiao/llk00.exe"; http_uri; depth:15; isdataat:!1,relative; content:"sgm.pc6.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106035/; classtype:trojan-activity;sid:80969135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xiao4/kongjiangbing_65337.exe"; http_uri; depth:30; isdataat:!1,relative; content:"sgm.pc6.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106034/; classtype:trojan-activity;sid:80969134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bug/jkpic/sub/geekpicmpage.exe"; http_uri; depth:31; isdataat:!1,relative; content:"config.wwmhdq.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106033/; classtype:trojan-activity;sid:80969133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dodonew1137/donewk.exe"; http_uri; depth:23; isdataat:!1,relative; content:"cu.dodonew.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106032/; classtype:trojan-activity;sid:80969132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xiao5/alphaballsetup.exe"; http_uri; depth:25; isdataat:!1,relative; content:"sgm.pc6.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106031/; classtype:trojan-activity;sid:80969131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xiao1/flashxiuxian.exe"; http_uri; depth:23; isdataat:!1,relative; content:"sgm.pc6.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106030/; classtype:trojan-activity;sid:80969130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xiao2/h0mm4trainer.exe"; http_uri; depth:23; isdataat:!1,relative; content:"sgm.pc6.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106029/; classtype:trojan-activity;sid:80969129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wgz174/%e5%be%ae%e8%b4%ad%e7%8c%aa.exe"; http_uri; depth:39; isdataat:!1,relative; content:"upgrade.shihuizhu.net"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106027/; classtype:trojan-activity;sid:80969127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/updatefiles/client.exe"; http_uri; depth:23; isdataat:!1,relative; content:"update.yalian1000.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106026/; classtype:trojan-activity;sid:80969126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/5/20121217/634913135817656250813.exe"; http_uri; depth:37; isdataat:!1,relative; content:"img54.hbzhan.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106024/; classtype:trojan-activity;sid:80969124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xiao4/baiwangfuweng_70563.exe"; http_uri; depth:30; isdataat:!1,relative; content:"sgm.pc6.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106023/; classtype:trojan-activity;sid:80969123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/102015/%e5%ae%9e%e6%83%a0%e7%8c%aa.exe"; http_uri; depth:39; isdataat:!1,relative; content:"upgrade.shihuizhu.net"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106022/; classtype:trojan-activity;sid:80969122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/telnet.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106021/; classtype:trojan-activity;sid:80969121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/soft/25956/cs.exe"; http_uri; depth:18; isdataat:!1,relative; content:"d2.udashi.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106019/; classtype:trojan-activity;sid:80969119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rrt/c3cd4f987c6a3cde42d9115e83f24ca0/46080855/5e28b83e42d0acb1659d2df5be51faa0.doc"; http_uri; depth:83; isdataat:!1,relative; content:"ah.download.cycore.cn"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106018/; classtype:trojan-activity;sid:80969118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bug/lightningzip/sub/lightningzipex.exe"; http_uri; depth:40; isdataat:!1,relative; content:"config.wulishow.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106017/; classtype:trojan-activity;sid:80969117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bug/lightningzip/sub/lightningzippage.exe"; http_uri; depth:42; isdataat:!1,relative; content:"config.wulishow.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106016/; classtype:trojan-activity;sid:80969116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/soft/27947/yourzyxf.exe"; http_uri; depth:24; isdataat:!1,relative; content:"d2.udashi.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_20; reference:url, urlhaus.abuse.ch/url/106015/; classtype:trojan-activity;sid:80969115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/soft/24536/sina2.5.1.exe"; http_uri; depth:25; isdataat:!1,relative; content:"d2.udashi.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106014/; classtype:trojan-activity;sid:80969114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xjbqsetup_4308.exe"; http_uri; depth:19; isdataat:!1,relative; content:"down.soft.hyzmbz.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106013/; classtype:trojan-activity;sid:80969113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/soft/29691/icoshengchengqi.exe"; http_uri; depth:31; isdataat:!1,relative; content:"d2.udashi.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106012/; classtype:trojan-activity;sid:80969112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/soft/27957/dqeswds1.0.exe"; http_uri; depth:26; isdataat:!1,relative; content:"d2.udashi.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106011/; classtype:trojan-activity;sid:80969111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/setup4308.exe"; http_uri; depth:14; isdataat:!1,relative; content:"down.soft.hyzmbz.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106010/; classtype:trojan-activity;sid:80969110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file.exe"; http_uri; depth:9; isdataat:!1,relative; content:"listmyfloor.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106009/; classtype:trojan-activity;sid:80969109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin135.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106008/; classtype:trojan-activity;sid:80969108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"220.135.8.93"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106007/; classtype:trojan-activity;sid:80969107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin128.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106006/; classtype:trojan-activity;sid:80969106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mjsoft/config/llctk/llctk.exe"; http_uri; depth:30; isdataat:!1,relative; content:"121.41.0.159"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106005/; classtype:trojan-activity;sid:80969105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xunjiesetup_4338.exe"; http_uri; depth:21; isdataat:!1,relative; content:"down.softlist.hyzmbz.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106004/; classtype:trojan-activity;sid:80969104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin133.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106003/; classtype:trojan-activity;sid:80969103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jd/jd156.exe"; http_uri; depth:13; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106002/; classtype:trojan-activity;sid:80969102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xunjiesetup_4308.exe"; http_uri; depth:21; isdataat:!1,relative; content:"down.softlist.hyzmbz.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106001/; classtype:trojan-activity;sid:80969101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin130.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106000/; classtype:trojan-activity;sid:80969100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin142.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105999/; classtype:trojan-activity;sid:80969099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jd/jd124.exe"; http_uri; depth:13; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105998/; classtype:trojan-activity;sid:80969098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin141.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105997/; classtype:trojan-activity;sid:80969097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jd/jd127.exe"; http_uri; depth:13; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105996/; classtype:trojan-activity;sid:80969096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/huanlezuqiuzhongwenban.exe"; http_uri; depth:27; isdataat:!1,relative; content:"wt90.downyouxi.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105995/; classtype:trojan-activity;sid:80969095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin146.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105994/; classtype:trojan-activity;sid:80969094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rrt/32287da69c40a12819fe3874d0b63e66/73728155/684642c35e6d9fa859d961031ed2f626.doc"; http_uri; depth:83; isdataat:!1,relative; content:"ah.download.cycore.cn"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105993/; classtype:trojan-activity;sid:80969093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jd/jd145.exe"; http_uri; depth:13; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105992/; classtype:trojan-activity;sid:80969092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin140.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105991/; classtype:trojan-activity;sid:80969091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/wpex-pytheas/functions/meta/gallery-metabox/sserv.jpg"; http_uri; depth:72; isdataat:!1,relative; content:"clarabellebaby.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105990/; classtype:trojan-activity;sid:80969090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin131.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105989/; classtype:trojan-activity;sid:80969089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jd/jd144.exe"; http_uri; depth:13; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105988/; classtype:trojan-activity;sid:80969088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jd/jd138.exe"; http_uri; depth:13; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105987/; classtype:trojan-activity;sid:80969087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jianlingminzhongwenban.exe"; http_uri; depth:27; isdataat:!1,relative; content:"wt90.downyouxi.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105986/; classtype:trojan-activity;sid:80969086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jd/jd136.exe"; http_uri; depth:13; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105985/; classtype:trojan-activity;sid:80969085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/~pister/245/fa99/hw/hw1/ee2451.doc"; http_uri; depth:35; isdataat:!1,relative; content:"www-bsac.eecs.berkeley.edu"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105984/; classtype:trojan-activity;sid:80969084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/furasshu.x86"; http_uri; depth:18; isdataat:!1,relative; content:"104.248.197.246"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105983/; classtype:trojan-activity;sid:80969083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/telnet.x32"; http_uri; depth:16; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105982/; classtype:trojan-activity;sid:80969082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/telnet.mips"; http_uri; depth:17; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105980/; classtype:trojan-activity;sid:80969080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/telnet.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105981/; classtype:trojan-activity;sid:80969081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/telnet.arm"; http_uri; depth:16; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105979/; classtype:trojan-activity;sid:80969079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/chaojimanhuayingxiongduijietoubawang.exe"; http_uri; depth:41; isdataat:!1,relative; content:"wt90.downyouxi.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105978/; classtype:trojan-activity;sid:80969078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hl3.3.8.0.exe"; http_uri; depth:14; isdataat:!1,relative; content:"files.fqapps.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105977/; classtype:trojan-activity;sid:80969077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin139.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105976/; classtype:trojan-activity;sid:80969076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jd/jd137.exe"; http_uri; depth:13; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105975/; classtype:trojan-activity;sid:80969075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/setupxunjie.exe"; http_uri; depth:16; isdataat:!1,relative; content:"down.soft.hyzmbz.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105974/; classtype:trojan-activity;sid:80969074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"89.165.4.105"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105973/; classtype:trojan-activity;sid:80969073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"179.110.14.13"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105972/; classtype:trojan-activity;sid:80969072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xunjiesetup_4317.exe"; http_uri; depth:21; isdataat:!1,relative; content:"down.softlist.hyzmbz.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105971/; classtype:trojan-activity;sid:80969071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/loco/themes/sserv.jpg"; http_uri; depth:43; isdataat:!1,relative; content:"iocho.org"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105970/; classtype:trojan-activity;sid:80969070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/podcast/sserv.jpg"; http_uri; depth:18; isdataat:!1,relative; content:"brainchildmultimediagroup.com"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105969/; classtype:trojan-activity;sid:80969069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/ssj.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"nexusdental.com.mx"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105968/; classtype:trojan-activity;sid:80969068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/ssj.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"clinicasleven.com.mx"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105967/; classtype:trojan-activity;sid:80969067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcoin/qcoin138.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cdn-10049480.file.myqcloud.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105966/; classtype:trojan-activity;sid:80969066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cob93.exe"; http_uri; depth:10; isdataat:!1,relative; content:"www.aysemanay.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105965/; classtype:trojan-activity;sid:80969065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payload.exe"; http_uri; depth:12; isdataat:!1,relative; content:"iloveyoupizdec2.info"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105964/; classtype:trojan-activity;sid:80969064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payload.exe"; http_uri; depth:12; isdataat:!1,relative; content:"kristinka2.life"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105963/; classtype:trojan-activity;sid:80969063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/loco/themes/ssj.jpg"; http_uri; depth:41; isdataat:!1,relative; content:"iocho.org"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105962/; classtype:trojan-activity;sid:80969062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.tmb/sserv.jpg"; http_uri; depth:15; isdataat:!1,relative; content:"clarabellebaby.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105961/; classtype:trojan-activity;sid:80969061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/free/cash.exe"; http_uri; depth:14; isdataat:!1,relative; content:"startupinternetmarketing.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105960/; classtype:trojan-activity;sid:80969060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js2/cwq1"; http_uri; depth:9; isdataat:!1,relative; content:"almasoodgroup.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105959/; classtype:trojan-activity;sid:80969059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js2/cwq"; http_uri; depth:8; isdataat:!1,relative; content:"almasoodgroup.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105958/; classtype:trojan-activity;sid:80969058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/ssj.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"integramultimedia.com.mx"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105957/; classtype:trojan-activity;sid:80969057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payload.exe"; http_uri; depth:12; isdataat:!1,relative; content:"kristinka6.life"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105956/; classtype:trojan-activity;sid:80969056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"31.168.213.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105955/; classtype:trojan-activity;sid:80969055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"2.186.112.113"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105954/; classtype:trojan-activity;sid:80969054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"177.139.57.151"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105953/; classtype:trojan-activity;sid:80969053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"14.43.233.212"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105952/; classtype:trojan-activity;sid:80969052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/api/5f029c09dea6b04687b22844fba7d0fe/1001.exe"; http_uri; depth:46; isdataat:!1,relative; content:"downfilepro.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105951/; classtype:trojan-activity;sid:80969051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/awaken/js/ssj.jpg"; http_uri; depth:36; isdataat:!1,relative; content:"gamedoithuong.info"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105950/; classtype:trojan-activity;sid:80969050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ipp/gen/gen/gen/gen/phone.exe"; http_uri; depth:30; isdataat:!1,relative; content:"202.55.178.35"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105949/; classtype:trojan-activity;sid:80969049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zz/barqqk.exe"; http_uri; depth:14; isdataat:!1,relative; content:"download.u7pk.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105948/; classtype:trojan-activity;sid:80969048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zz/bdpm.exe"; http_uri; depth:12; isdataat:!1,relative; content:"download.u7pk.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105947/; classtype:trojan-activity;sid:80969047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pdfreader/fmt/v1.0.1.17/fmt_01.exe"; http_uri; depth:35; isdataat:!1,relative; content:"download.pdf00.cn"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105946/; classtype:trojan-activity;sid:80969046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ipp/gen/gen/gen/gen/gen/gen/phone.exe"; http_uri; depth:38; isdataat:!1,relative; content:"202.55.178.35"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105945/; classtype:trojan-activity;sid:80969045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ipp/gen/gen/phone.exe"; http_uri; depth:22; isdataat:!1,relative; content:"202.55.178.35"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105944/; classtype:trojan-activity;sid:80969044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/atahualpa353/functions/efax_1225500012.doc"; http_uri; depth:61; isdataat:!1,relative; content:"babyparrots.it"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105943/; classtype:trojan-activity;sid:80969043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zz/niuniu2.exe"; http_uri; depth:15; isdataat:!1,relative; content:"download.u7pk.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105942/; classtype:trojan-activity;sid:80969042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ipp/gen/gen/gen/phone.exe"; http_uri; depth:26; isdataat:!1,relative; content:"202.55.178.35"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105941/; classtype:trojan-activity;sid:80969041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zz/niuniu3.exe"; http_uri; depth:15; isdataat:!1,relative; content:"download.u7pk.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105940/; classtype:trojan-activity;sid:80969040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zz/w47.exe"; http_uri; depth:11; isdataat:!1,relative; content:"download.u7pk.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105939/; classtype:trojan-activity;sid:80969039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jobs/cgi/12609223.jpg"; http_uri; depth:22; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105938/; classtype:trojan-activity;sid:80969038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"77.79.190.82"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105937/; classtype:trojan-activity;sid:80969037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/warkey2013.zip"; http_uri; depth:15; isdataat:!1,relative; content:"bd173.9pj8m.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105936/; classtype:trojan-activity;sid:80969036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/api/9a7e880d7c30808c13258fe5793e2de6/1001.exe"; http_uri; depth:46; isdataat:!1,relative; content:"downfilepro.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105935/; classtype:trojan-activity;sid:80969035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"5.167.53.163"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105934/; classtype:trojan-activity;sid:80969034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"47.186.74.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105933/; classtype:trojan-activity;sid:80969033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"177.206.121.57"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105932/; classtype:trojan-activity;sid:80969032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"1.34.159.106"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105931/; classtype:trojan-activity;sid:80969031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"187.175.42.227"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105930/; classtype:trojan-activity;sid:80969030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"84.214.54.35"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105929/; classtype:trojan-activity;sid:80969029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"103.51.249.64"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105928/; classtype:trojan-activity;sid:80969028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/atahualpa353/functions/efax_1225500012.doc"; http_uri; depth:61; isdataat:!1,relative; content:"www.babyparrots.it"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105927/; classtype:trojan-activity;sid:80969027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/v51-43278303571t52461879095979372.zip"; http_uri; depth:38; isdataat:!1,relative; content:"solaryug.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105926/; classtype:trojan-activity;sid:80969026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/manage/syscheck1.exe"; http_uri; depth:21; isdataat:!1,relative; content:"firstzone.download"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105925/; classtype:trojan-activity;sid:80969025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tmp/arphost.exe"; http_uri; depth:16; isdataat:!1,relative; content:"firstzone.download"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105924/; classtype:trojan-activity;sid:80969024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/manage/main.doc"; http_uri; depth:16; isdataat:!1,relative; content:"firstzone.download"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105922/; classtype:trojan-activity;sid:80969022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/r.exe"; http_uri; depth:6; isdataat:!1,relative; content:"107.172.3.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105921/; classtype:trojan-activity;sid:80969021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/denebt/gasby.exe"; http_uri; depth:17; isdataat:!1,relative; content:"supportwip.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105920/; classtype:trojan-activity;sid:80969020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kkkkkk/fajey.exe"; http_uri; depth:17; isdataat:!1,relative; content:"supportwip.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105919/; classtype:trojan-activity;sid:80969019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/starbotg/gasby.exe"; http_uri; depth:19; isdataat:!1,relative; content:"supportwip.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105918/; classtype:trojan-activity;sid:80969018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/sserv.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"integramultimedia.com.mx"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105917/; classtype:trojan-activity;sid:80969017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/galjp-ra_noqrx-s0i/invoicecodechanges/us_us/need-to-send-the-attachment/"; http_uri; depth:73; isdataat:!1,relative; content:"glazastiks.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105916/; classtype:trojan-activity;sid:80969016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/messages/012019/"; http_uri; depth:27; isdataat:!1,relative; content:"pojbez31.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105915/; classtype:trojan-activity;sid:80969015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/details/2019-01/"; http_uri; depth:27; isdataat:!1,relative; content:"pkmsolutions.com.my"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105914/; classtype:trojan-activity;sid:80969014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"kiber-soft.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105913/; classtype:trojan-activity;sid:80969013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/sserv.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"fastimmo.fr"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105912/; classtype:trojan-activity;sid:80969012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/sketch/qbct.exe"; http_uri; depth:34; isdataat:!1,relative; content:"www.advavoltiberica.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105911/; classtype:trojan-activity;sid:80969011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/web/web.exe"; http_uri; depth:12; isdataat:!1,relative; content:"y0.strangled.net"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105910/; classtype:trojan-activity;sid:80969010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/js/435/akls.exe"; http_uri; depth:25; isdataat:!1,relative; content:"aussietruffles.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105909/; classtype:trojan-activity;sid:80969009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/premisrecerca/sites/1501.zip"; http_uri; depth:29; isdataat:!1,relative; content:"www.url.edu"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105908/; classtype:trojan-activity;sid:80969008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3.exe"; http_uri; depth:6; isdataat:!1,relative; content:"193.151.91.163"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105907/; classtype:trojan-activity;sid:80969007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/~odyssey/royt/po098766677.exe"; http_uri; depth:30; isdataat:!1,relative; content:"host.workskillsweb.net"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105906/; classtype:trojan-activity;sid:80969006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/~odyssey/royt/pi0998787_doc.exe"; http_uri; depth:32; isdataat:!1,relative; content:"host.workskillsweb.net"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105905/; classtype:trojan-activity;sid:80969005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/~odyssey/royt/pi0976567.exe"; http_uri; depth:28; isdataat:!1,relative; content:"host.workskillsweb.net"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105904/; classtype:trojan-activity;sid:80969004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js3/svch"; http_uri; depth:9; isdataat:!1,relative; content:"almasoodgroup.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105903/; classtype:trojan-activity;sid:80969003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js3/pdfviewer.sct"; http_uri; depth:18; isdataat:!1,relative; content:"almasoodgroup.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105902/; classtype:trojan-activity;sid:80969002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js3/pdfviewer.msi"; http_uri; depth:18; isdataat:!1,relative; content:"almasoodgroup.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105901/; classtype:trojan-activity;sid:80969001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js3/pdfjviewer.sct"; http_uri; depth:19; isdataat:!1,relative; content:"almasoodgroup.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105900/; classtype:trojan-activity;sid:80969000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js3/pdfjviewer.msi"; http_uri; depth:19; isdataat:!1,relative; content:"almasoodgroup.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105899/; classtype:trojan-activity;sid:80968999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js3/mstsc"; http_uri; depth:10; isdataat:!1,relative; content:"almasoodgroup.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105898/; classtype:trojan-activity;sid:80968998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/id3/sserv.jpg"; http_uri; depth:26; isdataat:!1,relative; content:"immobiliere-olivier.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105897/; classtype:trojan-activity;sid:80968997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zxla-4r_rd-ud5/ach/paymentadvice/en/service-invoice/"; http_uri; depth:53; isdataat:!1,relative; content:"www.panafspace.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105896/; classtype:trojan-activity;sid:80968996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xvet-zsn_kq-dad/paymentstatus/us/invoice-1866321-january/"; http_uri; depth:58; isdataat:!1,relative; content:"wijdoenbeter.be"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105895/; classtype:trojan-activity;sid:80968995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vtzti-an_tkrqs-94/paymentstatus/us_us/invoice-number-872839/"; http_uri; depth:61; isdataat:!1,relative; content:"washuis.nl"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105894/; classtype:trojan-activity;sid:80968994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/goaq-yog_n-uw6/ref/2606341144en_us/scan/"; http_uri; depth:41; isdataat:!1,relative; content:"thevesuvio.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105893/; classtype:trojan-activity;sid:80968993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sitdb-to_a-6g/us_us/outstanding-invoices/"; http_uri; depth:42; isdataat:!1,relative; content:"temptest123.reveance.nl"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105892/; classtype:trojan-activity;sid:80968992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iqgz-39o_sx-wr8/rjzj-q9oj_swuryxl-g1/invoices/4092/07436/en/inv-845562-po-0l433922/"; http_uri; depth:84; isdataat:!1,relative; content:"swanpark.dothidongsaigon.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105891/; classtype:trojan-activity;sid:80968991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbw-yv_awoehadx-jm4/invoice/en/companies-invoice-84280381/"; http_uri; depth:60; isdataat:!1,relative; content:"rahkarinoo.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105890/; classtype:trojan-activity;sid:80968990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ayco-8o3m_pytxsgxnn-lp/invoice/en_en/ach-form/"; http_uri; depth:47; isdataat:!1,relative; content:"photomoura.ir"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105889/; classtype:trojan-activity;sid:80968989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/site/cache/ajax_login_form/bfxsu-jhhn_umqs-po/ach/paymentadvice/us/service-report-14175/"; http_uri; depth:89; isdataat:!1,relative; content:"megatramtg.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105888/; classtype:trojan-activity;sid:80968988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/irwab-f1ud_agyjalfdt-j9/en_us/scan/"; http_uri; depth:36; isdataat:!1,relative; content:"masswheyshop.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105887/; classtype:trojan-activity;sid:80968987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xzjki-yspd_e-xtn/invoicecodechanges/en_en/overdue-payment/"; http_uri; depth:59; isdataat:!1,relative; content:"kleinamsterdam.be"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105886/; classtype:trojan-activity;sid:80968986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/atkq-kuu_nnn-evp/invoice/us/inv-25688-po-1o647571/"; http_uri; depth:51; isdataat:!1,relative; content:"hembacka.fi"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105885/; classtype:trojan-activity;sid:80968985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tmtlw-w2clf_hsmlqpnnq-pgg/j33/invoicing/us/invoice/"; http_uri; depth:52; isdataat:!1,relative; content:"ftp.spbv.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105884/; classtype:trojan-activity;sid:80968984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rrzfk-0rzj_jub-qc/invoice/13887/overpayment/en_us/new-order/"; http_uri; depth:61; isdataat:!1,relative; content:"excellenceconstructiongroup.com"; http_host; depth:31; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105883/; classtype:trojan-activity;sid:80968983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ladk-5ur_ckhf-jg8/invoice/94996/overpayment/en_en/past-due-invoices/"; http_uri; depth:69; isdataat:!1,relative; content:"csrcampaign.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105882/; classtype:trojan-activity;sid:80968982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/etdpv-iwvf_emvbnpknv-5e/ach/paymentinfo/en/0-past-due-invoices/"; http_uri; depth:64; isdataat:!1,relative; content:"animoderne.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105881/; classtype:trojan-activity;sid:80968981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/pki-validation/sserv.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"ahmic.pro"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105880/; classtype:trojan-activity;sid:80968980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/programy/windows/dodatki/wtyczki_do_komunikatorow/stronggg_www.instalki.pl.exe"; http_uri; depth:79; isdataat:!1,relative; content:"download.instalki.org"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105879/; classtype:trojan-activity;sid:80968979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kglp-2zo0_q-frg/invoice/41749/overpayment/us/overdue-payment/"; http_uri; depth:62; isdataat:!1,relative; content:"web.pa-cirebon.go.id"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105877/; classtype:trojan-activity;sid:80968977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://ar.caginerhastanesi.com.tr/idvex-gt6_m-nf/comet/signs/payment/notification/01/18/2019/en_us/document-needed|26|c=e1w7tozd_ovjcy60eqocwpbxreed-sijhlr8ktlmg4l_touxdneakc1gjguta8oma3d2uhrtbsuvdx22yxsherskbsbuq4rds1y1fhtlngilfi5ytc/"; http_uri; depth:241; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105878/; classtype:trojan-activity;sid:80968978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/atezsrmper2853602/rechnungs-details/hilfestellung/"; http_uri; depth:51; isdataat:!1,relative; content:"translampung.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105876/; classtype:trojan-activity;sid:80968976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/nmezpi6268550/rechnungskorrektur/rech/"; http_uri; depth:45; isdataat:!1,relative; content:"toddlerpops.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105875/; classtype:trojan-activity;sid:80968975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bn/wp-content/kwmw-wsoo_jydw-b2t/paymentstatus/en_en/277-20-468894-239-277-20-468894-861/"; http_uri; depth:90; isdataat:!1,relative; content:"mother-earth.net"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105874/; classtype:trojan-activity;sid:80968974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/xlxpdrqboe9525605/bestellungen/rechnungszahlung/"; http_uri; depth:52; isdataat:!1,relative; content:"gazenap.ru"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105873/; classtype:trojan-activity;sid:80968973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xxhkfsjt2382648/rechnungskorrektur/zahlungserinnerung/"; http_uri; depth:55; isdataat:!1,relative; content:"cumbrehambrecero.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105872/; classtype:trojan-activity;sid:80968972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zaqo-qb5_tjxk-pl/h96/invoicing/en_en/past-due-invoices/"; http_uri; depth:56; isdataat:!1,relative; content:"agentfox.io"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105870/; classtype:trojan-activity;sid:80968970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zlvkejwe/vlibz-0f_dvvldjusy-3da/ach/paymentinfo/us_us/invoice-for-n/n-01/18/2019/"; http_uri; depth:82; isdataat:!1,relative; content:"cardealersforbadcredit.net"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105871/; classtype:trojan-activity;sid:80968971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mp7mhva_1xvx_6tostw7/"; http_uri; depth:22; isdataat:!1,relative; content:"immo-en-israel.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105869/; classtype:trojan-activity;sid:80968969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rxqy-topx_bkl-k1/invoice/8882088/en_en/need-to-send-the-attachment/"; http_uri; depth:68; isdataat:!1,relative; content:"hjsanders.nl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105868/; classtype:trojan-activity;sid:80968968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ppcr-rb_qsls-e4/ach/paymentadvice/en/past-due-invoices/"; http_uri; depth:56; isdataat:!1,relative; content:"dplogistics.com.pl"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105867/; classtype:trojan-activity;sid:80968967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vtcv-vct0_ou-zjp/803067/surveyquestionsus/companies-invoice-09329127/"; http_uri; depth:70; isdataat:!1,relative; content:"forma-31.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105866/; classtype:trojan-activity;sid:80968966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/erqy-96sw_wh-hei/paymentstatus/us_us/invoices-attached/"; http_uri; depth:56; isdataat:!1,relative; content:"mandezik.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105865/; classtype:trojan-activity;sid:80968965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/aubwmmpmlx1acbzai5pmpk0anae_fl-jb5hb5jrupwjsvhoaz3bmvaulrd2g6p3gxkryyhk3tmq0nrckua3diya~~/"; http_uri; depth:91; isdataat:!1,relative; content:"url.emailprotection.link"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105864/; classtype:trojan-activity;sid:80968964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=u5te2xvqsumq5y90mzym5mxghp-2fqzruccby6ly5dmg396yzev1n8lwoinp95ul3kelajomb86hdotdzz6qiqqandvitbhlgi5ougu3ktbm8-3d_qt-2bjmiowruponhizbfr9hdl7hx1yjv-2be4m-2fxg7tunn-2frwhwqbskqhklwbmmfuucagrvb1drl9rn4bcjmlgqq1urder5wpeomv5dno-2b/"; http_uri; depth:239; isdataat:!1,relative; content:"u2922402.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105863/; classtype:trojan-activity;sid:80968963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=2xkp5mybjvisycvurmixzvywym-2be9ohwtciqqgmiq6uk5-2ft-2f0ofpa0y1-2fkoh-2bi7hxt-2fjv6nvk4lr9dok-2f3rywq-3d-3d_7xtddmhrjqiui4tzsjsp2gwvcs8-2bh04chp42t-2fiq6bwtd9-2fbs8vmneci2xbluns13ucktwarlpvvchujk17hr5x-2bodiqbm8uptdrbb49am6ot6/"; http_uri; depth:239; isdataat:!1,relative; content:"u2922402.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105861/; classtype:trojan-activity;sid:80968961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=bfmbsskhnv7cpcszgoijyadghim4unhl-2f8dk6mcte2naxuqstasfhrn3clkgnsc0fziwf5ktxjsby7dvudakzg-3d-3d_-2f2ke4d6zw-2fk3bcrbepdsznwsz5avyfoqjfgszypdjcu3anmg-2fssrqpojeb6umel27qt6sn-2bfpfejhfnvi9uqf3xov0scn0mugjvr1bd9dmhzi1nbxtzvzhliaj/"; http_uri; depth:239; isdataat:!1,relative; content:"u2922402.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105862/; classtype:trojan-activity;sid:80968962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaction_details/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"register.srru.ac.th"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105860/; classtype:trojan-activity;sid:80968960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/documents/01_19/"; http_uri; depth:24; isdataat:!1,relative; content:"wholehealthcrew.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105859/; classtype:trojan-activity;sid:80968959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/122018/"; http_uri; depth:18; isdataat:!1,relative; content:"suahoradeaprender.com.br"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105858/; classtype:trojan-activity;sid:80968958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payment_details/2019-01/"; http_uri; depth:25; isdataat:!1,relative; content:"lignumpolska.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105856/; classtype:trojan-activity;sid:80968956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=lqdaudk4fp2dcbvu1orajgodl7fwmqze24j7rp7v-2fs1-2bfsvkxmzzyu4g15cwu53zuym9xsmv4axkfut-2frg6pfg-3d-3d_dzdmncppqs0rwqj1xuc5dwxmqelvm0vmvwfu5aisreimmco4fj6uvicricvmecxsqbp4-2b8zulrev7hlgb5-2fla1egex0h885xwsvqa3t1djxtfqrfersz-2b1zbvjhzh/"; http_uri; depth:244; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105857/; classtype:trojan-activity;sid:80968957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/201812/"; http_uri; depth:20; isdataat:!1,relative; content:"jongewolf.nl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105855/; classtype:trojan-activity;sid:80968955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/messages/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"irsoradio.nl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105854/; classtype:trojan-activity;sid:80968954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transaction_details/012019/"; http_uri; depth:38; isdataat:!1,relative; content:"idgnet.nl"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105853/; classtype:trojan-activity;sid:80968953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/01_19/"; http_uri; depth:25; isdataat:!1,relative; content:"belovedmotherof13.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105852/; classtype:trojan-activity;sid:80968952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/phds2az/"; http_uri; depth:9; isdataat:!1,relative; content:"bh-mehregan.org"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105851/; classtype:trojan-activity;sid:80968951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"121.177.239.68"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105850/; classtype:trojan-activity;sid:80968950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"109.205.143.207"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105849/; classtype:trojan-activity;sid:80968949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/css/colors/blue/ssj.jpg"; http_uri; depth:33; isdataat:!1,relative; content:"flycourierservice.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105846/; classtype:trojan-activity;sid:80968946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mesmerize/languages/wp-content/themes/mesmerize/languages/sserv.jpg"; http_uri; depth:86; isdataat:!1,relative; content:"molministries.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105847/; classtype:trojan-activity;sid:80968947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mesmerize/woocommerce/checkout/wp-content/themes/mesmerize/woocommerce/checkout/sserv.jpg"; http_uri; depth:108; isdataat:!1,relative; content:"molministries.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105848/; classtype:trojan-activity;sid:80968948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mesmerize/page-templates/wp-content/themes/mesmerize/page-templates/sserv.jpg"; http_uri; depth:96; isdataat:!1,relative; content:"molministries.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105845/; classtype:trojan-activity;sid:80968945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tmp/sserv.jpg"; http_uri; depth:14; isdataat:!1,relative; content:"targettrustcompany.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105844/; classtype:trojan-activity;sid:80968944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mesmerize/inc/general-options/sserv.jpg"; http_uri; depth:58; isdataat:!1,relative; content:"molministries.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105843/; classtype:trojan-activity;sid:80968943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/oceanwp/woocommerce/cart/ssj.jpg"; http_uri; depth:51; isdataat:!1,relative; content:"rabhomes.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105842/; classtype:trojan-activity;sid:80968942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/journal/cache/sserv.jpg"; http_uri; depth:24; isdataat:!1,relative; content:"m.ttentionenergy.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105841/; classtype:trojan-activity;sid:80968941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/forum/cache/sserv.jpg"; http_uri; depth:22; isdataat:!1,relative; content:"privatpolicy.ttentionenergy.com"; http_host; depth:31; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105840/; classtype:trojan-activity;sid:80968940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mesmerize/languages/sserv.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"molministries.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105839/; classtype:trojan-activity;sid:80968939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mesmerize/page-templates/sserv.jpg"; http_uri; depth:53; isdataat:!1,relative; content:"molministries.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105838/; classtype:trojan-activity;sid:80968938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyseventeen/template-parts/footer/sserv.jpg"; http_uri; depth:66; isdataat:!1,relative; content:"dtprocure.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105837/; classtype:trojan-activity;sid:80968937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/cache/et/12/sserv.jpg"; http_uri; depth:33; isdataat:!1,relative; content:"preorder.ttentionenergy.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105836/; classtype:trojan-activity;sid:80968936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/ai1wm-backups/sserv.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"destinyheightsnetwork.org"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105835/; classtype:trojan-activity;sid:80968935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-snapshots/tmp/sserv.jpg"; http_uri; depth:27; isdataat:!1,relative; content:"molministries.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105834/; classtype:trojan-activity;sid:80968934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/id3/ssj.jpg"; http_uri; depth:24; isdataat:!1,relative; content:"flycourierservice.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105833/; classtype:trojan-activity;sid:80968933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wodisangshilinju3.exe"; http_uri; depth:22; isdataat:!1,relative; content:"dx93.downyouxi.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105832/; classtype:trojan-activity;sid:80968932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wodisangshilinju3.exe"; http_uri; depth:22; isdataat:!1,relative; content:"wt92.downyouxi.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105831/; classtype:trojan-activity;sid:80968931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/css/colors/blue/sserv.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"flycourierservice.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105830/; classtype:trojan-activity;sid:80968930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/css/colors/blue/sserv.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"shop.ttentionenergy.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105829/; classtype:trojan-activity;sid:80968929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/ewww/sserv.jpg"; http_uri; depth:26; isdataat:!1,relative; content:"surearmllc.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105828/; classtype:trojan-activity;sid:80968928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/soundcloud-shortcode/4.exe"; http_uri; depth:46; isdataat:!1,relative; content:"sight-admissions.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105827/; classtype:trojan-activity;sid:80968927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mesmerize/woocommerce/checkout/sserv.jpg"; http_uri; depth:59; isdataat:!1,relative; content:"molministries.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105826/; classtype:trojan-activity;sid:80968926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zhiyongsanguo2zhongwenban.exe"; http_uri; depth:30; isdataat:!1,relative; content:"wt91.downyouxi.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105825/; classtype:trojan-activity;sid:80968925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/css/colors/blue/sserv.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"preorder.ttentionenergy.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105824/; classtype:trojan-activity;sid:80968924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yiwtq-itd_eumu-vl/comet/signs/payment/notification/01/19/2019/en_us/overdue-payment/"; http_uri; depth:85; isdataat:!1,relative; content:"nouslesentrepreneurs.fr"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105822/; classtype:trojan-activity;sid:80968922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/0y8o_v1p0las/"; http_uri; depth:14; isdataat:!1,relative; content:"vendermicasaenbarcelona.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105823/; classtype:trojan-activity;sid:80968923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vmyb-ht_jaqo-gi/inv/99401forpo/20673114777/us/outstanding-invoices/"; http_uri; depth:68; isdataat:!1,relative; content:"sskymedia.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105821/; classtype:trojan-activity;sid:80968921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/riplns6/information/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"mail.learntoberich.vn"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105820/; classtype:trojan-activity;sid:80968920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dwsx5bwe/"; http_uri; depth:10; isdataat:!1,relative; content:"vincopoker.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105819/; classtype:trojan-activity;sid:80968919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pjuupfw/amazon/payment_details/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"bootaly.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105818/; classtype:trojan-activity;sid:80968918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/2019-01/"; http_uri; depth:17; isdataat:!1,relative; content:"modaphamya.asertiva.cl"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105817/; classtype:trojan-activity;sid:80968917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"faternegar.ir"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105816/; classtype:trojan-activity;sid:80968916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaction_details/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"tnr-vietnam.net"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105815/; classtype:trojan-activity;sid:80968915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payment_details/012019/"; http_uri; depth:24; isdataat:!1,relative; content:"milimetrikistanbul.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105814/; classtype:trojan-activity;sid:80968914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/012019/"; http_uri; depth:16; isdataat:!1,relative; content:"leviathan.rs"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105813/; classtype:trojan-activity;sid:80968913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tag_old/wp-includes/js/clients_information/2019-01/"; http_uri; depth:52; isdataat:!1,relative; content:"www.tag.ir"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105812/; classtype:trojan-activity;sid:80968912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=bipawjqs3h-2fqnxmrpriczooweishlfk7sxzg5z2qe37dnibtla0jzsbug2xmvqd03zbcz5gdkhjc1xooftyoaw-3d-3d_twqmej3feavn74dcoznyly3spqsa8kjt1trujf8v8ygovjf2h0-2bssvduiak72lwi3yism5ulubrmrsdhie-2f3l2xgi4gvncfttq-2bdxtwclrl4ubtekfnewamiaabgwz13lwcvivof-2b7sxjx-2fhpe2-2bgjdsfr7wlrpkoooapsftoashmxf-2bgp-2fywezeeoxej-2fc9eytgu5wqwlfdscw5brq56q-3d-3d/"; http_uri; depth:347; isdataat:!1,relative; content:"u2922402.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105811/; classtype:trojan-activity;sid:80968911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arrglssi454x_jewff6w4igtu6x_qbzcafvvpl3tzbtztnrrtr5ogrlndxdld4ei8ja2pnbd9p8nut0p5cqikog~~/"; http_uri; depth:91; isdataat:!1,relative; content:"url.emailprotection.link"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105810/; classtype:trojan-activity;sid:80968910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payments/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"vacationletting.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105809/; classtype:trojan-activity;sid:80968909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_transactions/2019-01/"; http_uri; depth:30; isdataat:!1,relative; content:"med.siam.edu"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105808/; classtype:trojan-activity;sid:80968908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_transactions/2019-01/"; http_uri; depth:30; isdataat:!1,relative; content:"samix-num.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105807/; classtype:trojan-activity;sid:80968907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/2019-01/"; http_uri; depth:21; isdataat:!1,relative; content:"fieldscollege.co.za"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105806/; classtype:trojan-activity;sid:80968906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_messages/01_19/"; http_uri; depth:24; isdataat:!1,relative; content:"paradiseguests.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105805/; classtype:trojan-activity;sid:80968905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"sasecuritygroup.com.br"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105804/; classtype:trojan-activity;sid:80968904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payment_details/01_19/"; http_uri; depth:23; isdataat:!1,relative; content:"partycloud.nl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105803/; classtype:trojan-activity;sid:80968903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payment_details/012019/"; http_uri; depth:24; isdataat:!1,relative; content:"smkn.co.id"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105802/; classtype:trojan-activity;sid:80968902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"sara-gadalka.com.kg"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105801/; classtype:trojan-activity;sid:80968901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"www.zonnestroomtilburg.nl"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105800/; classtype:trojan-activity;sid:80968900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"www.testandersonline.nl"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105799/; classtype:trojan-activity;sid:80968899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaction_details/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"digital.eudoratrading.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105798/; classtype:trojan-activity;sid:80968898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/2019-01/"; http_uri; depth:19; isdataat:!1,relative; content:"wimpiebarnard.co.za"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105797/; classtype:trojan-activity;sid:80968897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images2/payment_slip_pdf.scr"; http_uri; depth:29; isdataat:!1,relative; content:"readingtokids.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105796/; classtype:trojan-activity;sid:80968896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hn_hide/app.bin"; http_uri; depth:16; isdataat:!1,relative; content:"downfile2019.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105795/; classtype:trojan-activity;sid:80968895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"122.174.253.72"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105794/; classtype:trojan-activity;sid:80968894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"95.9.220.134"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105793/; classtype:trojan-activity;sid:80968893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"92.44.62.174"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105792/; classtype:trojan-activity;sid:80968892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"184.82.57.237"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105791/; classtype:trojan-activity;sid:80968891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dlmp-xu_olaiwmvn-li/invoice/63494/overpayment/us_us/invoice-corrections-for-22/75/"; http_uri; depth:83; isdataat:!1,relative; content:"apresearch.in"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105790/; classtype:trojan-activity;sid:80968890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kgpms-hyfze_nfegqoji-wv/en/open-past-due-orders/"; http_uri; depth:49; isdataat:!1,relative; content:"www.gtp.usgtf.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105789/; classtype:trojan-activity;sid:80968889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http%3a%2f%2fwww.emmanuelboos.info%2fyqlad-p5ij_na-5ef%2fref%2f9928911859en_en%2fnew-order|26|c=e1el5wqyqwuoa9exjj-hszfsatkpvelrczectmy3hcn-jgscdfoosmi9u1egpafp9a1xiypuraiq3nmt4emndtkfdoj57jj0uizgb5y_9jaju5dmmyzpa|26|typo=1/"; http_uri; depth:230; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105786/; classtype:trojan-activity;sid:80968886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://ar.caginerhastanesi.com.tr/idvex-gt6_m-nf/comet/signs/payment/notification/01/18/2019/en_us/document-needed|26|c=e1w7tozd_ovjcy60eqocwpbxreed-sijhlr8ktlmg4l_touxdneakc1gjguta8oma3d2uhrtbsuvdx22yxsherskbsbuq4rds1y1fhtlngilfi5ytcag|26|typo=1/"; http_uri; depth:253; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105787/; classtype:trojan-activity;sid:80968887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nqxxr-ym0c_ehmzsvjus-nu/ach/paymentadvice/en_en/invoice/"; http_uri; depth:57; isdataat:!1,relative; content:"souqaziz.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105788/; classtype:trojan-activity;sid:80968888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qwxvb-kle2_ieultle-an/invoice/56679571/us/overdue-payment/"; http_uri; depth:59; isdataat:!1,relative; content:"tanineahlebeyt.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105785/; classtype:trojan-activity;sid:80968885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iawo-dq_lapt-9nn/ach/paymentadvice/en_en/important-please-read/"; http_uri; depth:64; isdataat:!1,relative; content:"superpozyczki.pl"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105784/; classtype:trojan-activity;sid:80968884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mccs-vjo_zhvdph-aa/invoice/us_us/need-to-send-the-attachment/"; http_uri; depth:62; isdataat:!1,relative; content:"www.universalsmile.org"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105783/; classtype:trojan-activity;sid:80968883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/duyan-5ptf_yilyre-aj/c832/invoicing/us/open-past-due-orders/"; http_uri; depth:61; isdataat:!1,relative; content:"www.ubocapacitacion.cl"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105782/; classtype:trojan-activity;sid:80968882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yaiq-6wzwy_vcjn-wdr/ref/5409569504en/ach-form/"; http_uri; depth:47; isdataat:!1,relative; content:"www.pro-ind.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105781/; classtype:trojan-activity;sid:80968881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/twcpz-cp7p_kaa-xa/paymentstatus/en_us/ach-form/"; http_uri; depth:48; isdataat:!1,relative; content:"www.idgnet.nl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105780/; classtype:trojan-activity;sid:80968880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zrfmx-p3rd_l-li9/invoicecodechanges/en/service-invoice/"; http_uri; depth:56; isdataat:!1,relative; content:"www.fatma-bouchiha-psychologue.fr"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105779/; classtype:trojan-activity;sid:80968879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zqqp-wai_stenqmygw-hap/qb24/invoicing/us/service-invoice/"; http_uri; depth:58; isdataat:!1,relative; content:"www.dsltech.co.uk"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105778/; classtype:trojan-activity;sid:80968878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wliup-lx_rf-04l/invoice/en/invoice-receipt/"; http_uri; depth:44; isdataat:!1,relative; content:"www.craigryan.eu"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105777/; classtype:trojan-activity;sid:80968877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ysfhc-un_qlqzxh-ssr/comet/signs/payment/notification/01/19/2019/us/paid-invoice-credit-card-receipt/"; http_uri; depth:101; isdataat:!1,relative; content:"www.array.com.ua"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105776/; classtype:trojan-activity;sid:80968876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lamdd-nom6_thbij-fy/invoices/6958/89166/us_us/need-to-send-the-attachment/"; http_uri; depth:75; isdataat:!1,relative; content:"vnxpress24h.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105775/; classtype:trojan-activity;sid:80968875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/oatlo-pe0bn_nsw-5n/invoice/en_us/invoices-attached/"; http_uri; depth:52; isdataat:!1,relative; content:"ucfoundation.online"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105774/; classtype:trojan-activity;sid:80968874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xsxj-rz_sime-fuu/invoice/74831/overpayment/en/paid-invoices/"; http_uri; depth:61; isdataat:!1,relative; content:"trottmyworld.ch"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105773/; classtype:trojan-activity;sid:80968873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ufknh-ddziz_aal-3w6/ext/paymentstatus/us/past-due-invoices/"; http_uri; depth:60; isdataat:!1,relative; content:"thesunavenuequan2.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105772/; classtype:trojan-activity;sid:80968872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urjhb-eiye9_crhcodsuj-l9/us/outstanding-invoices/"; http_uri; depth:50; isdataat:!1,relative; content:"sidelineking.xyz"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105771/; classtype:trojan-activity;sid:80968871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wtmdy-zqzy_xqbf-yeo/ach/paymentinfo/us_us/past-due-invoice/"; http_uri; depth:60; isdataat:!1,relative; content:"shootinstars.in"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105770/; classtype:trojan-activity;sid:80968870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/flwe-3yxo_ttxlonhf-yi/ext/paymentstatus/us/companies-invoice-16854071/"; http_uri; depth:90; isdataat:!1,relative; content:"rozwijamy.biz"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105769/; classtype:trojan-activity;sid:80968869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zvmh-sx_erqn-tp/z31/invoicing/en/invoice-for-you/"; http_uri; depth:50; isdataat:!1,relative; content:"quentinberra.fr"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105768/; classtype:trojan-activity;sid:80968868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/etszq-ci_aglrkgmk-alc/ext/paymentstatus/us_us/open-invoices/"; http_uri; depth:61; isdataat:!1,relative; content:"qigong-gironde.fr"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105767/; classtype:trojan-activity;sid:80968867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yikcl-er5cf_dkj-je/us_us/overdue-payment/"; http_uri; depth:42; isdataat:!1,relative; content:"pmcorporation.fr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105766/; classtype:trojan-activity;sid:80968866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/livgv-lu8b_sgsumh-wj/invoice/9613/overpayment/us/past-due-invoices/"; http_uri; depth:68; isdataat:!1,relative; content:"mroffers.co.ke"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105765/; classtype:trojan-activity;sid:80968865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wxib-vab1n_kqt-1yf/ext/paymentstatus/us/invoice/"; http_uri; depth:49; isdataat:!1,relative; content:"migoshen.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105764/; classtype:trojan-activity;sid:80968864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bxjvt-w11j_epflug-iuq/ach/paymentadvice/us_us/invoice-for-l/b-01/19/2019/"; http_uri; depth:74; isdataat:!1,relative; content:"lespetitsloupsmaraichers.fr"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105763/; classtype:trojan-activity;sid:80968863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lismr-g8_sgbq-nlq/invoices/60259/12719/us/invoice-59553663/"; http_uri; depth:60; isdataat:!1,relative; content:"lamppm.asertiva.cl"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105762/; classtype:trojan-activity;sid:80968862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/oaxps-8flnn_swv-po/en_en/companies-invoice-5251735/"; http_uri; depth:52; isdataat:!1,relative; content:"joinerycity.co.uk"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105761/; classtype:trojan-activity;sid:80968861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rhmhw-fcles_fmf-z82/154512/surveyquestionsus/scan/"; http_uri; depth:51; isdataat:!1,relative; content:"fce-transport.nl"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105760/; classtype:trojan-activity;sid:80968860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/adfy-lh_vhblqqxme-qga/invoice/6802/overpayment/en_en/open-past-due-orders/"; http_uri; depth:75; isdataat:!1,relative; content:"evaviet.net"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105759/; classtype:trojan-activity;sid:80968859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xubb-ingv_l-gj8/invoice/0576/overpayment/us/paid-invoice-credit-card-receipt/"; http_uri; depth:78; isdataat:!1,relative; content:"ero4790k.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105758/; classtype:trojan-activity;sid:80968858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/edhfd-gq_aiwqwukk-cph/invoicecodechanges/en_en/paid-invoice/"; http_uri; depth:61; isdataat:!1,relative; content:"distinctiveblog.ir"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105757/; classtype:trojan-activity;sid:80968857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hwscx-czve_fm-xe/ref/16789462en_us/invoice-2239940-january/"; http_uri; depth:60; isdataat:!1,relative; content:"cms.berichtvoorjou.nl"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105756/; classtype:trojan-activity;sid:80968856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lzvtt-qdffm_bu-zqp/ach/paymentinfo/us_us/question/"; http_uri; depth:51; isdataat:!1,relative; content:"blogg.postvaxel.se"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105755/; classtype:trojan-activity;sid:80968855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tlmmm-npq_jjkmwes-bzj/ach/paymentadvice/en_en/service-report-3588/"; http_uri; depth:67; isdataat:!1,relative; content:"batdongsanbamien24h.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105754/; classtype:trojan-activity;sid:80968854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kokmx-ddrbm_bnsfv-8z/invoice/us/invoice-for-u/a-01/19/2019/"; http_uri; depth:60; isdataat:!1,relative; content:"andrewsalmon.co.uk"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105753/; classtype:trojan-activity;sid:80968853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"187.62.179.28"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105752/; classtype:trojan-activity;sid:80968852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ltliq-dqq_up-ejj/ach/paymentadvice/us_us/invoice-receipt/"; http_uri; depth:58; isdataat:!1,relative; content:"westland-onderhoud.nl"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105751/; classtype:trojan-activity;sid:80968851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/information/2019-01/"; http_uri; depth:30; isdataat:!1,relative; content:"xn--pekys-iya.lt"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105750/; classtype:trojan-activity;sid:80968850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/201812/"; http_uri; depth:19; isdataat:!1,relative; content:"www.xn----8sbef8axpew9i.xn--p1ai"; http_host; depth:32; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105749/; classtype:trojan-activity;sid:80968849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=lqdaudk4fp2dcbvu1orajgodl7fwmqze24j7rp7v-2fs1-2bfsvkxmzzyu4g15cwu53zuym9xsmv4axkfut-2frg6pfg-3d-3d_dzdmncppqs0rwqj1xuc5dwxmqelvm0vmvwfu5aisreimmco4fj6uvicricvmecxsqbp4-2b8zulrev7hlgb5-2fla1egex0h885xwsvqa3t1djxtfqrfersz-2b1zbvjhzhw7dqzoiail-2bwhbad70nyppjczhlgydpfl27msjjz-2bw8fgmi0yjc9xyxtnjwaap3itel96e-2beogdaniy68rieprpjserpow-2bvuwfayibsn8-2f8im-3d/"; http_uri; depth:367; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105748/; classtype:trojan-activity;sid:80968848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_messages/2019-01/"; http_uri; depth:26; isdataat:!1,relative; content:"sedhu.uy"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105747/; classtype:trojan-activity;sid:80968847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/2019-01/"; http_uri; depth:17; isdataat:!1,relative; content:"cbsr.com.pk"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105746/; classtype:trojan-activity;sid:80968846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/messages/2019-01/"; http_uri; depth:18; isdataat:!1,relative; content:"borsh.site"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105745/; classtype:trojan-activity;sid:80968845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/transactions/2019-01/"; http_uri; depth:34; isdataat:!1,relative; content:"amitisazma.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105744/; classtype:trojan-activity;sid:80968844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"yhhhczdy.cf"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105743/; classtype:trojan-activity;sid:80968843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/dez2018/"; http_uri; depth:20; isdataat:!1,relative; content:"marisel.com.ua"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105742/; classtype:trojan-activity;sid:80968842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/01_19/"; http_uri; depth:35; isdataat:!1,relative; content:"bobin-head.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105741/; classtype:trojan-activity;sid:80968841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a6vdsptgs_vnryygmj_by6bs0ltjpqsktopuniiffxnn9_c6z29mhpxuyuonghfw7hdpbxyx5qvymuewh5mwbkg~~/"; http_uri; depth:91; isdataat:!1,relative; content:"url.emailprotection.link"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105740/; classtype:trojan-activity;sid:80968840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"poly.rise-up.nsk.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105739/; classtype:trojan-activity;sid:80968839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"kantova.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105738/; classtype:trojan-activity;sid:80968838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://etsj.futminna.edu.ng/details/01_19|26|c=e10ezrhjvrjhfkoepmmduw-w7mh2qbpwtp9otwhxxn4k3ousjbdnajoymejvgffohxeyjooy3r82nibjnwodzv0ljwqsgx97sark6v5ormwjgrq-uffpqpc_xh|26|typo=1/"; http_uri; depth:186; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105737/; classtype:trojan-activity;sid:80968837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rgqkmu8i/"; http_uri; depth:10; isdataat:!1,relative; content:"prakritikkrishi.org"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105736/; classtype:trojan-activity;sid:80968836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/zbylzi6s/"; http_uri; depth:22; isdataat:!1,relative; content:"www.kheiriehsalehin.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105735/; classtype:trojan-activity;sid:80968835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/phds2az/"; http_uri; depth:9; isdataat:!1,relative; content:"www.bh-mehregan.org"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105734/; classtype:trojan-activity;sid:80968834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fsdvowy/"; http_uri; depth:9; isdataat:!1,relative; content:"shantiniketangranthalay.technoexam.com"; http_host; depth:38; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105733/; classtype:trojan-activity;sid:80968833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dwsx5bwe/"; http_uri; depth:10; isdataat:!1,relative; content:"www.vincopoker.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105732/; classtype:trojan-activity;sid:80968832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iqdmlvvk5515424/information/2019-01/"; http_uri; depth:37; isdataat:!1,relative; content:"truongland.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105731/; classtype:trojan-activity;sid:80968831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_transactions/01_19/"; http_uri; depth:28; isdataat:!1,relative; content:"tingera.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105730/; classtype:trojan-activity;sid:80968830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/122018/"; http_uri; depth:19; isdataat:!1,relative; content:"thelivingstonfamily.net"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105729/; classtype:trojan-activity;sid:80968829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"sevenempreenda.com.br"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105728/; classtype:trojan-activity;sid:80968828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/2018/"; http_uri; depth:15; isdataat:!1,relative; content:"saintjohnscba.com.ar"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105727/; classtype:trojan-activity;sid:80968827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x5gsrus/clients_messages/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"maytinhdau.vn"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105726/; classtype:trojan-activity;sid:80968826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/012019/"; http_uri; depth:16; isdataat:!1,relative; content:"zonnestroomtilburg.nl"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105725/; classtype:trojan-activity;sid:80968825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"queensaccessories.co.za"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105724/; classtype:trojan-activity;sid:80968824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaction_details/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"goldengateschool.in"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105723/; classtype:trojan-activity;sid:80968823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/jf0bdeb_lnqt6dkq"; http_uri; depth:26; isdataat:!1,relative; content:"hartarizkigraha.co.id"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105722/; classtype:trojan-activity;sid:80968822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pjjcudu8kn/"; http_uri; depth:12; isdataat:!1,relative; content:"reparaties-ipad.nl"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105721/; classtype:trojan-activity;sid:80968821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/0y8o_v1p0las"; http_uri; depth:13; isdataat:!1,relative; content:"vendermicasaenbarcelona.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105720/; classtype:trojan-activity;sid:80968820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payments/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"petersatherley.live"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105719/; classtype:trojan-activity;sid:80968819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/2018/"; http_uri; depth:18; isdataat:!1,relative; content:"ipeople.vn"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105718/; classtype:trojan-activity;sid:80968818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payments/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"franklincovey.co.ke"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105717/; classtype:trojan-activity;sid:80968817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/2019-01/"; http_uri; depth:19; isdataat:!1,relative; content:"storyonmymind.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105716/; classtype:trojan-activity;sid:80968816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/2019-01/"; http_uri; depth:22; isdataat:!1,relative; content:"www.kortinakomarno.sk"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105715/; classtype:trojan-activity;sid:80968815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payment_details/012019/"; http_uri; depth:24; isdataat:!1,relative; content:"qeducacional.com.br"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105714/; classtype:trojan-activity;sid:80968814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaction_details/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"esculturaemjoia.vjvarga.com.br"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105713/; classtype:trojan-activity;sid:80968813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/docs/amazon/transactions/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"quahandmade.org"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105712/; classtype:trojan-activity;sid:80968812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/2019-01/"; http_uri; depth:21; isdataat:!1,relative; content:"mail.queensaccessories.co.za"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105711/; classtype:trojan-activity;sid:80968811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payment_details/2019-01/"; http_uri; depth:25; isdataat:!1,relative; content:"www.sobrancelhascassiana.com.br"; http_host; depth:31; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105710/; classtype:trojan-activity;sid:80968810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/012019/"; http_uri; depth:21; isdataat:!1,relative; content:"wall309.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105709/; classtype:trojan-activity;sid:80968809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payments/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"oculista.com.br"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105708/; classtype:trojan-activity;sid:80968808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://etsj.futminna.edu.ng/details/01_19|26|c=e,1,0ezrhjvrjhfkoepmmduw-w7mh2qbpwtp9otwhxxn4k3ousjbdnajoymejvgffohxeyjooy3r82nibjnwodzv0ljwqsgx97sark6v5ormwjgrq-uffpqpc_xh|26|typo=1/"; http_uri; depth:188; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105707/; classtype:trojan-activity;sid:80968807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/clients_transactions/012019/"; http_uri; depth:38; isdataat:!1,relative; content:"lmrcaorgukdy.cf"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105706/; classtype:trojan-activity;sid:80968806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"rapport-de-stage-tevai-sallaberry.fr"; http_host; depth:36; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105704/; classtype:trojan-activity;sid:80968804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=u5te2xvqsumq5y90mzym5mxghp-2fqzruccby6ly5dmg396yzev1n8lwoinp95ul3kelajomb86hdotdzz6qiqqandvitbhlgi5ougu3ktbm8-3d_qt-2bjmiowruponhizbfr9hdl7hx1yjv-2be4m-2fxg7tunn-2frwhwqbskqhklwbmmfuucagrvb1drl9rn4bcjmlgqq1urder5wpeomv5dno-2bsz-2bouvtxdiids22eywdrtb52i1-2bhpmz3q37u27s-2fyqazzpvtxz6t0ulhff-2flisdq5pvgr7jmztpb20jwtaqosdfu5akik86i3fl-2bmugneyqrg45xtxlrtxbd3fdthwoye7vm4-3d/"; http_uri; depth:385; isdataat:!1,relative; content:"u2922402.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105705/; classtype:trojan-activity;sid:80968805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/messages/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"fornalhadoabencoado.com.br"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105703/; classtype:trojan-activity;sid:80968803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=bfmbsskhnv7cpcszgoijyadghim4unhl-2f8dk6mcte2naxuqstasfhrn3clkgnsc0fziwf5ktxjsby7dvudakzg-3d-3d_-2f2ke4d6zw-2fk3bcrbepdsznwsz5avyfoqjfgszypdjcu3anmg-2fssrqpojeb6umel27qt6sn-2bfpfejhfnvi9uqf3xov0scn0mugjvr1bd9dmhzi1nbxtzvzhliajymotx3cemkwplbsfx3-2fhrb9lu6ztgjxbwzv4-2fg0vdqrf1jkm2q2wrscoktu6ithzcyslxubs2w2oxx2nrpgqh3bqogxqabufwocw30yt1fla-2ffz0m-3d/"; http_uri; depth:361; isdataat:!1,relative; content:"u2922402.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105702/; classtype:trojan-activity;sid:80968802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaction_details/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"register.srru.ac.th"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105701/; classtype:trojan-activity;sid:80968801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"themanorcentralparknguyenxien.net"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105700/; classtype:trojan-activity;sid:80968800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"kamlab.fr"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105699/; classtype:trojan-activity;sid:80968799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/2019-01/"; http_uri; depth:22; isdataat:!1,relative; content:"souqaziz.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105698/; classtype:trojan-activity;sid:80968798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_messages/012019/"; http_uri; depth:25; isdataat:!1,relative; content:"sofrehgard.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105697/; classtype:trojan-activity;sid:80968797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"hiswillfuneralhome.co.za"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105696/; classtype:trojan-activity;sid:80968796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/2019-01/"; http_uri; depth:21; isdataat:!1,relative; content:"ashleymrc.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105695/; classtype:trojan-activity;sid:80968795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/01_19/"; http_uri; depth:20; isdataat:!1,relative; content:"ria.krasnorechie.org"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105694/; classtype:trojan-activity;sid:80968794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/clients_information/01_19/"; http_uri; depth:38; isdataat:!1,relative; content:"songlinhtran.vn"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105693/; classtype:trojan-activity;sid:80968793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"jcpersonaliza.com.br"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105692/; classtype:trojan-activity;sid:80968792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/skmwj-rjnwq_yerwtq-k00/comet/signs/payment/notification/01/18/2019/us/question/"; http_uri; depth:80; isdataat:!1,relative; content:"wtede.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105691/; classtype:trojan-activity;sid:80968791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xzxl-rbe_itzbybxt-p8g/paymentstatus/en_us/471-01-466452-809-471-01-466452-917/"; http_uri; depth:79; isdataat:!1,relative; content:"vndaily.site"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105690/; classtype:trojan-activity;sid:80968790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gxqkz-xm_dqrxpuu-zb3/invoices/5524/5747/en_us/invoice-93042534-january/"; http_uri; depth:72; isdataat:!1,relative; content:"realgen-webdesign.nl"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105689/; classtype:trojan-activity;sid:80968789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgi-bin/rqyil-ip_ytdewof-yyc/inv/803038forpo/6442295196/us_us/paid-invoice-credit-card-receipt/"; http_uri; depth:96; isdataat:!1,relative; content:"appliancestalk.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105688/; classtype:trojan-activity;sid:80968788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kbcg0oh0_rnnj4tltq_k/"; http_uri; depth:22; isdataat:!1,relative; content:"thanhlapdoanhnghiephnh.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105687/; classtype:trojan-activity;sid:80968787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d4rm_eugj/"; http_uri; depth:11; isdataat:!1,relative; content:"afordioretails.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105686/; classtype:trojan-activity;sid:80968786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/9z7_mfl011/"; http_uri; depth:23; isdataat:!1,relative; content:"salecar2.muasam360.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105685/; classtype:trojan-activity;sid:80968785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xmy9mfv1_pdqsd/"; http_uri; depth:16; isdataat:!1,relative; content:"panlierhu.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105684/; classtype:trojan-activity;sid:80968784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/e24sv6_38ihrh_nvyqny/"; http_uri; depth:22; isdataat:!1,relative; content:"salah.mobiilat.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105683/; classtype:trojan-activity;sid:80968783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1.exe"; http_uri; depth:6; isdataat:!1,relative; content:"193.151.91.163"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105682/; classtype:trojan-activity;sid:80968782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"106.105.197.111"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105681/; classtype:trojan-activity;sid:80968781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http%3a%2f%2fwww.emmanuelboos.info%2fyqlad-p5ij_na-5ef%2fref%2f9928911859en_en%2fnew-order|26|c=e,1,el5wqyqwuoa9exjj-hszfsatkpvelrczectmy3hcn-jgscdfoosmi9u1egpafp9a1xiypuraiq3nmt4emndtkfdoj57jj0uizgb5y_9jaju5dmmyzpa,|26|typo=1/"; http_uri; depth:233; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105680/; classtype:trojan-activity;sid:80968780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cbex-jj_ynmrs-xfi/invoice/910581862/en_us/past-due-invoices/"; http_uri; depth:61; isdataat:!1,relative; content:"www.windailygh.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105679/; classtype:trojan-activity;sid:80968779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cpzf-pg7f_xiogp-l3n/comet/signs/payment/notification/01/18/2019/us_us/paid-invoice/"; http_uri; depth:84; isdataat:!1,relative; content:"www.southafricanvenousforum.co.za"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105678/; classtype:trojan-activity;sid:80968778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miue-u3yoh_wtpd-g3/204943/surveyquestionsen_en/scan/"; http_uri; depth:53; isdataat:!1,relative; content:"www.skyrim-gow.fr"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105677/; classtype:trojan-activity;sid:80968777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nfssn-qp_wtsxvlgb-nyu/paymentstatus/en/new-order/"; http_uri; depth:50; isdataat:!1,relative; content:"www.pwpami.pl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105676/; classtype:trojan-activity;sid:80968776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dhkb-7q_eqpwxllr-x2/ref/2723472224us_us/ach-form/"; http_uri; depth:50; isdataat:!1,relative; content:"www.ljfpajpdy.cf"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105675/; classtype:trojan-activity;sid:80968775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ofara-og_h-omh/600387/surveyquestionsen_en/important-please-read/"; http_uri; depth:66; isdataat:!1,relative; content:"www.lexfort.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105674/; classtype:trojan-activity;sid:80968774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ctca-8m_kfnrfqbku-dqi/invoice/8751108/us_us/open-invoices/"; http_uri; depth:59; isdataat:!1,relative; content:"www.housesittingreference.com"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105673/; classtype:trojan-activity;sid:80968773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/aall-70_ifwirwpbw-ns/ext/paymentstatus/en_us/document-needed/"; http_uri; depth:62; isdataat:!1,relative; content:"www.grantkulinar.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105672/; classtype:trojan-activity;sid:80968772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/galjp-ra_noqrx-s0i/invoicecodechanges/us_us/need-to-send-the-attachment/"; http_uri; depth:73; isdataat:!1,relative; content:"www.glazastiks.ru"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105671/; classtype:trojan-activity;sid:80968771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yqlad-p5ij_na-5ef/ref/9928911859en_en/new-order/"; http_uri; depth:49; isdataat:!1,relative; content:"www.emmanuelboos.info"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105670/; classtype:trojan-activity;sid:80968770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gyoz-ckpq_j-tev/invoicecodechanges/us_us/invoices-attached/"; http_uri; depth:60; isdataat:!1,relative; content:"www.abmtrust.org"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105669/; classtype:trojan-activity;sid:80968769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zzplc-mclaf_zsrrmdt-4hr/paymentstatus/us/sales-invoice/"; http_uri; depth:56; isdataat:!1,relative; content:"welovecreative.co.nz"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105668/; classtype:trojan-activity;sid:80968768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/exwp-ying_dqbpzia-ip/inv/474605forpo/382136162612/en_us/invoice-0002914/"; http_uri; depth:73; isdataat:!1,relative; content:"webview.bvibus.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105667/; classtype:trojan-activity;sid:80968767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bmdqb-egm_ltziemyw-tg/inv/75370forpo/8323587825/en/sales-invoice/"; http_uri; depth:66; isdataat:!1,relative; content:"tommie.tlpdesignstudios.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105666/; classtype:trojan-activity;sid:80968766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sxrzg-xh5_sh-dc/invoices/7595/8458/us_us/service-report-0593/"; http_uri; depth:62; isdataat:!1,relative; content:"titheringtons.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105665/; classtype:trojan-activity;sid:80968765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fzww-sxtp_g-vv/ach/paymentinfo/en_en/past-due-invoices/"; http_uri; depth:56; isdataat:!1,relative; content:"suglafish.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105664/; classtype:trojan-activity;sid:80968764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tmp/nvbj-lo_mkwf-iva/invoice/5181591/us_us/outstanding-invoices/"; http_uri; depth:65; isdataat:!1,relative; content:"stats.www.giancarlopuppo.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105663/; classtype:trojan-activity;sid:80968763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rkijm-zc_cbzyocabk-e5/en_us/invoice-57753072-january/"; http_uri; depth:54; isdataat:!1,relative; content:"spcoretraining.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105662/; classtype:trojan-activity;sid:80968762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jvfqy-vqs_fctwbvz-fsr/invoice/63259968/en_en/invoice-20415544/"; http_uri; depth:63; isdataat:!1,relative; content:"southpacificawaits.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105661/; classtype:trojan-activity;sid:80968761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/omdzp-3ii_s-kz/paymentstatus/en_us/scan/"; http_uri; depth:41; isdataat:!1,relative; content:"southernthatch.co.za"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105660/; classtype:trojan-activity;sid:80968760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/whxs-b1td_aedwhsrhg-fjh/invoices/4313/7912/en_us/956-19-758612-186-956-19-758612-699/"; http_uri; depth:86; isdataat:!1,relative; content:"smsold401.smsold.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105659/; classtype:trojan-activity;sid:80968759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bcnp-iazwr_eodxmtixo-lz/southwire/hzd87624096/en/ach-form/"; http_uri; depth:59; isdataat:!1,relative; content:"smsin.site"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105658/; classtype:trojan-activity;sid:80968758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gsaa-7qq6x_thrcvgz-3v/ext/paymentstatus/us_us/invoice-1322320/"; http_uri; depth:63; isdataat:!1,relative; content:"shop.avn.parts"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105657/; classtype:trojan-activity;sid:80968757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rdpum-d3ai_jgixobg-jdo/ach/paymentadvice/en_en/invoice/"; http_uri; depth:56; isdataat:!1,relative; content:"shafanikan.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105656/; classtype:trojan-activity;sid:80968756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dnee-mv9_cwhirbs-ui/invoice/en_us/invoice-receipt/"; http_uri; depth:51; isdataat:!1,relative; content:"sgtsrl.it"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105655/; classtype:trojan-activity;sid:80968755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xhyib-q8nva_tyfqmfj-vz1/0039425/surveyquestionsus/invoice-2027925-january/"; http_uri; depth:75; isdataat:!1,relative; content:"sanmarengenharia.com.br"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105654/; classtype:trojan-activity;sid:80968754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zwxt-na3tk_bisz-p0/ext/paymentstatus/en_en/paid-invoice-credit-card-receipt/"; http_uri; depth:77; isdataat:!1,relative; content:"revistarevival.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105653/; classtype:trojan-activity;sid:80968753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ciplc-3g_uixod-ukh/invoice/18742280/us_us/invoice-for-x/k-01/18/2019/"; http_uri; depth:70; isdataat:!1,relative; content:"redwing.com.eg"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105652/; classtype:trojan-activity;sid:80968752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bgbms-5w_bdp-aj0/comet/signs/payment/notification/01/18/2019/en_en/past-due-invoice/"; http_uri; depth:85; isdataat:!1,relative; content:"rccgregion15juniorchurch.org"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105651/; classtype:trojan-activity;sid:80968751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bqshe-ko_yxfudv-fs/ref/740935652en/outstanding-invoices/"; http_uri; depth:57; isdataat:!1,relative; content:"petparents.com.br"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105650/; classtype:trojan-activity;sid:80968750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/evtay-g1_kjjamq-jj/invoice/us_us/invoice-receipt/"; http_uri; depth:50; isdataat:!1,relative; content:"pe-co.nl"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105649/; classtype:trojan-activity;sid:80968749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vpht-jn2_eohiytjyr-dm/invoicecodechanges/en/past-due-invoices/"; http_uri; depth:63; isdataat:!1,relative; content:"offblack.de"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105648/; classtype:trojan-activity;sid:80968748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/larsa-lkx_mq-vd/ref/817226888en_en/invoice-receipt/"; http_uri; depth:52; isdataat:!1,relative; content:"oceangate.parkhomes.vn"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105647/; classtype:trojan-activity;sid:80968747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hshvt-nbqb_e-vd/15150/surveyquestionsen/open-invoices/"; http_uri; depth:55; isdataat:!1,relative; content:"northernpost.in"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105646/; classtype:trojan-activity;sid:80968746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lplb-pwlai_rsround-om/83053/surveyquestionsen_en/past-due-invoices/"; http_uri; depth:68; isdataat:!1,relative; content:"nhakhoavieta.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105645/; classtype:trojan-activity;sid:80968745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gvuu-u3_brgnf-ln/10753/surveyquestionsen/invoice-corrections-for-87/47/"; http_uri; depth:72; isdataat:!1,relative; content:"msobrasciviles.cl"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105644/; classtype:trojan-activity;sid:80968744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/klnnj-pe_nj-9i/comet/signs/payment/notification/01/18/2019/en_us/475-03-845602-783-475-03-845602-522/"; http_uri; depth:102; isdataat:!1,relative; content:"mail.buligbugto.org"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105643/; classtype:trojan-activity;sid:80968743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dmaaq-1xjxi_lxst-vx/en/service-report-1340/"; http_uri; depth:44; isdataat:!1,relative; content:"ktml.org"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105642/; classtype:trojan-activity;sid:80968742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jxbo-bzb_cqo-h0t/invoicecodechanges/en_us/question/"; http_uri; depth:52; isdataat:!1,relative; content:"johnnycrap.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105641/; classtype:trojan-activity;sid:80968741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ywxfz-nr0_vxhr-te/southwire/xub8632375051/us_us/outstanding-invoices/"; http_uri; depth:70; isdataat:!1,relative; content:"fidesconstantia.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105640/; classtype:trojan-activity;sid:80968740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pkvv-eae_bskiso-1xn/invoicecodechanges/us/past-due-invoices/"; http_uri; depth:61; isdataat:!1,relative; content:"creditorgroup.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105639/; classtype:trojan-activity;sid:80968739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qbdoi-cikb_lochwke-yq/inv/9791369forpo/9496030558/us/past-due-invoice/"; http_uri; depth:71; isdataat:!1,relative; content:"clinicainnovate.com.br"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105638/; classtype:trojan-activity;sid:80968738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mpaw-yl_gux-d2g/ach/paymentinfo/us_us/inv-81204-po-7d336498/"; http_uri; depth:61; isdataat:!1,relative; content:"clarisse-hervouet.fr"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105637/; classtype:trojan-activity;sid:80968737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ptczf-scq3f_w-jja/us/outstanding-invoices/"; http_uri; depth:43; isdataat:!1,relative; content:"butgoviet.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105636/; classtype:trojan-activity;sid:80968736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ixofr-ofpu_o-ome/inv/210081forpo/31065215734/en_us/outstanding-invoices/"; http_uri; depth:73; isdataat:!1,relative; content:"ayumi.ishiura.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105635/; classtype:trojan-activity;sid:80968735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kdflk-ucdj_iyawjc-dja/paymentstatus/en_us/inv-30408-po-9t735477/"; http_uri; depth:65; isdataat:!1,relative; content:"astra-empress.com.ve"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105634/; classtype:trojan-activity;sid:80968734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gsxf-o0_ldfhym-3m/invoice/89540320/en_us/overdue-payment/"; http_uri; depth:58; isdataat:!1,relative; content:"aryahospitalksh.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105633/; classtype:trojan-activity;sid:80968733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_transactions/01_19/"; http_uri; depth:28; isdataat:!1,relative; content:"robbedinbarcelona.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105632/; classtype:trojan-activity;sid:80968732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/535542098124865566/535567927596810240/n3tfl1x_reaper.exe"; http_uri; depth:69; isdataat:!1,relative; content:"cdn.discordapp.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105631/; classtype:trojan-activity;sid:80968731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/spoofer/loop.exe"; http_uri; depth:17; isdataat:!1,relative; content:"darkksource.x10.mx"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105630/; classtype:trojan-activity;sid:80968730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/spoofer/hdd.exe"; http_uri; depth:16; isdataat:!1,relative; content:"darkksource.x10.mx"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105629/; classtype:trojan-activity;sid:80968729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/spoofer/spoofer.exe"; http_uri; depth:20; isdataat:!1,relative; content:"darkksource.x10.mx"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105628/; classtype:trojan-activity;sid:80968728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv4l"; http_uri; depth:7; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105627/; classtype:trojan-activity;sid:80968727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105626/; classtype:trojan-activity;sid:80968726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105625/; classtype:trojan-activity;sid:80968725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105624/; classtype:trojan-activity;sid:80968724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105623/; classtype:trojan-activity;sid:80968723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105622/; classtype:trojan-activity;sid:80968722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105621/; classtype:trojan-activity;sid:80968721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105620/; classtype:trojan-activity;sid:80968720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105619/; classtype:trojan-activity;sid:80968719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105618/; classtype:trojan-activity;sid:80968718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105617/; classtype:trojan-activity;sid:80968717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"142.93.145.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105616/; classtype:trojan-activity;sid:80968716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/spoofer/delete.exe"; http_uri; depth:19; isdataat:!1,relative; content:"darkksource.x10.mx"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105615/; classtype:trojan-activity;sid:80968715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/spoofer/ip.exe"; http_uri; depth:15; isdataat:!1,relative; content:"darkksource.x10.mx"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105614/; classtype:trojan-activity;sid:80968714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/2019-01/"; http_uri; depth:22; isdataat:!1,relative; content:"leodruker.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105613/; classtype:trojan-activity;sid:80968713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/2019-01/"; http_uri; depth:17; isdataat:!1,relative; content:"lrprealestate.vi-bus.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105612/; classtype:trojan-activity;sid:80968712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/012019/"; http_uri; depth:21; isdataat:!1,relative; content:"tabouwadvies.nl"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105611/; classtype:trojan-activity;sid:80968711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pjjcudu8kn/"; http_uri; depth:12; isdataat:!1,relative; content:"www.reparaties-ipad.nl"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105610/; classtype:trojan-activity;sid:80968710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tvyt071w/"; http_uri; depth:10; isdataat:!1,relative; content:"mireikee.beget.tech"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105609/; classtype:trojan-activity;sid:80968709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ixbx0er/"; http_uri; depth:9; isdataat:!1,relative; content:"ulco.tv"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105608/; classtype:trojan-activity;sid:80968708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mvmgkkcly/"; http_uri; depth:11; isdataat:!1,relative; content:"lakewoods.net"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105607/; classtype:trojan-activity;sid:80968707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/alezfte/"; http_uri; depth:9; isdataat:!1,relative; content:"kids-education-support.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105606/; classtype:trojan-activity;sid:80968706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uyni_0f7r_6febhv4/"; http_uri; depth:19; isdataat:!1,relative; content:"jameshunt.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105605/; classtype:trojan-activity;sid:80968705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yllp_iccoee_xxf/"; http_uri; depth:17; isdataat:!1,relative; content:"deccanmarket.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105604/; classtype:trojan-activity;sid:80968704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/r0fhwv3_kerq_jnf/"; http_uri; depth:18; isdataat:!1,relative; content:"ballimspharmacy.co.za"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105603/; classtype:trojan-activity;sid:80968703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/0y8o_v1p0las/"; http_uri; depth:14; isdataat:!1,relative; content:"www.vendermicasaenbarcelona.com"; http_host; depth:31; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105602/; classtype:trojan-activity;sid:80968702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rzh5u_ftnlcm_reje59/"; http_uri; depth:21; isdataat:!1,relative; content:"horoscoposbrasil.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105601/; classtype:trojan-activity;sid:80968701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mnbnf-gv_mei-l6/invoicecodechanges/us/open-past-due-orders/"; http_uri; depth:60; isdataat:!1,relative; content:"aconiaformation.fr"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105600/; classtype:trojan-activity;sid:80968700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://ar.caginerhastanesi.com.tr/idvex-gt6_m-nf/comet/signs/payment/notification/01/18/2019/en_us/document-needed|26|c=e,1,w7tozd_ovjcy60eqocwpbxreed-sijhlr8ktlmg4l_touxdneakc1gjguta8oma3d2uhrtbsuvdx22yxsherskbsbuq4rds1y1fhtlngilfi5ytcag,,|26|typo=1/"; http_uri; depth:257; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105599/; classtype:trojan-activity;sid:80968699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lciz-cdaa_ntykml-u6/ach/paymentinfo/en/companies-invoice-22804841/"; http_uri; depth:67; isdataat:!1,relative; content:"xn--j1aclp1d.in.ua"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105598/; classtype:trojan-activity;sid:80968698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ibehu-5nl_kp-qhj/ach/paymentinfo/us/sales-invoice/"; http_uri; depth:51; isdataat:!1,relative; content:"www.nancycheng.nl"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105597/; classtype:trojan-activity;sid:80968697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ldcpo-zosg_u-pon/ach/paymentinfo/en/823-33-487455-436-823-33-487455-583/"; http_uri; depth:73; isdataat:!1,relative; content:"directsnel.nl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105596/; classtype:trojan-activity;sid:80968696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/blnt-jm_ze-6s8/inv/94637forpo/87108004660/en_en/invoice-11235207/"; http_uri; depth:66; isdataat:!1,relative; content:"gtp.usgtf.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105595/; classtype:trojan-activity;sid:80968695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hjpsb-qff_vwhyikyes-aln/inv/90912forpo/649150722404/en/important-please-read/"; http_uri; depth:78; isdataat:!1,relative; content:"3.dohodtut.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105594/; classtype:trojan-activity;sid:80968694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/url=http://www.scanliftmaskin.no/payb-jux36_anodsid-pqi/inv/82509032526/us_us/open-invoices|26|data=02|01|sid.turner@4tpe.com|7165dc024b574f66f5e208d67d529159|4e1664c3a8334f479037c634a1fd7c4a|0|0|636834190926125604|26|sdata=tg9rbegubarnv87srh2xahjbpvcvhczf7nq3umwz0ty=|26|reserved=0/"; http_uri; depth:284; isdataat:!1,relative; content:"na01.safelinks.protection.outlook.com"; http_host; depth:37; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105593/; classtype:trojan-activity;sid:80968693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/nmezpi6268550/rechnungskorrektur/rech/"; http_uri; depth:45; isdataat:!1,relative; content:"www.toddlerpops.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105592/; classtype:trojan-activity;sid:80968692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/csrrq-ln1_so-fdc/southwire/psv1376627014/us/paid-invoice-credit-card-receipt/"; http_uri; depth:78; isdataat:!1,relative; content:"aramanfood.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105591/; classtype:trojan-activity;sid:80968691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zlvkejwe/vlibz-0f_dvvldjusy-3da/ach/paymentinfo/us_us/invoice-for-n/n-01/18/2019/"; http_uri; depth:82; isdataat:!1,relative; content:"cardealersforbadcredit.net"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105590/; classtype:trojan-activity;sid:80968690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tetzo-llaio_dalan-mk/comet/signs/payment/notification/01/16/2019/en_en/invoice-number-00051/"; http_uri; depth:93; isdataat:!1,relative; content:"northernpost.in"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105589/; classtype:trojan-activity;sid:80968689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jipws-pqk_jdvz-irf/dl712/invoicing/en/outstanding-invoices/"; http_uri; depth:60; isdataat:!1,relative; content:"www.taizer.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105588/; classtype:trojan-activity;sid:80968688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders-details/2019-01/"; http_uri; depth:34; isdataat:!1,relative; content:"nghiataman.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105587/; classtype:trojan-activity;sid:80968687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/122018/"; http_uri; depth:19; isdataat:!1,relative; content:"fatmike.net"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105586/; classtype:trojan-activity;sid:80968686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/012019/"; http_uri; depth:26; isdataat:!1,relative; content:"k.iepedacitodecielo.edu.co"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105585/; classtype:trojan-activity;sid:80968685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_transactions/01_19/"; http_uri; depth:28; isdataat:!1,relative; content:"xn--80apaabfhzk7a5ck.xn--p1ai"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105584/; classtype:trojan-activity;sid:80968684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/payments/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"bem.hukum.ub.ac.id"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105583/; classtype:trojan-activity;sid:80968683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/012019/"; http_uri; depth:39; isdataat:!1,relative; content:"remont-okon.tomsk.ru"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105582/; classtype:trojan-activity;sid:80968682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/messages/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"www.irsoradio.nl"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105581/; classtype:trojan-activity;sid:80968681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"ybsedudy.cf"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105580/; classtype:trojan-activity;sid:80968680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"kromtour.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105579/; classtype:trojan-activity;sid:80968679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/includes/information/01_19/"; http_uri; depth:37; isdataat:!1,relative; content:"ykpsvczdy.cf"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105578/; classtype:trojan-activity;sid:80968678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/details/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"amerigau.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105577/; classtype:trojan-activity;sid:80968677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"dhgl.vn"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105576/; classtype:trojan-activity;sid:80968676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_messages/2019-01/"; http_uri; depth:26; isdataat:!1,relative; content:"pinimazor.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105575/; classtype:trojan-activity;sid:80968675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/blog/upload/amazon/orders_details/2019-01/"; http_uri; depth:43; isdataat:!1,relative; content:"askhenry.co.uk"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105574/; classtype:trojan-activity;sid:80968674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_transactions/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"www.dr-ahmedelhusseiny.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105573/; classtype:trojan-activity;sid:80968673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/attachments/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"demo.jrkcompany.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105572/; classtype:trojan-activity;sid:80968672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/01_19/"; http_uri; depth:26; isdataat:!1,relative; content:"anthinhland.onlinenhadat.net"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105571/; classtype:trojan-activity;sid:80968671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_transactions/2019-01/"; http_uri; depth:30; isdataat:!1,relative; content:"blueberryshop.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105570/; classtype:trojan-activity;sid:80968670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"89.144.174.153"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105569/; classtype:trojan-activity;sid:80968669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"46.130.127.210"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105568/; classtype:trojan-activity;sid:80968668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/transaction_details/012019/"; http_uri; depth:37; isdataat:!1,relative; content:"ylimody.cf"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105567/; classtype:trojan-activity;sid:80968667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"xn--80aealqgfg1azg.xn--p1ai"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105566/; classtype:trojan-activity;sid:80968666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/01_19/"; http_uri; depth:20; isdataat:!1,relative; content:"www.wholehealthcrew.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105565/; classtype:trojan-activity;sid:80968665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"viralvidespro.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105564/; classtype:trojan-activity;sid:80968664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/2019-01/"; http_uri; depth:17; isdataat:!1,relative; content:"universobolao.com.br"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105563/; classtype:trojan-activity;sid:80968663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_transactions/01_19/"; http_uri; depth:28; isdataat:!1,relative; content:"njeas.futminna.edu.ng"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105562/; classtype:trojan-activity;sid:80968662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_messages/012019/"; http_uri; depth:25; isdataat:!1,relative; content:"nigeriafasbmbcongress.futminna.edu.ng"; http_host; depth:37; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105561/; classtype:trojan-activity;sid:80968661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"etsj.futminna.edu.ng"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105560/; classtype:trojan-activity;sid:80968660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/ssj.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"laflamme-heli.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105559/; classtype:trojan-activity;sid:80968659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/n/tui/ciqinmishi/6/cqms.exe"; http_uri; depth:28; isdataat:!1,relative; content:"bundle.kpzip.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105558/; classtype:trojan-activity;sid:80968658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modgv-bcf_tfaky-kob/comet/signs/payment/notification/01/18/2019/us/invoice/"; http_uri; depth:76; isdataat:!1,relative; content:"zamena-schetchikov.novosibirsk.ru"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105557/; classtype:trojan-activity;sid:80968657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eoflp-usnc_dxbraldx-9x/qc85/invoicing/en/invoice-for-you/"; http_uri; depth:58; isdataat:!1,relative; content:"yxcsdy.cf"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105556/; classtype:trojan-activity;sid:80968656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dldwk-qmkxa_zkvbmnqxx-4z/comet/signs/payment/notification/01/18/2019/us_us/inv-272991-po-4o608402/"; http_uri; depth:99; isdataat:!1,relative; content:"yserechdy.cf"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105555/; classtype:trojan-activity;sid:80968655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kglp-2zo0_q-frg/invoice/41749/overpayment/us/overdue-payment/"; http_uri; depth:62; isdataat:!1,relative; content:"www.web.pa-cirebon.go.id"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105554/; classtype:trojan-activity;sid:80968654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/syaq-kbwsd_ze-irz/invoices/4353/55382/us_us/invoice-receipt/"; http_uri; depth:61; isdataat:!1,relative; content:"samet-celik.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105553/; classtype:trojan-activity;sid:80968653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jipb-dzix_xvbwnwnjg-kn/ext/paymentstatus/en/new-order/"; http_uri; depth:55; isdataat:!1,relative; content:"mandalafest.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105552/; classtype:trojan-activity;sid:80968652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/wayqm-zld_fxwsjkau-o7h/inv/47127forpo/44322944468/us/280-30-169584-494-280-30-169584-161/"; http_uri; depth:99; isdataat:!1,relative; content:"lstasshdy.cf"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105551/; classtype:trojan-activity;sid:80968651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bnwtv-qgbs_p-hh/invoice/us/inv-981974-po-2l436830/"; http_uri; depth:51; isdataat:!1,relative; content:"linkingphase.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105550/; classtype:trojan-activity;sid:80968650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bkzx-mcwz_qbr-mr/invoices/53832/6396/us/invoice-number-53760/"; http_uri; depth:62; isdataat:!1,relative; content:"fira.org.za"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105549/; classtype:trojan-activity;sid:80968649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gbpq-vq9q_nriu-ab/invoice/2786267/en_us/paid-invoice-credit-card-receipt/"; http_uri; depth:74; isdataat:!1,relative; content:"erolatak.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105548/; classtype:trojan-activity;sid:80968648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ljqup-adxy_umhckutc-pbm/invoice/175472286/us/inv-85999-po-9d432791/"; http_uri; depth:68; isdataat:!1,relative; content:"cbrrbdy.gq"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105547/; classtype:trojan-activity;sid:80968647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pplp-inl_hbhwhvi-ed/comet/signs/payment/notification/01/18/2019/en/open-past-due-orders/"; http_uri; depth:89; isdataat:!1,relative; content:"authenticrooftiles.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105546/; classtype:trojan-activity;sid:80968646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cqnc-rfli_zdfncujoo-cr/paymentstatus/en_en/overdue-payment/"; http_uri; depth:60; isdataat:!1,relative; content:"atashneda.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105545/; classtype:trojan-activity;sid:80968645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/idvex-gt6_m-nf/comet/signs/payment/notification/01/18/2019/en_us/document-needed/"; http_uri; depth:82; isdataat:!1,relative; content:"ar.caginerhastanesi.com.tr"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105544/; classtype:trojan-activity;sid:80968644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gacl/admin/templates_c/rlew-ec_npghkhclk-vc/invoice/en/paid-invoice-credit-card-receipt/"; http_uri; depth:89; isdataat:!1,relative; content:"64.69.83.43"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105543/; classtype:trojan-activity;sid:80968643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/sserv.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"laflamme-heli.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105542/; classtype:trojan-activity;sid:80968642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/id3/ssj.jpg"; http_uri; depth:24; isdataat:!1,relative; content:"laflamme-heli.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105541/; classtype:trojan-activity;sid:80968641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/blog/cache/sserv.jpg"; http_uri; depth:21; isdataat:!1,relative; content:"awbghana.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105540/; classtype:trojan-activity;sid:80968640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/podcast/sserv.jpg"; http_uri; depth:18; isdataat:!1,relative; content:"www.brainchildmultimediagroup.com"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105539/; classtype:trojan-activity;sid:80968639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sserv.jpg"; http_uri; depth:10; isdataat:!1,relative; content:"bambangindarto.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105538/; classtype:trojan-activity;sid:80968638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/sserv.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"aristodiyeti.com.tr"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105537/; classtype:trojan-activity;sid:80968637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.i686"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105536/; classtype:trojan-activity;sid:80968636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.spc"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105535/; classtype:trojan-activity;sid:80968635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/aazd-zyaem_kqtf-3c/paymentstatus/us/invoices-attached/"; http_uri; depth:55; isdataat:!1,relative; content:"ycykudy.cf"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105534/; classtype:trojan-activity;sid:80968634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/igptt-vms4_cygspezm-dco/invoices/17130/8920/en_us/outstanding-invoices/"; http_uri; depth:72; isdataat:!1,relative; content:"yaheedudy.cf"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105533/; classtype:trojan-activity;sid:80968633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ipius-0o_rq-vgp/ach/paymentadvice/en_us/invoice-corrections-for-81/84/"; http_uri; depth:71; isdataat:!1,relative; content:"xn--k1afw.net"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105532/; classtype:trojan-activity;sid:80968632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iixf-ov_kqv-nk/inv/00968forpo/134610688014/en_us/outstanding-invoices/"; http_uri; depth:71; isdataat:!1,relative; content:"www.wins-power.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105531/; classtype:trojan-activity;sid:80968631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zaqo-qb5_tjxk-pl/h96/invoicing/en_en/past-due-invoices/"; http_uri; depth:56; isdataat:!1,relative; content:"www.agentfox.io"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105530/; classtype:trojan-activity;sid:80968630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntygh-3u_n-wh/ref/302484694us_us/important-please-read/"; http_uri; depth:56; isdataat:!1,relative; content:"waggrouponline.org"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105529/; classtype:trojan-activity;sid:80968629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ypeg-tmw7x_jzwvioxrf-gb1/en_us/paid-invoice/"; http_uri; depth:45; isdataat:!1,relative; content:"sos-debouchage-dumeny.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105528/; classtype:trojan-activity;sid:80968628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ekgos-mz5_kfbzg-ylp/15643/surveyquestionsen_en/past-due-invoices/"; http_uri; depth:66; isdataat:!1,relative; content:"sofathugian.vn"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105527/; classtype:trojan-activity;sid:80968627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/daaz-ecdn_mgqfftak-pn5/628367/surveyquestionsus_us/7-past-due-invoices/"; http_uri; depth:72; isdataat:!1,relative; content:"milan-light.savel.ru"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105526/; classtype:trojan-activity;sid:80968626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tzjc-ocoxp_rppnyl-j0v/invoice/us/important-please-read/"; http_uri; depth:56; isdataat:!1,relative; content:"kosolve.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105525/; classtype:trojan-activity;sid:80968625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nksot-qwry_zro-wft/invoice/01535830/en_us/invoice-for-you/"; http_uri; depth:59; isdataat:!1,relative; content:"hopeswithin.org"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105524/; classtype:trojan-activity;sid:80968624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qxafy-or_pzw-lt/invoice/10270/overpayment/us_us/document-needed/"; http_uri; depth:65; isdataat:!1,relative; content:"drapart.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105523/; classtype:trojan-activity;sid:80968623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fgsg-cix8_te-iq/invoice/en_en/important-please-read/"; http_uri; depth:53; isdataat:!1,relative; content:"demo.gtcticket.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105522/; classtype:trojan-activity;sid:80968622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/vfdtd-kw_e-bx/invoice/584235869/us/past-due-invoices/"; http_uri; depth:65; isdataat:!1,relative; content:"constructiis3.ro"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105521/; classtype:trojan-activity;sid:80968621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eawg-lm_ewdvqz-jy/invoice/983945882/en_us/invoice-corrections-for-66/89/"; http_uri; depth:73; isdataat:!1,relative; content:"chzhfdy.gq"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105520/; classtype:trojan-activity;sid:80968620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"tritonwoodworkers.org.au"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105519/; classtype:trojan-activity;sid:80968619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/attachments/01_19/"; http_uri; depth:28; isdataat:!1,relative; content:"talktowendyssurvey.us"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105518/; classtype:trojan-activity;sid:80968618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"rdweb.ir"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105517/; classtype:trojan-activity;sid:80968617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/clients_messages/01_19/"; http_uri; depth:33; isdataat:!1,relative; content:"lvajnczdy.cf"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105516/; classtype:trojan-activity;sid:80968616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payment_details/2019-01/"; http_uri; depth:25; isdataat:!1,relative; content:"liarla.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105515/; classtype:trojan-activity;sid:80968615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/2019-01/"; http_uri; depth:17; isdataat:!1,relative; content:"kcespolska.pl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105514/; classtype:trojan-activity;sid:80968614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/clients_transactions/2019-01/"; http_uri; depth:39; isdataat:!1,relative; content:"en.tag.ir"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105513/; classtype:trojan-activity;sid:80968613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/2019-01/"; http_uri; depth:22; isdataat:!1,relative; content:"dev.umasterov.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105512/; classtype:trojan-activity;sid:80968612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/012019/"; http_uri; depth:16; isdataat:!1,relative; content:"aeco.ir"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105511/; classtype:trojan-activity;sid:80968611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ggaul-ymv_ggng-ueu/invoice/9151000/us/open-past-due-orders"; http_uri; depth:59; isdataat:!1,relative; content:"saigonthinhvuong.net"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105510/; classtype:trojan-activity;sid:80968610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zpli-tpe1_llyktf-vh2/8671042/surveyquestionsen_en/outstanding-invoices"; http_uri; depth:71; isdataat:!1,relative; content:"yvsguchdy.cf"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105509/; classtype:trojan-activity;sid:80968609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/multimedia/clients_transactions/012019/"; http_uri; depth:40; isdataat:!1,relative; content:"realdesignn.ir"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105508/; classtype:trojan-activity;sid:80968608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cob93.exe"; http_uri; depth:10; isdataat:!1,relative; content:"aysemanay.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105507/; classtype:trojan-activity;sid:80968607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/thsy-17pgb_guw-a7k/southwire/arv6270493081/us/need-to-send-the-attachment/"; http_uri; depth:75; isdataat:!1,relative; content:"zidanmeubel.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105506/; classtype:trojan-activity;sid:80968606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zpli-tpe1_llyktf-vh2/8671042/surveyquestionsen_en/outstanding-invoices/"; http_uri; depth:72; isdataat:!1,relative; content:"yvsguchdy.cf"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105505/; classtype:trojan-activity;sid:80968605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/riog-zpf_dnhsawkok-ck/southwire/iwu3192710832/en_us/overdue-payment/"; http_uri; depth:69; isdataat:!1,relative; content:"xn--80aaxiih2a7cxd.xn--p1ai"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105504/; classtype:trojan-activity;sid:80968604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payb-jux36_anodsid-pqi/inv/82509032526/us_us/open-invoices/"; http_uri; depth:60; isdataat:!1,relative; content:"www.scanliftmaskin.no"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105503/; classtype:trojan-activity;sid:80968603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ymbff-to3_tbskhq-ynx/invoices/6314/89725/en_en/invoice/"; http_uri; depth:56; isdataat:!1,relative; content:"www.lapontelloise.fr"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105502/; classtype:trojan-activity;sid:80968602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vnaw-exxh8_wmtupx-d87/comet/signs/payment/notification/01/18/2019/en/invoice/"; http_uri; depth:78; isdataat:!1,relative; content:"sevensites.es"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105501/; classtype:trojan-activity;sid:80968601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ggaul-ymv_ggng-ueu/invoice/9151000/us/open-past-due-orders/"; http_uri; depth:60; isdataat:!1,relative; content:"saigonthinhvuong.net"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105500/; classtype:trojan-activity;sid:80968600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xrolz-j3rrk_dpwzja-j6k/comet/signs/payment/notification/01/18/2019/en_us/ach-form/"; http_uri; depth:83; isdataat:!1,relative; content:"pskovhelp.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105499/; classtype:trojan-activity;sid:80968599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hrrim-jla_yggpeuhe-fv/ach/paymentadvice/en/scan/"; http_uri; depth:49; isdataat:!1,relative; content:"noviatour.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105498/; classtype:trojan-activity;sid:80968598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xeogq-sngv_icr-ag/737263/surveyquestionsen/open-past-due-orders/"; http_uri; depth:65; isdataat:!1,relative; content:"mycv.fsm.undip.ac.id"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105497/; classtype:trojan-activity;sid:80968597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dyvja-hup_p-d4/ref/606083569us_us/document-needed/"; http_uri; depth:51; isdataat:!1,relative; content:"modern-autoparts.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105496/; classtype:trojan-activity;sid:80968596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dqwob-cpnl_nx-co/ref/7814649944en/service-report-00469/"; http_uri; depth:56; isdataat:!1,relative; content:"mahsew.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105495/; classtype:trojan-activity;sid:80968595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uuyze-xr51_dvnziwtp-tvs/ext/paymentstatus/us_us/7-past-due-invoices/"; http_uri; depth:69; isdataat:!1,relative; content:"leonardokubrick.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105494/; classtype:trojan-activity;sid:80968594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ponsx-py_yxmhjee-wq8/invoice/581627564/us_us/invoice-for-you/"; http_uri; depth:62; isdataat:!1,relative; content:"legalisir.fib.uns.ac.id"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105493/; classtype:trojan-activity;sid:80968593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rhgkf-vb_wj-g2/paymentstatus/us_us/service-report-2543/"; http_uri; depth:56; isdataat:!1,relative; content:"eirak.co"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105492/; classtype:trojan-activity;sid:80968592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/brpv-oa_udqlw-r4/invoice/8076808/us/3-past-due-invoices/"; http_uri; depth:57; isdataat:!1,relative; content:"doctor.fpik.ub.ac.id"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105491/; classtype:trojan-activity;sid:80968591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/phxgc-hc_pqxbqefa-dd7/southwire/dfl3817991485/en/past-due-invoices/"; http_uri; depth:68; isdataat:!1,relative; content:"btcmining.fund"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105490/; classtype:trojan-activity;sid:80968590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xmxt-4z_mhisixupv-7oi/invoicecodechanges/en_us/4-past-due-invoices/"; http_uri; depth:68; isdataat:!1,relative; content:"arcencieltour.ma"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105489/; classtype:trojan-activity;sid:80968589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/122018/"; http_uri; depth:18; isdataat:!1,relative; content:"www.suahoradeaprender.com.br"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105488/; classtype:trojan-activity;sid:80968588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"www.oculista.com.br"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105487/; classtype:trojan-activity;sid:80968587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/122018/"; http_uri; depth:18; isdataat:!1,relative; content:"qwatmos.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105486/; classtype:trojan-activity;sid:80968586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/includes/information/01_19/"; http_uri; depth:37; isdataat:!1,relative; content:"ykpsvczdy.cf"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105485/; classtype:trojan-activity;sid:80968585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/u3l2amznme"; http_uri; depth:11; isdataat:!1,relative; content:"www.estab.org.tr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105484/; classtype:trojan-activity;sid:80968584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ckqat-ci5_emd-r8/en/invoice/"; http_uri; depth:29; isdataat:!1,relative; content:"loadtest.com.br"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105483/; classtype:trojan-activity;sid:80968583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/quqzf-puy5_ooqmyfn-m17/invoices/9917/2063/en_en/overdue-payment/"; http_uri; depth:65; isdataat:!1,relative; content:"lineupsports.me"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105482/; classtype:trojan-activity;sid:80968582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ckqat-ci5_emd-r8/en/invoice"; http_uri; depth:28; isdataat:!1,relative; content:"loadtest.com.br"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105481/; classtype:trojan-activity;sid:80968581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payment_details/01_19/"; http_uri; depth:23; isdataat:!1,relative; content:"justexam.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105480/; classtype:trojan-activity;sid:80968580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lowsk-di_nm-acu/southwire/swv2406069411/en_en/outstanding-invoices/"; http_uri; depth:68; isdataat:!1,relative; content:"lokanou.webinview.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105479/; classtype:trojan-activity;sid:80968579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ejeyv-hi_ijkufgv-rs/comet/signs/payment/notification/01/18/2019/us/ach-form/"; http_uri; depth:77; isdataat:!1,relative; content:"ytteedy.cf"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105478/; classtype:trojan-activity;sid:80968578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bklw-vzss_sgxbqut-bl/ach/paymentadvice/us_us/past-due-invoices/"; http_uri; depth:64; isdataat:!1,relative; content:"driveformiles.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105477/; classtype:trojan-activity;sid:80968577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"como-consulting.be"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105476/; classtype:trojan-activity;sid:80968576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/messages/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"cnjlxdy.gq"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105475/; classtype:trojan-activity;sid:80968575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fakep/netpanzfp.zip"; http_uri; depth:20; isdataat:!1,relative; content:"aluigi.org"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105474/; classtype:trojan-activity;sid:80968574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/poc/kailleraex.zip"; http_uri; depth:19; isdataat:!1,relative; content:"aluigi.org"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105473/; classtype:trojan-activity;sid:80968573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"poly.rise-up.nsk.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105472/; classtype:trojan-activity;sid:80968572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/2019-01/"; http_uri; depth:21; isdataat:!1,relative; content:"diffenfabrics.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105471/; classtype:trojan-activity;sid:80968571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/thestory/css/ssj.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"toutenvecteur.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105470/; classtype:trojan-activity;sid:80968570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jhn/tony.exe"; http_uri; depth:13; isdataat:!1,relative; content:"23.249.161.100"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105469/; classtype:trojan-activity;sid:80968569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jhn/vbc.exe"; http_uri; depth:12; isdataat:!1,relative; content:"23.249.161.100"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105468/; classtype:trojan-activity;sid:80968568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/2019-01/"; http_uri; depth:17; isdataat:!1,relative; content:"www.sos-secretariat.be"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105467/; classtype:trojan-activity;sid:80968567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"thegablesofyorkcounty.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105466/; classtype:trojan-activity;sid:80968566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/2019-01/"; http_uri; depth:21; isdataat:!1,relative; content:"morozan.it"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105465/; classtype:trojan-activity;sid:80968565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fugpc1p/documents/01_19/"; http_uri; depth:25; isdataat:!1,relative; content:"www.muzikgunlugu.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105464/; classtype:trojan-activity;sid:80968564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"web.muasam360.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105463/; classtype:trojan-activity;sid:80968563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86_64"; http_uri; depth:7; isdataat:!1,relative; content:"80.211.35.63"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105461/; classtype:trojan-activity;sid:80968561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arm7"; http_uri; depth:5; isdataat:!1,relative; content:"80.211.35.63"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105459/; classtype:trojan-activity;sid:80968559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86_32"; http_uri; depth:7; isdataat:!1,relative; content:"80.211.35.63"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105460/; classtype:trojan-activity;sid:80968560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arm"; http_uri; depth:4; isdataat:!1,relative; content:"80.211.35.63"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105458/; classtype:trojan-activity;sid:80968558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"80.211.35.63"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105457/; classtype:trojan-activity;sid:80968557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"80.211.35.63"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105456/; classtype:trojan-activity;sid:80968556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ipp/gen/gen/gen/phone.exe"; http_uri; depth:26; isdataat:!1,relative; content:"ip.skyzone.mn"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105455/; classtype:trojan-activity;sid:80968555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ipp/gen/gen/gen/gen/gen/phone.exe"; http_uri; depth:34; isdataat:!1,relative; content:"ip.skyzone.mn"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105454/; classtype:trojan-activity;sid:80968554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tegqi-3tid_opmegt-fh/invoicecodechanges/us/invoice-receipt/"; http_uri; depth:60; isdataat:!1,relative; content:"wawan.klikini.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105453/; classtype:trojan-activity;sid:80968553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/buex-jfb_vmfriu-xe/invoice/90736/overpayment/en_en/paid-invoice-credit-card-receipt/"; http_uri; depth:85; isdataat:!1,relative; content:"mspn.com.au"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105452/; classtype:trojan-activity;sid:80968552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/celhs-upjh_uarojm-hy/ach/paymentadvice/us_us/scan/"; http_uri; depth:51; isdataat:!1,relative; content:"mstudija.lt"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105451/; classtype:trojan-activity;sid:80968551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dlmp-xu_olaiwmvn-li/invoice/63494/overpayment/us_us/invoice-corrections-for-22/75/"; http_uri; depth:83; isdataat:!1,relative; content:"www.apresearch.in"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105450/; classtype:trojan-activity;sid:80968550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments/012019/"; http_uri; depth:27; isdataat:!1,relative; content:"edmthing.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105449/; classtype:trojan-activity;sid:80968549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/amazon/payments/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"runtah.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105448/; classtype:trojan-activity;sid:80968548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"belnagroup.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105447/; classtype:trojan-activity;sid:80968547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/2019-01/"; http_uri; depth:33; isdataat:!1,relative; content:"symbisystems.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105446/; classtype:trojan-activity;sid:80968546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/2019-01/"; http_uri; depth:33; isdataat:!1,relative; content:"ojoquesecasan.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105445/; classtype:trojan-activity;sid:80968545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/2019-01/"; http_uri; depth:33; isdataat:!1,relative; content:"www.modern-autoparts.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105444/; classtype:trojan-activity;sid:80968544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transaction_details/012019/"; http_uri; depth:38; isdataat:!1,relative; content:"solovoyager.me"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105443/; classtype:trojan-activity;sid:80968543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_transactions/01_19/"; http_uri; depth:38; isdataat:!1,relative; content:"jaspinformatica.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105442/; classtype:trojan-activity;sid:80968542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/01_19/"; http_uri; depth:25; isdataat:!1,relative; content:"www.belovedmotherof13.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105441/; classtype:trojan-activity;sid:80968541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/201812/"; http_uri; depth:19; isdataat:!1,relative; content:"alfemimoda.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105440/; classtype:trojan-activity;sid:80968540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/122018/"; http_uri; depth:18; isdataat:!1,relative; content:"hjsanders.nl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105439/; classtype:trojan-activity;sid:80968539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/2018/"; http_uri; depth:18; isdataat:!1,relative; content:"hostelegant.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105438/; classtype:trojan-activity;sid:80968538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/dez2018/"; http_uri; depth:21; isdataat:!1,relative; content:"lagbag.it"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105437/; classtype:trojan-activity;sid:80968537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/dez2018/"; http_uri; depth:19; isdataat:!1,relative; content:"mayphatrasua.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105436/; classtype:trojan-activity;sid:80968536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/2018/"; http_uri; depth:17; isdataat:!1,relative; content:"mywebnerd.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105435/; classtype:trojan-activity;sid:80968535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/beez_20/transaktion/201812/"; http_uri; depth:38; isdataat:!1,relative; content:"newcanadianmedia.ca"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105434/; classtype:trojan-activity;sid:80968534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/122018/"; http_uri; depth:17; isdataat:!1,relative; content:"thomasmoreguildedmonton.ca"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105433/; classtype:trojan-activity;sid:80968533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/dez2018/"; http_uri; depth:20; isdataat:!1,relative; content:"regenerationcongo.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105432/; classtype:trojan-activity;sid:80968532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/dez2018/"; http_uri; depth:21; isdataat:!1,relative; content:"stoutarc.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105431/; classtype:trojan-activity;sid:80968531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/stories/virtuemart/product/resized/thumb_01/sserv.jpg"; http_uri; depth:61; isdataat:!1,relative; content:"xn--80abhfbusccenm1pyb.xn--p1ai"; http_host; depth:31; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105430/; classtype:trojan-activity;sid:80968530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/images/sserv.jpg"; http_uri; depth:24; isdataat:!1,relative; content:"xn--80abhfbusccenm1pyb.xn--p1ai"; http_host; depth:31; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105429/; classtype:trojan-activity;sid:80968529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"88.249.115.118"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105428/; classtype:trojan-activity;sid:80968528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"220.89.79.46"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105427/; classtype:trojan-activity;sid:80968527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"201.43.15.50"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105426/; classtype:trojan-activity;sid:80968526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"125.254.53.45"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105425/; classtype:trojan-activity;sid:80968525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2.exe"; http_uri; depth:6; isdataat:!1,relative; content:"193.151.91.163"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105423/; classtype:trojan-activity;sid:80968523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k6jacgs_ukfd_apnei38i6/"; http_uri; depth:24; isdataat:!1,relative; content:"trend-studio.art"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105422/; classtype:trojan-activity;sid:80968522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1mxejc9_kssq7b/"; http_uri; depth:16; isdataat:!1,relative; content:"tasmatbaa.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105421/; classtype:trojan-activity;sid:80968521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/jf0bdeb_lnqt6dkq/"; http_uri; depth:27; isdataat:!1,relative; content:"hartarizkigraha.co.id"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105420/; classtype:trojan-activity;sid:80968520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/86rzn_wmf7ryq7f/"; http_uri; depth:17; isdataat:!1,relative; content:"nt-group.kz"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105419/; classtype:trojan-activity;sid:80968519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/22d_zgrv5ay_avvrf/"; http_uri; depth:19; isdataat:!1,relative; content:"mimiabner.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105418/; classtype:trojan-activity;sid:80968518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/css/colors/blue/ssj.jpg"; http_uri; depth:33; isdataat:!1,relative; content:"jineplast.com.tr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105417/; classtype:trojan-activity;sid:80968517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/ssj.jp"; http_uri; depth:34; isdataat:!1,relative; content:"discounted-deal.website"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105416/; classtype:trojan-activity;sid:80968516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/images/ssj.jpg"; http_uri; depth:22; isdataat:!1,relative; content:"xn--80abhfbusccenm1pyb.xn--p1ai"; http_host; depth:31; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105415/; classtype:trojan-activity;sid:80968515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"denleddplighting.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105414/; classtype:trojan-activity;sid:80968514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/teo.jpg"; http_uri; depth:8; isdataat:!1,relative; content:"jineplast.com.tr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105413/; classtype:trojan-activity;sid:80968513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/s/e22j0gnwn63paa9/fattura-n.105-del-14-11-2018.zipdl=1"; http_uri; depth:55; isdataat:!1,relative; content:"www.dropbox.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105412/; classtype:trojan-activity;sid:80968512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/putty.exe"; http_uri; depth:10; isdataat:!1,relative; content:"bats.pw"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105411/; classtype:trojan-activity;sid:80968511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/atelier/css/font/sserv.jpg"; http_uri; depth:45; isdataat:!1,relative; content:"thenatureszest.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105410/; classtype:trojan-activity;sid:80968510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/sserv.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"cienmariposas.com.mx"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105409/; classtype:trojan-activity;sid:80968509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/atelier/css/font/ssj.jpg"; http_uri; depth:43; isdataat:!1,relative; content:"thenatureszest.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105408/; classtype:trojan-activity;sid:80968508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hkhe3fktc/"; http_uri; depth:11; isdataat:!1,relative; content:"atkcgnew.evgeni7e.beget.tech"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105407/; classtype:trojan-activity;sid:80968507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yzc2cjzano/"; http_uri; depth:12; isdataat:!1,relative; content:"kiot.coop"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105406/; classtype:trojan-activity;sid:80968506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rg1n590/"; http_uri; depth:9; isdataat:!1,relative; content:"innio.biz"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105405/; classtype:trojan-activity;sid:80968505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gwitwafu/"; http_uri; depth:10; isdataat:!1,relative; content:"stats.emalaya.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105404/; classtype:trojan-activity;sid:80968504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/huyu36qneq/"; http_uri; depth:12; isdataat:!1,relative; content:"greenplastic.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105403/; classtype:trojan-activity;sid:80968503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/dez2018/"; http_uri; depth:18; isdataat:!1,relative; content:"newwayit.vn"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105402/; classtype:trojan-activity;sid:80968502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/dez2018/"; http_uri; depth:21; isdataat:!1,relative; content:"district.vi-bus.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105401/; classtype:trojan-activity;sid:80968501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/rechnungen/dez2018/"; http_uri; depth:31; isdataat:!1,relative; content:"komsima.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105400/; classtype:trojan-activity;sid:80968500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/temp/mmanwu.exe"; http_uri; depth:16; isdataat:!1,relative; content:"flipagrom.ga"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105399/; classtype:trojan-activity;sid:80968499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/meta/ssj.jpg"; http_uri; depth:13; isdataat:!1,relative; content:"doithuong.info"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105398/; classtype:trojan-activity;sid:80968498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ssj.jpg"; http_uri; depth:8; isdataat:!1,relative; content:"ecochinc.xsrv.jp"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105397/; classtype:trojan-activity;sid:80968497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/atelier/template-parts/header/ssj.jpg"; http_uri; depth:56; isdataat:!1,relative; content:"thenatureszest.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105396/; classtype:trojan-activity;sid:80968496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/css/ssj.jpg"; http_uri; depth:12; isdataat:!1,relative; content:"lacava.com.ar"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105395/; classtype:trojan-activity;sid:80968495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/cache/et/2/ssj.jpg"; http_uri; depth:30; isdataat:!1,relative; content:"order.ttentionenergy.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105394/; classtype:trojan-activity;sid:80968494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/publisher/css/ssj.jpg"; http_uri; depth:40; isdataat:!1,relative; content:"balajisewasamiti.org"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105393/; classtype:trojan-activity;sid:80968493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/css/colors/blue/ssj.jpg"; http_uri; depth:33; isdataat:!1,relative; content:"cienmariposas.com.mx"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105392/; classtype:trojan-activity;sid:80968492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/ai1wm-backups/ssj.jpg"; http_uri; depth:33; isdataat:!1,relative; content:"skolastudium.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105391/; classtype:trojan-activity;sid:80968491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/forum/cache/hdd_recovery_tool.exe"; http_uri; depth:34; isdataat:!1,relative; content:"www.poignee2cigares.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105390/; classtype:trojan-activity;sid:80968490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/oceanwp/assets/css/edd/ssj.jpg"; http_uri; depth:49; isdataat:!1,relative; content:"ganapatihelp.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105389/; classtype:trojan-activity;sid:80968489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uri/grandsteal.client.app.exe"; http_uri; depth:30; isdataat:!1,relative; content:"ton-info.wiki"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105388/; classtype:trojan-activity;sid:80968488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payload.exe"; http_uri; depth:12; isdataat:!1,relative; content:"kristinka5.life"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105387/; classtype:trojan-activity;sid:80968487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/6fsgxhxskj.exe"; http_uri; depth:15; isdataat:!1,relative; content:"d1exe.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105386/; classtype:trojan-activity;sid:80968486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kkfcrw85hm.exe"; http_uri; depth:15; isdataat:!1,relative; content:"d1exe.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105385/; classtype:trojan-activity;sid:80968485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files/feknoe.jpg"; http_uri; depth:17; isdataat:!1,relative; content:"idontknow.moe"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105384/; classtype:trojan-activity;sid:80968484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3dcc08izhv.exe"; http_uri; depth:15; isdataat:!1,relative; content:"d1exe.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105383/; classtype:trojan-activity;sid:80968483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/components/rechnungs/201812/"; http_uri; depth:29; isdataat:!1,relative; content:"sosh47.citycheb.ru"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105382/; classtype:trojan-activity;sid:80968482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/201812/"; http_uri; depth:19; isdataat:!1,relative; content:"web.pa-cirebon.go.id"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105381/; classtype:trojan-activity;sid:80968481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/2018/"; http_uri; depth:15; isdataat:!1,relative; content:"www.xn--d1albnc.xn--p1ai"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105380/; classtype:trojan-activity;sid:80968480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/2018/"; http_uri; depth:16; isdataat:!1,relative; content:"pramlee.com.my"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105379/; classtype:trojan-activity;sid:80968479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/2018/"; http_uri; depth:16; isdataat:!1,relative; content:"take12.nl"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105378/; classtype:trojan-activity;sid:80968478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/122018/"; http_uri; depth:17; isdataat:!1,relative; content:"suplemar.o11.pl"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105377/; classtype:trojan-activity;sid:80968477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/2018/"; http_uri; depth:16; isdataat:!1,relative; content:"shlifovka.by"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105376/; classtype:trojan-activity;sid:80968476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/2018/"; http_uri; depth:16; isdataat:!1,relative; content:"therxreview.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105375/; classtype:trojan-activity;sid:80968475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/2018/"; http_uri; depth:16; isdataat:!1,relative; content:"jongerenpit.nl"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105374/; classtype:trojan-activity;sid:80968474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/2018/"; http_uri; depth:18; isdataat:!1,relative; content:"otohondavungtau.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105373/; classtype:trojan-activity;sid:80968473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/teo.jpg"; http_uri; depth:8; isdataat:!1,relative; content:"ganapatihelp.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105372/; classtype:trojan-activity;sid:80968472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc732.zip"; http_uri; depth:11; isdataat:!1,relative; content:"www.jamdanicollection.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105371/; classtype:trojan-activity;sid:80968471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"73.159.230.89"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105370/; classtype:trojan-activity;sid:80968470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/sserv.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"bsmarin.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105369/; classtype:trojan-activity;sid:80968469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/id3/sserv.jpg"; http_uri; depth:26; isdataat:!1,relative; content:"bsmarin.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105368/; classtype:trojan-activity;sid:80968468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/sserv.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"farukyilmaz.com.tr"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105367/; classtype:trojan-activity;sid:80968467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/zinf.jpg"; http_uri; depth:38; isdataat:!1,relative; content:"farukyilmaz.com.tr"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105366/; classtype:trojan-activity;sid:80968466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/sserv.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"digimacmobiles.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105365/; classtype:trojan-activity;sid:80968465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/css/colors/blue/ssj.jpg"; http_uri; depth:33; isdataat:!1,relative; content:"bsmarin.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105364/; classtype:trojan-activity;sid:80968464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/id3/ssj.jpg"; http_uri; depth:24; isdataat:!1,relative; content:"farukyilmaz.com.tr"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105363/; classtype:trojan-activity;sid:80968463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/id3/ssj.jpg"; http_uri; depth:24; isdataat:!1,relative; content:"digimacmobiles.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105362/; classtype:trojan-activity;sid:80968462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/the-seo/css/ssj.jpg"; http_uri; depth:38; isdataat:!1,relative; content:"markpreneur.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105361/; classtype:trojan-activity;sid:80968461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/airi/widgets/ssj.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"gemco-geo.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105360/; classtype:trojan-activity;sid:80968460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/css/colors/blue/ssj.jpg"; http_uri; depth:33; isdataat:!1,relative; content:"allaroundwm.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105359/; classtype:trojan-activity;sid:80968459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_messages/01_19"; http_uri; depth:33; isdataat:!1,relative; content:"rnexpress.ir"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105358/; classtype:trojan-activity;sid:80968458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/012019"; http_uri; depth:38; isdataat:!1,relative; content:"dplogistics.com.pl"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105357/; classtype:trojan-activity;sid:80968457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/uttvbtorfth7mo06i8i0ltg9846dp1e6/1547798400000/11292720886455874376/*/11_dfdgdfb87740eqpd3pohyvdlb8ihwae=download"; http_uri; depth:161; isdataat:!1,relative; content:"doc-04-bo-docs.googleusercontent.com"; http_host; depth:36; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105356/; classtype:trojan-activity;sid:80968456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/available/feedback.eml"; http_uri; depth:23; isdataat:!1,relative; content:"tradingamulets.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105355/; classtype:trojan-activity;sid:80968455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ucexport=download|26|confirm=no_antivirus|26|id=11_dfdgdfb87740eqpd3pohyvdlb8ihwa"; http_uri; depth:82; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105354/; classtype:trojan-activity;sid:80968454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hand3.exe"; http_uri; depth:10; isdataat:!1,relative; content:"gulivero.club"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105353/; classtype:trojan-activity;sid:80968453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/hwyr6hm.jpg/download"; http_uri; depth:28; isdataat:!1,relative; content:"pasteboard.co"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105352/; classtype:trojan-activity;sid:80968452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hidaihfa"; http_uri; depth:9; isdataat:!1,relative; content:"www.boomertravelers.net"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105351/; classtype:trojan-activity;sid:80968451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/bins/turbo.arm7"; http_uri; depth:21; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105350/; classtype:trojan-activity;sid:80968450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/bins/turbo.arm5"; http_uri; depth:21; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105349/; classtype:trojan-activity;sid:80968449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/bins/turbo.sh4"; http_uri; depth:20; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105348/; classtype:trojan-activity;sid:80968448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/bins/turbo.m68k"; http_uri; depth:21; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105347/; classtype:trojan-activity;sid:80968447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/bins/turbo.ppc"; http_uri; depth:20; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105346/; classtype:trojan-activity;sid:80968446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/bins/turbo.arm6"; http_uri; depth:21; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105345/; classtype:trojan-activity;sid:80968445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/bins/turbo.arm"; http_uri; depth:20; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105344/; classtype:trojan-activity;sid:80968444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/bins/turbo.mips"; http_uri; depth:21; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105343/; classtype:trojan-activity;sid:80968443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/:u:/g/personal/robertw_romeosretail_com_au/equa73efxbhigojdjnvconkbkhkbwy0dbflsud-4vndhhwe=ggvhye|26|download=1"; http_uri; depth:112; isdataat:!1,relative; content:"romeosretail-my.sharepoint.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105341/; classtype:trojan-activity;sid:80968441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.m68k"; http_uri; depth:16; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105340/; classtype:trojan-activity;sid:80968440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/all-business/tribe-events/day/sserv.jpg"; http_uri; depth:58; isdataat:!1,relative; content:"sidebartv.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105339/; classtype:trojan-activity;sid:80968439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.ppc"; http_uri; depth:15; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105338/; classtype:trojan-activity;sid:80968438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/all-business/js/sserv.jpg"; http_uri; depth:44; isdataat:!1,relative; content:"sidebartv.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105337/; classtype:trojan-activity;sid:80968437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.sh4"; http_uri; depth:15; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105336/; classtype:trojan-activity;sid:80968436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/shop/2.exe"; http_uri; depth:11; isdataat:!1,relative; content:"wind0wsactivator.host"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105335/; classtype:trojan-activity;sid:80968435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/shop/3.exe"; http_uri; depth:11; isdataat:!1,relative; content:"wind0wsactivator.host"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105334/; classtype:trojan-activity;sid:80968434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/shop/1.exe"; http_uri; depth:11; isdataat:!1,relative; content:"wind0wsactivator.host"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105333/; classtype:trojan-activity;sid:80968433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kelesu/english/zeya.exe"; http_uri; depth:24; isdataat:!1,relative; content:"kitroomstore.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105332/; classtype:trojan-activity;sid:80968432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/bins/turbo.x86"; http_uri; depth:20; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105331/; classtype:trojan-activity;sid:80968431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ksmk1701/ksmk1701.exe"; http_uri; depth:22; isdataat:!1,relative; content:"www.fribola.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105330/; classtype:trojan-activity;sid:80968430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qvzhhxf/"; http_uri; depth:9; isdataat:!1,relative; content:"antidisciplinary.org"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105329/; classtype:trojan-activity;sid:80968429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zzo90kh/"; http_uri; depth:9; isdataat:!1,relative; content:"uttechsystem.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105328/; classtype:trojan-activity;sid:80968428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xtv5cglcz2/"; http_uri; depth:12; isdataat:!1,relative; content:"livingdivineprinciple.org"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105327/; classtype:trojan-activity;sid:80968427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/c1cpwolkhv/"; http_uri; depth:12; isdataat:!1,relative; content:"demos.technoexam.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105326/; classtype:trojan-activity;sid:80968426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zhpzmfoo/"; http_uri; depth:10; isdataat:!1,relative; content:"bouresmau-gsf.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105325/; classtype:trojan-activity;sid:80968425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vtzd_4jlxhb6av/"; http_uri; depth:16; isdataat:!1,relative; content:"kcpaving.co.za"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105324/; classtype:trojan-activity;sid:80968424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tmp/3jbxn3_nmitwlk37_trb2wuq/"; http_uri; depth:30; isdataat:!1,relative; content:"www.giancarlopuppo.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105323/; classtype:trojan-activity;sid:80968423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mp7mhva_1xvx_6tostw7/"; http_uri; depth:22; isdataat:!1,relative; content:"www.immo-en-israel.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105322/; classtype:trojan-activity;sid:80968422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cna7kt_htiad2lqt_rxdh9b/"; http_uri; depth:25; isdataat:!1,relative; content:"dowseservices.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105321/; classtype:trojan-activity;sid:80968421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wypscyue_89f0ov/"; http_uri; depth:17; isdataat:!1,relative; content:"easyaccesshs.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105320/; classtype:trojan-activity;sid:80968420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/q.png"; http_uri; depth:13; isdataat:!1,relative; content:"aoiap.org"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105319/; classtype:trojan-activity;sid:80968419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp/wp-admin/css/colors/blue/ssj.jpg"; http_uri; depth:36; isdataat:!1,relative; content:"everyonesmile.net"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105318/; classtype:trojan-activity;sid:80968418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/all-business/css/fonts/ssj.jpg"; http_uri; depth:49; isdataat:!1,relative; content:"sidebartv.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105317/; classtype:trojan-activity;sid:80968417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.x86_64"; http_uri; depth:18; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105316/; classtype:trojan-activity;sid:80968416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.x86"; http_uri; depth:15; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105315/; classtype:trojan-activity;sid:80968415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.mpsl"; http_uri; depth:16; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105314/; classtype:trojan-activity;sid:80968414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.mips"; http_uri; depth:16; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105313/; classtype:trojan-activity;sid:80968413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.arm7"; http_uri; depth:16; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105312/; classtype:trojan-activity;sid:80968412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.arm6"; http_uri; depth:16; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105311/; classtype:trojan-activity;sid:80968411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.arm5"; http_uri; depth:16; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105310/; classtype:trojan-activity;sid:80968410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/turbo.arm"; http_uri; depth:15; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105309/; classtype:trojan-activity;sid:80968409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/destinartravel/framework/reduxcore/assets/css/vendor/elusive-icons/fonts/ssj.jpg"; http_uri; depth:99; isdataat:!1,relative; content:"www.destinarotravels.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105308/; classtype:trojan-activity;sid:80968408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/blueproxy_new/assets/css/ssj.jpg"; http_uri; depth:51; isdataat:!1,relative; content:"proxy-ipv4.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105307/; classtype:trojan-activity;sid:80968407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ssj.jpg"; http_uri; depth:8; isdataat:!1,relative; content:"agence.nucleus.odns.fr"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105306/; classtype:trojan-activity;sid:80968406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"1friend.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105305/; classtype:trojan-activity;sid:80968405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/hlzwyp1604214/de/rechnung/"; http_uri; depth:33; isdataat:!1,relative; content:"pojbez31.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105304/; classtype:trojan-activity;sid:80968404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wpugcxuucd7672455/rechnungs/rechnungsanschrift/"; http_uri; depth:48; isdataat:!1,relative; content:"survey.iniqua.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105303/; classtype:trojan-activity;sid:80968403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lvualln2568843/rechnungs-details/hilfestellung/"; http_uri; depth:48; isdataat:!1,relative; content:"nanesenie-tatu.granat.nsk.ru"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105302/; classtype:trojan-activity;sid:80968402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/bdpsqmpph8176923/bestellungen/details/"; http_uri; depth:45; isdataat:!1,relative; content:"goodtogreat.co.th"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105301/; classtype:trojan-activity;sid:80968401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/toju-ax_pooa-pkz/invoice/02033/overpayment/en_us/need-to-send-the-attachment/"; http_uri; depth:78; isdataat:!1,relative; content:"drolhovaya.at"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105300/; classtype:trojan-activity;sid:80968400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yeansn"; http_uri; depth:7; isdataat:!1,relative; content:"46.17.46.22"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105299/; classtype:trojan-activity;sid:80968399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://stats.emalaya.org/kdpfp-vyc_vbaktoyl-2e/476308/surveyquestionsus_us/open-invoices|26|c=e15f_ccc6r4gyydm7atvzqhteb_u9bqdg6rsga_mctmlzok8eytd21zwbl2spufv67vcvgc_1ptihzly0n4t9v9j8ifxdyhtzg6f6a7fv-i4e7qyi7fgi|26|typo=1/"; http_uri; depth:228; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105298/; classtype:trojan-activity;sid:80968398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://institutodrucker.edu.mx/howj-jg55_uc-aq/4072397/surveyquestionsen_en/paid-invoices|26|c=e1kftq-jl8wk9k5ppvmoxampug0skxjr8ejumzwpe6sl_nigdzymeh5ip1zuz-6ryurtwb9ye9eqcnj3fuc0mh-aajmmmy7nfpq5fqw57y_vcvhda_ymanj3-p|26|typo=1/"; http_uri; depth:234; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105297/; classtype:trojan-activity;sid:80968397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pveh-qdvr_gmdw-g8/southwire/gso70016397/us/sales-invoice/"; http_uri; depth:58; isdataat:!1,relative; content:"www.sp11dzm.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105296/; classtype:trojan-activity;sid:80968396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/txwgz-ruqsg_oqliglzfj-ky/comet/signs/payment/notification/01/16/2019/us/invoice/"; http_uri; depth:81; isdataat:!1,relative; content:"www.lexfort.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105295/; classtype:trojan-activity;sid:80968395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eumkd-4tom_tguu-r0q/invoices/9777/44617/en_en/document-needed/"; http_uri; depth:63; isdataat:!1,relative; content:"weresolve.ca"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105294/; classtype:trojan-activity;sid:80968394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/rnyoseb6954540/dokumente/doc/"; http_uri; depth:41; isdataat:!1,relative; content:"webbs.cl"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105293/; classtype:trojan-activity;sid:80968393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/icrhjrv8928666/rechnung/doc-dokument/"; http_uri; depth:44; isdataat:!1,relative; content:"rvloans.in"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105292/; classtype:trojan-activity;sid:80968392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wyjx-fk_mjumrkazx-bbh/invoice/49271/overpayment/en/need-to-send-the-attachment/"; http_uri; depth:80; isdataat:!1,relative; content:"rmklogistics.co.za"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105291/; classtype:trojan-activity;sid:80968391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kyiil-tu_vcgkglzoe-bh/ach/paymentinfo/us_us/paid-invoice/"; http_uri; depth:58; isdataat:!1,relative; content:"polatlimatbaa.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105290/; classtype:trojan-activity;sid:80968390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dolj-u7qwq_tke-hy/invoice/us/paid-invoice/"; http_uri; depth:43; isdataat:!1,relative; content:"nannyservices101.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105289/; classtype:trojan-activity;sid:80968389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/podmlrtcuw7550065/rechnungs/rech/"; http_uri; depth:40; isdataat:!1,relative; content:"lineageforum.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105288/; classtype:trojan-activity;sid:80968388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hbivs-wle_bcgq-gn/invoices/0343/79616/en_en/invoice-2574066-january/"; http_uri; depth:69; isdataat:!1,relative; content:"kiber-soft.net"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105287/; classtype:trojan-activity;sid:80968387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jyjtz-gq_pvogw-ak/184765/surveyquestionsen/paid-invoices/"; http_uri; depth:58; isdataat:!1,relative; content:"healers.awaken-hda.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105286/; classtype:trojan-activity;sid:80968386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/dcfydkpt8398668/gescanntes-dokument/form/"; http_uri; depth:45; isdataat:!1,relative; content:"eurolinecars.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105285/; classtype:trojan-activity;sid:80968385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xgsr-af_thsrz-o5/qe332/invoicing/us/question/"; http_uri; depth:46; isdataat:!1,relative; content:"drdoorbin.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105284/; classtype:trojan-activity;sid:80968384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/pdqbomhu0179187/rechnungs/doc/"; http_uri; depth:42; isdataat:!1,relative; content:"coworkingaruja.com.br"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105283/; classtype:trojan-activity;sid:80968383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/iprxqnxppm4929999/de/doc/"; http_uri; depth:32; isdataat:!1,relative; content:"clubdirectors.tv"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105282/; classtype:trojan-activity;sid:80968382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/abxcc0b1olp-bxgtx0qjajw42murvczk6hfkmlinhi7zhvx_fyv0hofnnum9994jkrn-74fpq3hig5qlr0-8p-a~~/"; http_uri; depth:91; isdataat:!1,relative; content:"url.emailprotection.link"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105281/; classtype:trojan-activity;sid:80968381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/messages/012019/"; http_uri; depth:27; isdataat:!1,relative; content:"pojbez31.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105280/; classtype:trojan-activity;sid:80968380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://hjsanders.nl/transactions/2019-01|26|c=e1czs0n8uqwso1bxdyokrf7k5q-woqtsqdfjlprjzy40pt4lzof-xiwr-yg7fnvpk315knyxzrw_h1u5018bjwwwykc_pqc73rbdpb25ib|26|typo=1/"; http_uri; depth:169; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105279/; classtype:trojan-activity;sid:80968379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/2018/"; http_uri; depth:16; isdataat:!1,relative; content:"www.shot-life.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105278/; classtype:trojan-activity;sid:80968378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions/012019/"; http_uri; depth:31; isdataat:!1,relative; content:"ikinit.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105276/; classtype:trojan-activity;sid:80968376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=ifs9ztbgmqh-2bjxl9ptnymjmw8tl5nafhl4oyltdcbkrzxmtmsxr4ci1qzvvtmzw-2fw7xcrwdtfyumdfr1vl6isd6keqvwbldwjtmfbphfck0-3d_sga7yjxcun1unrlyo8hibvhgetlowmyznvzen8hx1kuk3u9odfc4cildm8s7n6nn6f7ue-2fkyzi8s0oqdh-2f-2fhzobcofe2v-2bnzy2m61w3dt4tmqqf81dqqlxjywvgcogapaihqx5noeqa5aqxcrucu-2fpd1ktmf19-2f-2flhk-2buv2du9sczrgrgg9n-2by64io-2b-2bwmeyfv2st-2bbkredza-2bmfeo7yipafsacqjfd1yxapv-2bk4cmm-3d/"; http_uri; depth:395; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105277/; classtype:trojan-activity;sid:80968377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/012019/"; http_uri; depth:23; isdataat:!1,relative; content:"ayokerja.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105275/; classtype:trojan-activity;sid:80968375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=bu-2fkl8jwfhhl7vzglyn8cgnlqrqbbiqjlvldtgmpwp-2fgxjeiyldwnc-2byji8itnib2epwvy3ajrbwhy0xzc9pvw-3d-3d_t2oqnmbgkig8in2rk28k1skdgt18t3wt4cozymvhqomkt5rdsecrbvag0bdn-2fzkgpxzjyhj3wjdx-2fb6ceexbyelum4rgzfusxpudahbipunluj0ovqw1mhtz8hbi5xsx4n8yagvo1najefpoc6-2fy9k0mr-2bdoiyyb7idlkfh8guk63ul0-2bdzrioxm-2fkbaoonljeys8vzcpsfsschnv9mlfx7uszfmxvh0rrs9-2fqcwi3w-3d/"; http_uri; depth:365; isdataat:!1,relative; content:"u6547982.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105274/; classtype:trojan-activity;sid:80968374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dreyym/transaktion/dez2018/"; http_uri; depth:28; isdataat:!1,relative; content:"nongnghiepgiaphat.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105273/; classtype:trojan-activity;sid:80968373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_information/012019/"; http_uri; depth:38; isdataat:!1,relative; content:"niteshagrico.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105272/; classtype:trojan-activity;sid:80968372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/2019-01/"; http_uri; depth:27; isdataat:!1,relative; content:"marshalstar.com.ng"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105271/; classtype:trojan-activity;sid:80968371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments/012019/"; http_uri; depth:24; isdataat:!1,relative; content:"clubmestre.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105270/; classtype:trojan-activity;sid:80968370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/dez2018/"; http_uri; depth:18; isdataat:!1,relative; content:"cfood-casa.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105269/; classtype:trojan-activity;sid:80968369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_transactions/012019/"; http_uri; depth:39; isdataat:!1,relative; content:"capitalprivateasset.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105268/; classtype:trojan-activity;sid:80968368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/dez2018/"; http_uri; depth:19; isdataat:!1,relative; content:"baza-dekora.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105267/; classtype:trojan-activity;sid:80968367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105266/; classtype:trojan-activity;sid:80968366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv4l"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105265/; classtype:trojan-activity;sid:80968365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105264/; classtype:trojan-activity;sid:80968364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105263/; classtype:trojan-activity;sid:80968363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105262/; classtype:trojan-activity;sid:80968362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105261/; classtype:trojan-activity;sid:80968361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105260/; classtype:trojan-activity;sid:80968360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105259/; classtype:trojan-activity;sid:80968359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105258/; classtype:trojan-activity;sid:80968358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105257/; classtype:trojan-activity;sid:80968357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105256/; classtype:trojan-activity;sid:80968356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105255/; classtype:trojan-activity;sid:80968355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xd.arm7"; http_uri; depth:8; isdataat:!1,relative; content:"185.244.25.168"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105254/; classtype:trojan-activity;sid:80968354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cd/0/get/azlblesnrqottn0z18t-7d8e0eztthjxlwdjrl6ty3h6uwhbwcx7zdgs-p4uzrpwil84blvuksdxkbqwo7my0bux3bxmd_kr1lgajo9lv9lmhgo0fay1cqizwmkwst8srt3iv9ysbps4kzw5lsbalydntf1m7epjwbjkakqjbdkqhy02tz-foycryfwezzajqmy/filedl=1"; http_uri; depth:214; isdataat:!1,relative; content:"ucb3ae1e320c02003c2f7d87f839.dl.dropboxusercontent.com"; http_host; depth:54; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105253/; classtype:trojan-activity;sid:80968353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d2gp7tj_xfpr2/"; http_uri; depth:15; isdataat:!1,relative; content:"ipbempreende.com.br"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105252/; classtype:trojan-activity;sid:80968352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=qndq4jjtih8bhf5kr8xpq4qqa6qfw81wtpthe-2by2dz5ixz3mq3q-2b-2fnjy1xe2zfktxmttjzgmk5idhnx-2f9pzkeq-3d-3d_4keduf-2fjgpr9pwsuvdounecsxkdocv9prdmdd13wteckwzhaplbqwjm1uep-2bcjdifzrq-2bqtuc3kuu6-2bftxf-2bp2e0sehb0ovzvw7gvyrvseupjmud6hikmgjn2phzapu2dwtceva4h6hvbcbjp05fq7lznftjebunzhqurvf9hzevwtmy96vf1wfrlmvgbxje6ie-2barydm1j41gddrvunea-3d-3d/"; http_uri; depth:347; isdataat:!1,relative; content:"u7188081.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105251/; classtype:trojan-activity;sid:80968351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/u3l2amznme/"; http_uri; depth:12; isdataat:!1,relative; content:"estab.org.tr"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105250/; classtype:trojan-activity;sid:80968350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pipk4ilrd/"; http_uri; depth:11; isdataat:!1,relative; content:"antique-carpets.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105249/; classtype:trojan-activity;sid:80968349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bcabyiw/"; http_uri; depth:9; isdataat:!1,relative; content:"divametalart.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105248/; classtype:trojan-activity;sid:80968348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"2benerji.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105247/; classtype:trojan-activity;sid:80968347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/01_19/"; http_uri; depth:18; isdataat:!1,relative; content:"aramanfood.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105245/; classtype:trojan-activity;sid:80968345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders-details/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"zonnestroomtilburg.nl"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105246/; classtype:trojan-activity;sid:80968346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/url=http%3a%2f%2fsendgrid2.oicgulf.ae%2fwf%2fclick%3fupn%3dfbxereqyiwoliv6nv7udtfusdjbayrpj4ohwrd2wwo-2bkgk5fym1vrho9lqfzaaxucfgrwfwpitfx6nmwvvqqoa-3d-3d_zymkta4sgkmmpieqwk-2f8qzphizh3nqeik5ud1frakcdr9j5qsg2icu0giceyhpr0avo6yt9-2fly5umt4xxcuick9zegn4ijq0121cz2ycoxurifwdqkdkevmiau15mpecc7eilll-2fynzogu1nb7kbxhoycclpply8jh5kyph9t-2bhl81-2fgazhbc-2ffauobyeszibo-2bfb3c8ljqjahq84ogkspfuneintcodgnblt3i0i44-3d|26|amp|3b|data=02%7c01%7cpaul.cornelison%40cerner.com%7cf882645333ea46b0fadd08d67cad1123%7cfbc493a80d244454a815f4ca58e8c09d%7c0%7c0%7c636833480093430394|26|amp|3b|sdata=alzan%2ftm6cxq%2bloh%2bxulmjus9h8cxwzfi5tecdwmkd4%3d|26|amp|3b|reserved=0/"; http_uri; depth:651; isdataat:!1,relative; content:"na01.safelinks.protection.outlook.com"; http_host; depth:37; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105244/; classtype:trojan-activity;sid:80968344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bn/wp-content/kwmw-wsoo_jydw-b2t/paymentstatus/en_en/277-20-468894-239-277-20-468894-861/"; http_uri; depth:90; isdataat:!1,relative; content:"www.mother-earth.net"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105243/; classtype:trojan-activity;sid:80968343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yddmu-gj_vswmngxhe-dp/us/outstanding-invoices/"; http_uri; depth:47; isdataat:!1,relative; content:"salam-ngo.ir"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105242/; classtype:trojan-activity;sid:80968342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cpdj-pf53v_mau-us/invoice/9255/overpayment/en_en/open-past-due-orders/"; http_uri; depth:71; isdataat:!1,relative; content:"kamdhenu.technoexam.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105241/; classtype:trojan-activity;sid:80968341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dbhn-lvqao_nerxwpzxa-r4q/en_en/document-needed/"; http_uri; depth:48; isdataat:!1,relative; content:"fhclinica.com.br"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105240/; classtype:trojan-activity;sid:80968340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qpym-lnc3_jbrjwrvoo-11a/paymentstatus/en_en/companies-invoice-4907735/"; http_uri; depth:71; isdataat:!1,relative; content:"billfritzjr.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105239/; classtype:trojan-activity;sid:80968339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assets/images/thdng-rl7v_kg-mrc/comet/signs/payment/notification/01/18/2019/en_us/0-past-due-invoices/"; http_uri; depth:103; isdataat:!1,relative; content:"airshot.ir"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105238/; classtype:trojan-activity;sid:80968338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/2019-01/"; http_uri; depth:36; isdataat:!1,relative; content:"zbancuri.ro"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105237/; classtype:trojan-activity;sid:80968337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/documents/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"www.3dyazicimarket.com.tr"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105236/; classtype:trojan-activity;sid:80968336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_transactions/012019/"; http_uri; depth:39; isdataat:!1,relative; content:"takeiteasy.live"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105235/; classtype:trojan-activity;sid:80968335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/2019-01/"; http_uri; depth:37; isdataat:!1,relative; content:"radintrader.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105234/; classtype:trojan-activity;sid:80968334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"pmracing.it"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105233/; classtype:trojan-activity;sid:80968333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"isoblogs.ir"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105232/; classtype:trojan-activity;sid:80968332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/55pkhuo/amazon/en/payments/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"isikbahce.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105231/; classtype:trojan-activity;sid:80968331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"eriklanger.it"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105230/; classtype:trojan-activity;sid:80968330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/documents/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"airmanship.nl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105229/; classtype:trojan-activity;sid:80968329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/szrblze/amazon/en/clients/012019/"; http_uri; depth:34; isdataat:!1,relative; content:"aimypie.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105228/; classtype:trojan-activity;sid:80968328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/s/p46y9s7tjikmq8y/scan_outputa64260.zipdl=1"; http_uri; depth:44; isdataat:!1,relative; content:"www.dropbox.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105227/; classtype:trojan-activity;sid:80968327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pipk4ilrd"; http_uri; depth:10; isdataat:!1,relative; content:"antique-carpets.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105226/; classtype:trojan-activity;sid:80968326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/gcjhy-w4w_batbe-es2/inv/4964296forpo/20487666479/us_us/open-past-due-orders/"; http_uri; depth:89; isdataat:!1,relative; content:"teacherinnovator.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105225/; classtype:trojan-activity;sid:80968325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gscwr-q5_gcghnsdgf-51p/invoices/22455/56879/en_en/7-past-due-invoices/"; http_uri; depth:71; isdataat:!1,relative; content:"growwiththerapy.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105224/; classtype:trojan-activity;sid:80968324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zbqy-ct_xjcdyeqtx-4d/wv689/invoicing/us/invoice-for-o/f-01/17/2019/"; http_uri; depth:68; isdataat:!1,relative; content:"bmzakochani.pl"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105223/; classtype:trojan-activity;sid:80968323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qxqn-tt_wxu-9p/p46/invoicing/en_us/open-invoices/"; http_uri; depth:50; isdataat:!1,relative; content:"auminhtriet.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105222/; classtype:trojan-activity;sid:80968322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/01_19/"; http_uri; depth:31; isdataat:!1,relative; content:"www.iwsgct18.in"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105221/; classtype:trojan-activity;sid:80968321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/details/012019/"; http_uri; depth:23; isdataat:!1,relative; content:"www.gkif.net"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105220/; classtype:trojan-activity;sid:80968320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"universalskadedyr.dk"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105219/; classtype:trojan-activity;sid:80968319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"saboreslibres.asertiva.cl"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105218/; classtype:trojan-activity;sid:80968318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/attachments/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"ivydental.vn"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105217/; classtype:trojan-activity;sid:80968317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"chalespaubrasil.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105216/; classtype:trojan-activity;sid:80968316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"cerrajeria-sabbath.holy-animero.com"; http_host; depth:35; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105215/; classtype:trojan-activity;sid:80968315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gzvv-22omv_aiqzybvk-aj/en/question/"; http_uri; depth:36; isdataat:!1,relative; content:"demo.trydaps.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105214/; classtype:trojan-activity;sid:80968314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a/1/z7cvpvkphpoypvu6lsy5dx5ga2owbltxq2x9tgxzpbe=d=qikkwz5nr3c3u9u7nmhgfhyzfs1qmj5oqfqlxsmvovnzbtze5uzgeaetslvia5d5p6q9jvkp8lxrehh23biwcfh2fgpyenkm2acyj9ay5obapixsj8-xpwtgmb8mnz_3a7pedg4pxu9ajdk-egrcb_ottfxmcx-hfr926oy_foqu_zss08ddasqsfw0cawl8lcztvqdbbs4mbbabxwixpxbggsgqyf56-o5pkitgwof7gpezxpel6s4axxgij1t_hfkoqxfm4dzmzq2f1qprs7sjfvfy91hq4_3q8lbilutuuviersu-romoqnbo6jz6sldy1dwnz-ohfcerzsez1sg8slfyygzoxp3qjdc-jcwkngeexzyi2jtnqfowxrnnvctfyb9cwslmc4lxlomeyxp0y52hht9r|26|u=http://estylos.com.gt/vryhs-lk_yygw-yg/invoicecodechanges/us_us/paid-invoice/"; http_uri; depth:550; isdataat:!1,relative; content:"clicktime.symantec.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105213/; classtype:trojan-activity;sid:80968313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tjxff-j1hc_zdfmnrxab-6gj/ach/paymentinfo/en_en/document-needed/"; http_uri; depth:64; isdataat:!1,relative; content:"befounddigitalmarketing.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105212/; classtype:trojan-activity;sid:80968312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jyeci-g88ru_dpzcixk-f5x/invoicecodechanges/us/invoice-number-581670/"; http_uri; depth:69; isdataat:!1,relative; content:"moradikermani.oilyplus.ir"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105211/; classtype:trojan-activity;sid:80968311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dfi5jgz_wjwyzgt/"; http_uri; depth:17; isdataat:!1,relative; content:"biometricsystems.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105210/; classtype:trojan-activity;sid:80968310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/povdt-5tj_trqlw-2c/invoice/en_en/outstanding-invoices/"; http_uri; depth:55; isdataat:!1,relative; content:"khsecurity.sg"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105209/; classtype:trojan-activity;sid:80968309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/2019-01/"; http_uri; depth:33; isdataat:!1,relative; content:"alovakiil.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105207/; classtype:trojan-activity;sid:80968307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"replorient.fr"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105208/; classtype:trojan-activity;sid:80968308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"indumentariastore.com.br"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105206/; classtype:trojan-activity;sid:80968306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/attachments/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"web63.s150.goserver.host"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105205/; classtype:trojan-activity;sid:80968305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=fx-2filfzr6cacyc-2fezuu5gobfsgo-2forrzdmkybkg1z9uwiut4wbihzi2dmohwglacpgit4yakn0tpdagdlkagig-3d-3d_sap2mmimgdwludllezl9pbvrjxziksulq0cn0sueyibm7cpycv-2fmils5xnjxgsn6pr1axjj4gwucm3b-2fhotbs04bjul8enndgh24vttjaaj3diy32eiy-2b5tonbw9ynitfomqvtdce-2b49uxp8-2bb5sa88-2bpjbdx-2beeekwk4wwoydi86nrf08eljmwyqsncruhwh1k-2b6u-2boao58xqz3x3dtcq-3d-3d/"; http_uri; depth:351; isdataat:!1,relative; content:"u7648241.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105204/; classtype:trojan-activity;sid:80968304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/documents/2019-01/"; http_uri; depth:26; isdataat:!1,relative; content:"ubocapacitacion.cl"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105203/; classtype:trojan-activity;sid:80968303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments_details/012019/"; http_uri; depth:32; isdataat:!1,relative; content:"www.thequoruminitiative.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105202/; classtype:trojan-activity;sid:80968302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"forexpedia.tradewithrobbie.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105201/; classtype:trojan-activity;sid:80968301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_information/01_19/"; http_uri; depth:37; isdataat:!1,relative; content:"kientrucdep.club"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105200/; classtype:trojan-activity;sid:80968300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/documents/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"tesla-power.pl"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105199/; classtype:trojan-activity;sid:80968299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=fx-2filfzr6cacyc-2fezuu5gobfsgo-2forrzdmkybkg1z9uwiut4wbihzi2dmohwglacpgit4yakn0tpdagdlkagig-3d-3d_sap2mmimgdwludllezl9pbvrjxziksulq0cn0sueyibm7cpycv-2fmils5xnjxgsn6oibmrpescnwajibgyhvzyu8ljrz8gtfenmma1s4nb8ovbmkitxpurlszcggrszguibb5yidrvayyvq-2bzloqymb1cw0n84nrwmo9j56mrgf-2bzp8qhwgbjl0peszmefko4anvkuqfur0m-2frevhojybpw-3d-3d/"; http_uri; depth:341; isdataat:!1,relative; content:"u7648241.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105198/; classtype:trojan-activity;sid:80968298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/documents/2019-01/"; http_uri; depth:26; isdataat:!1,relative; content:"mandselectricalcontractors.co.za"; http_host; depth:32; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105197/; classtype:trojan-activity;sid:80968297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/01_19/"; http_uri; depth:35; isdataat:!1,relative; content:"dmoving.co.il"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105196/; classtype:trojan-activity;sid:80968296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_information/01_19/"; http_uri; depth:37; isdataat:!1,relative; content:"2nell.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105195/; classtype:trojan-activity;sid:80968295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/details/2019-01/"; http_uri; depth:27; isdataat:!1,relative; content:"www.pkmsolutions.com.my"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105194/; classtype:trojan-activity;sid:80968294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_transactions/01_19/"; http_uri; depth:38; isdataat:!1,relative; content:"rosoft.co.uk"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105193/; classtype:trojan-activity;sid:80968293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/012019/"; http_uri; depth:27; isdataat:!1,relative; content:"sarahleighroddis.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105192/; classtype:trojan-activity;sid:80968292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bgijgzkiuj/"; http_uri; depth:12; isdataat:!1,relative; content:"etsybizthai.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105191/; classtype:trojan-activity;sid:80968291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-snapshots/amazon/clients/2019-01/"; http_uri; depth:37; isdataat:!1,relative; content:"lombardz.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105190/; classtype:trojan-activity;sid:80968290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"activartcompany.it"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105189/; classtype:trojan-activity;sid:80968289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/documents/012019/"; http_uri; depth:25; isdataat:!1,relative; content:"uat.convencionmoctezuma.com.mx"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105188/; classtype:trojan-activity;sid:80968288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=2uxnteh7zdqmhuvjape-2b0xcc7dadtt-2btogmnquwwkazh6dcl36ly4ipwcxdoqglpw6vansm2fnmh8gzcgzl2za-3d-3d_5z3xbqwsn2-2fvmfem7b17h4fmpp2yaf02nkm49dxqbtsfsrxf75zykmih-2b7rqceya88luzvddnfkedhbfj4fxxvi6kapcj-2b6sic-2fjs342ek4est3mtejikt-2ba2uahxhqeerhpv84t9tmcy7nk6sink8wr3iffktxuhrhnom9dvoipqwliuky9yqbbxgezyc6zonkuaurcc26car6q6e-2bs4xyb-2fxlqvgupdrn-2bhoq-2bpgm-3d/"; http_uri; depth:367; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105187/; classtype:trojan-activity;sid:80968287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/st/smk1101.exe"; http_uri; depth:15; isdataat:!1,relative; content:"www.fribola.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105186/; classtype:trojan-activity;sid:80968286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/leggmzt771/jsmk15011.exe"; http_uri; depth:25; isdataat:!1,relative; content:"www.fribola.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105185/; classtype:trojan-activity;sid:80968285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"www.smsfgoldbullion.com.au"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105184/; classtype:trojan-activity;sid:80968284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"www.kiber-soft.ru"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105183/; classtype:trojan-activity;sid:80968283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/2019-01/"; http_uri; depth:37; isdataat:!1,relative; content:"www.curiouseli.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105182/; classtype:trojan-activity;sid:80968282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgi-bin/amazon/payments/2019-01/"; http_uri; depth:33; isdataat:!1,relative; content:"tenkabito.site"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105181/; classtype:trojan-activity;sid:80968281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/details/2019-01/"; http_uri; depth:24; isdataat:!1,relative; content:"stryvebiltongorders.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105180/; classtype:trojan-activity;sid:80968280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_transactions/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"servetech.co.za"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105179/; classtype:trojan-activity;sid:80968279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dbmm0yd/amazon/en/attachments/2019-01/"; http_uri; depth:39; isdataat:!1,relative; content:"seogap.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105178/; classtype:trojan-activity;sid:80968278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"ra-services.fr"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105177/; classtype:trojan-activity;sid:80968277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_transactions/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"qwerty-client.co.za"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105176/; classtype:trojan-activity;sid:80968276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"naama-jewelry.co.il"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105175/; classtype:trojan-activity;sid:80968275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"mail.manzimining.co.za"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105174/; classtype:trojan-activity;sid:80968274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/2019-01/"; http_uri; depth:36; isdataat:!1,relative; content:"mail.impacttfs.com.au"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105173/; classtype:trojan-activity;sid:80968273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders-details/2019-01/"; http_uri; depth:34; isdataat:!1,relative; content:"juniorcollegesprimary.co.za"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105172/; classtype:trojan-activity;sid:80968272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/messages/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"etsybizthai.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105171/; classtype:trojan-activity;sid:80968271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments_details/2019-01/"; http_uri; depth:33; isdataat:!1,relative; content:"asertiva.cl"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105170/; classtype:trojan-activity;sid:80968270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"abscaffold.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105169/; classtype:trojan-activity;sid:80968269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nvjnq-kkn_uwn-fiq/ref/9232315245us_us/paid-invoice-credit-card-receipt/"; http_uri; depth:72; isdataat:!1,relative; content:"www.i-deti.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105168/; classtype:trojan-activity;sid:80968268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vtcv-vct0_ou-zjp/803067/surveyquestionsus/companies-invoice-09329127/"; http_uri; depth:70; isdataat:!1,relative; content:"www.forma-31.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105167/; classtype:trojan-activity;sid:80968267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kpzkw-gmnam_maq-eg/comet/signs/payment/notification/01/17/2019/en_en/invoice-number-85877/"; http_uri; depth:91; isdataat:!1,relative; content:"reseau38.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105166/; classtype:trojan-activity;sid:80968266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jygrs-tt_puc-1x/ext/paymentstatus/us/invoice-for-d/l-01/17/2019/"; http_uri; depth:65; isdataat:!1,relative; content:"rentalagreement.aartimkarande.in"; http_host; depth:32; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105165/; classtype:trojan-activity;sid:80968265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vqeom-vuse_rbba-7z/invoices/6784/4291/en_us/outstanding-invoices/"; http_uri; depth:66; isdataat:!1,relative; content:"qhoteloldcity.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105164/; classtype:trojan-activity;sid:80968264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/js/widgets/kzymb-ef_cvzcce-hzy/comet/signs/payment/notification/01/17/2019/en_en/new-ord/"; http_uri; depth:99; isdataat:!1,relative; content:"millennialsberkarya.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105163/; classtype:trojan-activity;sid:80968263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mdzt-my0og_jnccojln-5kv/ext/paymentstatus/us/companies-invoice-2556548/"; http_uri; depth:72; isdataat:!1,relative; content:"kashholon.co.il"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105162/; classtype:trojan-activity;sid:80968262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ucin-lz_ccknj-5u5/en/invoices-attached/"; http_uri; depth:40; isdataat:!1,relative; content:"gostar.vn"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105161/; classtype:trojan-activity;sid:80968261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zwzfr-he_azvqirdxi-jms/p85/invoicing/us_us/invoice-for-d/r-01/17/2019/"; http_uri; depth:71; isdataat:!1,relative; content:"firstclassedu.com.ng"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105160/; classtype:trojan-activity;sid:80968260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vryhs-lk_yygw-yg/invoicecodechanges/us_us/paid-invoice/"; http_uri; depth:56; isdataat:!1,relative; content:"estylos.com.gt"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105159/; classtype:trojan-activity;sid:80968259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cemu-rnvlm_fyzp-ve/inv/4353161709/us/past-due-invoices/"; http_uri; depth:56; isdataat:!1,relative; content:"birdychat.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105157/; classtype:trojan-activity;sid:80968257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/irctz-yak_yelimi-em5/southwire/pld919931638/en_en/invoices-overdue/"; http_uri; depth:68; isdataat:!1,relative; content:"checkreview.ooo"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105158/; classtype:trojan-activity;sid:80968258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bhxb-2d_ybk-alx/invoices/51729/5304/us/invoice-41020439-january/"; http_uri; depth:65; isdataat:!1,relative; content:"bancanhovinhomes.vn"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105156/; classtype:trojan-activity;sid:80968256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ucexport=download|26|confirm=no_antivirus|26|id=1xhfb3mn4ryigopgdkhijvhzdpxxv0eny"; http_uri; depth:82; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105154/; classtype:trojan-activity;sid:80968254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ucexport=download|26|confirm=no_antivirus|26|id=1aepzxfx7_l4jvvinadozb8nfbzcnqd93"; http_uri; depth:82; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105153/; classtype:trojan-activity;sid:80968253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/olala/get.php"; http_uri; depth:14; isdataat:!1,relative; content:"205.185.117.44"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105152/; classtype:trojan-activity;sid:80968252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lqfz-vz8_mzvw-mvc/inv/33335forpo/4842918507/en/invoice-corrections-for-37/65/"; http_uri; depth:78; isdataat:!1,relative; content:"escortdubaiexpo.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105151/; classtype:trojan-activity;sid:80968251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vehp-i9lhw_nuhkrf-klm/910950/surveyquestionsen_en/invoice-for-you/"; http_uri; depth:67; isdataat:!1,relative; content:"coletivogaratuja.com.br"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105150/; classtype:trojan-activity;sid:80968250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/enlightenment/js/sserv.jpg"; http_uri; depth:45; isdataat:!1,relative; content:"seproimporta.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105149/; classtype:trojan-activity;sid:80968249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/talon/css/bootstrap/sserv.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"fjorditservices.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105148/; classtype:trojan-activity;sid:80968248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/thegem/images/admin-images/icons/zinf.jpg"; http_uri; depth:60; isdataat:!1,relative; content:"trendingshirt.shop"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105147/; classtype:trojan-activity;sid:80968247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/enlightenment/fonts/sserv.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"seproimporta.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105146/; classtype:trojan-activity;sid:80968246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/thegem/gem-templates/blog/sserv.jpg"; http_uri; depth:54; isdataat:!1,relative; content:"trendingshirt.shop"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105145/; classtype:trojan-activity;sid:80968245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/talon/images/sserv.jpg"; http_uri; depth:41; isdataat:!1,relative; content:"fjorditservices.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105144/; classtype:trojan-activity;sid:80968244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/thegem/images/admin-images/icons/sserv.jpg"; http_uri; depth:61; isdataat:!1,relative; content:"trendingshirt.shop"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105143/; classtype:trojan-activity;sid:80968243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgi-bin/sserv.jpg"; http_uri; depth:18; isdataat:!1,relative; content:"threxng.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105142/; classtype:trojan-activity;sid:80968242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/magazine-point/includes/customizer/ssj.jpg"; http_uri; depth:61; isdataat:!1,relative; content:"threxng.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105140/; classtype:trojan-activity;sid:80968240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/thegem/css/jquery-ui/base/images/ssj.jpg"; http_uri; depth:59; isdataat:!1,relative; content:"trendingshirt.shop"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105141/; classtype:trojan-activity;sid:80968241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/talon/template-parts/sserv.jpg"; http_uri; depth:49; isdataat:!1,relative; content:"fjorditservices.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105139/; classtype:trojan-activity;sid:80968239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/enlightenment/languages/sserv.jpg"; http_uri; depth:52; isdataat:!1,relative; content:"seproimporta.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105138/; classtype:trojan-activity;sid:80968238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kyiil-tu_vcgkglzoe-bh/ach/paymentinfo/us_us/paid-invoice/"; http_uri; depth:58; isdataat:!1,relative; content:"www.polatlimatbaa.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105137/; classtype:trojan-activity;sid:80968237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kwwri-kl0s_q-gt/ext/paymentstatus/en_us/service-invoice/"; http_uri; depth:57; isdataat:!1,relative; content:"photomoura.ir"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105136/; classtype:trojan-activity;sid:80968236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"wordpress-147603-423492.cloudwaysapps.com"; http_host; depth:41; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105135/; classtype:trojan-activity;sid:80968235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transaction_details/01_19/"; http_uri; depth:37; isdataat:!1,relative; content:"media.wi-fly.net"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105134/; classtype:trojan-activity;sid:80968234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/talon/icons/fonts/sserv.jpg"; http_uri; depth:46; isdataat:!1,relative; content:"fjorditservices.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105133/; classtype:trojan-activity;sid:80968233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/enlightenment/fonts/ssj.jpg"; http_uri; depth:46; isdataat:!1,relative; content:"seproimporta.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105132/; classtype:trojan-activity;sid:80968232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/karu.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105131/; classtype:trojan-activity;sid:80968231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/karu.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105130/; classtype:trojan-activity;sid:80968230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/karu.m68k"; http_uri; depth:15; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105129/; classtype:trojan-activity;sid:80968229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/karu.spc"; http_uri; depth:14; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105128/; classtype:trojan-activity;sid:80968228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/karu.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105127/; classtype:trojan-activity;sid:80968227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/details/012019/"; http_uri; depth:23; isdataat:!1,relative; content:"www.petrina.com.br"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105126/; classtype:trojan-activity;sid:80968226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders-details/01_19/"; http_uri; depth:32; isdataat:!1,relative; content:"www.mesa.so"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105125/; classtype:trojan-activity;sid:80968225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"www.h2o-wash.co.za"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105124/; classtype:trojan-activity;sid:80968224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/details/012019/"; http_uri; depth:26; isdataat:!1,relative; content:"www.editocom.info"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105123/; classtype:trojan-activity;sid:80968223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"theschooltoolbox.co.za"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105122/; classtype:trojan-activity;sid:80968222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/01_19/"; http_uri; depth:31; isdataat:!1,relative; content:"phelieuasia.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105121/; classtype:trojan-activity;sid:80968221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/2019-01/"; http_uri; depth:24; isdataat:!1,relative; content:"nbhgroup.in"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105120/; classtype:trojan-activity;sid:80968220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments/2019-01/"; http_uri; depth:25; isdataat:!1,relative; content:"manningsschoolja.org"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105119/; classtype:trojan-activity;sid:80968219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/2019-01/"; http_uri; depth:36; isdataat:!1,relative; content:"liitgroup.co.za"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105118/; classtype:trojan-activity;sid:80968218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/012019/"; http_uri; depth:23; isdataat:!1,relative; content:"histyle-eg.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105116/; classtype:trojan-activity;sid:80968216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"jobgetter.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105117/; classtype:trojan-activity;sid:80968217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/012019/"; http_uri; depth:39; isdataat:!1,relative; content:"dplogistics.com.pl"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105115/; classtype:trojan-activity;sid:80968215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"daliahafez.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105114/; classtype:trojan-activity;sid:80968214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"crolanbicycle.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105113/; classtype:trojan-activity;sid:80968213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/documents/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"artemvqe.beget.tech"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105112/; classtype:trojan-activity;sid:80968212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/antc-irs_yijcdb-skn/en/invoice/"; http_uri; depth:32; isdataat:!1,relative; content:"www.rokiatraore.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105111/; classtype:trojan-activity;sid:80968211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rxqy-topx_bkl-k1/invoice/8882088/en_en/need-to-send-the-attachment/"; http_uri; depth:68; isdataat:!1,relative; content:"www.hjsanders.nl"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105110/; classtype:trojan-activity;sid:80968210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ffjo-pu_co-lth/ach/paymentadvice/us/service-invoice/"; http_uri; depth:53; isdataat:!1,relative; content:"towerchina.com.cn"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105109/; classtype:trojan-activity;sid:80968209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zentw-6g_zh-pwe/en/overdue-payment/"; http_uri; depth:36; isdataat:!1,relative; content:"starbilisim.net"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105108/; classtype:trojan-activity;sid:80968208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/flcy-robzv_j-cfh/en/important-please-read/"; http_uri; depth:43; isdataat:!1,relative; content:"mingroups.vn"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105107/; classtype:trojan-activity;sid:80968207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/adgbz-zb_gix-wo/y558/invoicing/en/invoices-attached/"; http_uri; depth:53; isdataat:!1,relative; content:"malin-kdo.fr"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105106/; classtype:trojan-activity;sid:80968206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wgcbz-0oykr_tat-ai/invoicecodechanges/us/service-invoice/"; http_uri; depth:58; isdataat:!1,relative; content:"logopediaromaeur.it"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105105/; classtype:trojan-activity;sid:80968205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lazez-l0qd_zcglb-yg/inv/7406599000/us_us/outstanding-invoices/"; http_uri; depth:63; isdataat:!1,relative; content:"kadinveyasam.org"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105104/; classtype:trojan-activity;sid:80968204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/howj-jg55_uc-aq/4072397/surveyquestionsen_en/paid-invoices/"; http_uri; depth:60; isdataat:!1,relative; content:"institutodrucker.edu.mx"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105103/; classtype:trojan-activity;sid:80968203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sasb-6b0_expniy-ci/invoice/888600786/en/0-past-due-invoices/"; http_uri; depth:61; isdataat:!1,relative; content:"hungryman.vi-bus.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105102/; classtype:trojan-activity;sid:80968202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/untt-ha_yfhuoyufh-3ls/ach/paymentinfo/us_us/paid-invoice-credit-card-receipt/"; http_uri; depth:87; isdataat:!1,relative; content:"daddyospizzasubs.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105101/; classtype:trojan-activity;sid:80968201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jixi-u77g_yzfwm-jdw/ach/paymentadvice/us_us/2-past-due-invoices/"; http_uri; depth:65; isdataat:!1,relative; content:"condosbysmdc.ph"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105100/; classtype:trojan-activity;sid:80968200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cjojm-3jl19_wovwcuso-hg/invoices/51963/4349/en_us/paid-invoice/"; http_uri; depth:64; isdataat:!1,relative; content:"cheapavia.ga"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105099/; classtype:trojan-activity;sid:80968199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pvfsv-gx2wa_hkknhl-km/invoicecodechanges/us/invoice-6117660/"; http_uri; depth:61; isdataat:!1,relative; content:"amimakingmoneyonline.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105098/; classtype:trojan-activity;sid:80968198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/vva1report.hta"; http_uri; depth:20; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105097/; classtype:trojan-activity;sid:80968197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/karu.mips"; http_uri; depth:15; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105095/; classtype:trojan-activity;sid:80968195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/karu.x86"; http_uri; depth:14; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105096/; classtype:trojan-activity;sid:80968196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/karu.arm5"; http_uri; depth:15; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105093/; classtype:trojan-activity;sid:80968193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/karu.mpsl"; http_uri; depth:15; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105094/; classtype:trojan-activity;sid:80968194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/karu.arm"; http_uri; depth:14; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105092/; classtype:trojan-activity;sid:80968192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/thegem/inc/image-generator/ssj.jpg"; http_uri; depth:53; isdataat:!1,relative; content:"trendingshirt.shop"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105091/; classtype:trojan-activity;sid:80968191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/magazine-point/js/ssj.jpg"; http_uri; depth:44; isdataat:!1,relative; content:"threxng.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105090/; classtype:trojan-activity;sid:80968190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/enlightenment/js/ssj.jpg"; http_uri; depth:43; isdataat:!1,relative; content:"seproimporta.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105089/; classtype:trojan-activity;sid:80968189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/talon/images/ssj.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"fjorditservices.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105088/; classtype:trojan-activity;sid:80968188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyseventeen/assets/css/ssj.jpg"; http_uri; depth:53; isdataat:!1,relative; content:"bv7a5s.myraidbox.de"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105087/; classtype:trojan-activity;sid:80968187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/cache/minify/ssj.jpg"; http_uri; depth:32; isdataat:!1,relative; content:"researchdania.in"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105086/; classtype:trojan-activity;sid:80968186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/ssj.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"qsongchihotel.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105085/; classtype:trojan-activity;sid:80968185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/elementor/assets/css/templates/ssj.jpg"; http_uri; depth:50; isdataat:!1,relative; content:"diota-ar.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105084/; classtype:trojan-activity;sid:80968184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zpoo/vva.exe"; http_uri; depth:13; isdataat:!1,relative; content:"rogamaquinaria.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105083/; classtype:trojan-activity;sid:80968183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_messages/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"rnexpress.ir"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105082/; classtype:trojan-activity;sid:80968182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://stats.emalaya.org/kdpfp-vyc_vbaktoyl-2e/476308/surveyquestionsus_us/open-invoices|26|c=e,1,5f_ccc6r4gyydm7atvzqhteb_u9bqdg6rsga_mctmlzok8eytd21zwbl2spufv67vcvgc_1ptihzly0n4t9v9j8ifxdyhtzg6f6a7fv-i4e7qyi7fgi,|26|typo=1/"; http_uri; depth:231; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105081/; classtype:trojan-activity;sid:80968181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://institutodrucker.edu.mx/howj-jg55_uc-aq/4072397/surveyquestionsen_en/paid-invoices|26|c=e,1,kftq-jl8wk9k5ppvmoxampug0skxjr8ejumzwpe6sl_nigdzymeh5ip1zuz-6ryurtwb9ye9eqcnj3fuc0mh-aajmmmy7nfpq5fqw57y_vcvhda_ymanj3-p|26|typo=1/"; http_uri; depth:236; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105080/; classtype:trojan-activity;sid:80968180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rqes-l1_niptrhy-zk/invoice/us_us/question/"; http_uri; depth:43; isdataat:!1,relative; content:"cindycastellanos.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105079/; classtype:trojan-activity;sid:80968179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mqvec-d8tre_r-9rk/inv/76965924789/en/inv-277031-po-5x526676/"; http_uri; depth:61; isdataat:!1,relative; content:"dirc-madagascar.ru"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105078/; classtype:trojan-activity;sid:80968178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/imnu-5p_mgmpfewr-kq/invoice/9046/overpayment/en_en/scan/"; http_uri; depth:57; isdataat:!1,relative; content:"histolabdiagnostico.com.br"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105077/; classtype:trojan-activity;sid:80968177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/owbpm-cz_uy-lna/en_us/6-past-due-invoices/"; http_uri; depth:43; isdataat:!1,relative; content:"blogg.postvaxel.se"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105076/; classtype:trojan-activity;sid:80968176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ajnqt-vb_kgafxwsfk-ze/invoices/0106/65482/en/invoice-6749049-january/"; http_uri; depth:70; isdataat:!1,relative; content:"wb88indo.win"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105075/; classtype:trojan-activity;sid:80968175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/movvv-snhu_aoovha-zsg/inv/6740641forpo/88220644916/en_en/open-past-due-orders/"; http_uri; depth:79; isdataat:!1,relative; content:"southgatetower.cdd.vn"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105074/; classtype:trojan-activity;sid:80968174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8u7sdim/"; http_uri; depth:9; isdataat:!1,relative; content:"wp.corelooknung.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105073/; classtype:trojan-activity;sid:80968173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/v601pqkuq/"; http_uri; depth:11; isdataat:!1,relative; content:"curiouseli.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105072/; classtype:trojan-activity;sid:80968172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bgijgzkiuj/"; http_uri; depth:12; isdataat:!1,relative; content:"www.etsybizthai.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105071/; classtype:trojan-activity;sid:80968171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eajtls0gfg/"; http_uri; depth:12; isdataat:!1,relative; content:"www.soloftp.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105070/; classtype:trojan-activity;sid:80968170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/0ccrgiloi/"; http_uri; depth:11; isdataat:!1,relative; content:"refinisherstrading.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105069/; classtype:trojan-activity;sid:80968169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1"; http_uri; depth:2; isdataat:!1,relative; content:"thequeso.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105066/; classtype:trojan-activity;sid:80968166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2"; http_uri; depth:2; isdataat:!1,relative; content:"thequeso.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105067/; classtype:trojan-activity;sid:80968167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3"; http_uri; depth:2; isdataat:!1,relative; content:"thequeso.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105068/; classtype:trojan-activity;sid:80968168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/googleanalytics/3"; http_uri; depth:37; isdataat:!1,relative; content:"sutherlandshireuav.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105065/; classtype:trojan-activity;sid:80968165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"brosstayhype.co.za"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105064/; classtype:trojan-activity;sid:80968164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments/012019/"; http_uri; depth:24; isdataat:!1,relative; content:"clubmestre.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105063/; classtype:trojan-activity;sid:80968163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"ciadasluvas.com.br"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105062/; classtype:trojan-activity;sid:80968162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/attachments/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"shopphotographer.co.za"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105061/; classtype:trojan-activity;sid:80968161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/messages/012019/"; http_uri; depth:27; isdataat:!1,relative; content:"www.asertiva.cl"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105060/; classtype:trojan-activity;sid:80968160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/details/012019/"; http_uri; depth:26; isdataat:!1,relative; content:"mmms.at"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105059/; classtype:trojan-activity;sid:80968159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"roytransfer.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105058/; classtype:trojan-activity;sid:80968158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_messages/2019-01/"; http_uri; depth:36; isdataat:!1,relative; content:"squawkcoffeehouse.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105057/; classtype:trojan-activity;sid:80968157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=ozdr6ti7-2fayttoozfxiark2xm4-2bfamuvp6owqoumf4i051dejfoiysd0gngysydc7oqf-2b6-2bfxvvimkte-2fhbq5w-3d-3d_rmjxgqkxyk3cmschs2ssfifppdo7xf8ec30mlrvm9bzxeavyrbuxbift-2fmw8bccazpclk-2fnpmtdx4-2bo0vclgvxthshtgpyc7eaooqv9s-2b2gyb6c8n7vkfndfc1fpgedd1rwrpxb5ob-2fl3xzemvfm4suu5mpbjarij-2fmomc-2fg3xqc2brhzckaaikzlqvuik-2fwz74-2fnarunjga0xtxn12rng-3d-3d/"; http_uri; depth:355; isdataat:!1,relative; content:"u5184431.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105056/; classtype:trojan-activity;sid:80968156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=50wzscr979siynfttur00wjo-2bnhhkeuxdhtyw0edyt4cdqgunuzn0egxhsdhhpoixfaedpti8jszts4gykso5qbk8gjdubbb2x8d006r2fk-3d_1dgnceythc-2bspxqlwomt9tydce94vly6ofybl9hokdssy0npa87wy6i6zeuobetpcbym9ncqisb2yvwsh35ciwwwzuolmsfbxo7nz6z-2fpjur0tp3hfv7-2bq44ntqnerby-2bf3233jiyotz9n5b7p9il9ht0f7tbjsxt2d6tjuavidq1vyqy9mbwx3h5uzbwswxb-2bvgpb-2ffosppv9uxnkyrtepzzxtjozsmhkcdwj-2b7pcy-3d/"; http_uri; depth:379; isdataat:!1,relative; content:"u5184431.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105055/; classtype:trojan-activity;sid:80968155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_information/01_19/"; http_uri; depth:37; isdataat:!1,relative; content:"womanhealer.co.za"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105054/; classtype:trojan-activity;sid:80968154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"ssmthethwa.co.za"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105053/; classtype:trojan-activity;sid:80968153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders_details/2019-01/"; http_uri; depth:34; isdataat:!1,relative; content:"web113.s152.goserver.host"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105052/; classtype:trojan-activity;sid:80968152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/googleanalytics/2"; http_uri; depth:37; isdataat:!1,relative; content:"sutherlandshireuav.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105051/; classtype:trojan-activity;sid:80968151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/googleanalytics/1"; http_uri; depth:37; isdataat:!1,relative; content:"sutherlandshireuav.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105050/; classtype:trojan-activity;sid:80968150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/google-sitemap-generator/3"; http_uri; depth:46; isdataat:!1,relative; content:"rmdy.ru"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105049/; classtype:trojan-activity;sid:80968149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/google-sitemap-generator/2"; http_uri; depth:46; isdataat:!1,relative; content:"rmdy.ru"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105048/; classtype:trojan-activity;sid:80968148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/google-sitemap-generator/1"; http_uri; depth:46; isdataat:!1,relative; content:"rmdy.ru"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105047/; classtype:trojan-activity;sid:80968147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/ubh/3"; http_uri; depth:25; isdataat:!1,relative; content:"jolange.com.au"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105046/; classtype:trojan-activity;sid:80968146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/ubh/2"; http_uri; depth:25; isdataat:!1,relative; content:"jolange.com.au"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105045/; classtype:trojan-activity;sid:80968145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/ubh/1"; http_uri; depth:25; isdataat:!1,relative; content:"jolange.com.au"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105044/; classtype:trojan-activity;sid:80968144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/search-everything/3"; http_uri; depth:39; isdataat:!1,relative; content:"bcrua.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105043/; classtype:trojan-activity;sid:80968143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/search-everything/2"; http_uri; depth:39; isdataat:!1,relative; content:"bcrua.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105042/; classtype:trojan-activity;sid:80968142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/search-everything/1"; http_uri; depth:39; isdataat:!1,relative; content:"bcrua.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105041/; classtype:trojan-activity;sid:80968141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/t4v4_lvalup08_foxatn/"; http_uri; depth:22; isdataat:!1,relative; content:"aplusglass-parebrise-anet.fr"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105040/; classtype:trojan-activity;sid:80968140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/geyz_l5du/"; http_uri; depth:11; isdataat:!1,relative; content:"plottermais.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105039/; classtype:trojan-activity;sid:80968139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d2gp7tj_xfpr2/"; http_uri; depth:15; isdataat:!1,relative; content:"www.ipbempreende.com.br"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105038/; classtype:trojan-activity;sid:80968138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8evxz_uvsd_4/"; http_uri; depth:14; isdataat:!1,relative; content:"pentick.space"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105037/; classtype:trojan-activity;sid:80968137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lcx6_wx2gkpuh/"; http_uri; depth:15; isdataat:!1,relative; content:"fleetstreetstudios.co.za"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105036/; classtype:trojan-activity;sid:80968136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/otldq-er_uxikaft-x1/ext/paymentstatus/en_us/service-invoice/"; http_uri; depth:61; isdataat:!1,relative; content:"sskymedia.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105034/; classtype:trojan-activity;sid:80968134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jvyx-hjyx_iesfak-3yl/paymentstatus/us_us/invoice/"; http_uri; depth:50; isdataat:!1,relative; content:"hauteloirebio.fr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105032/; classtype:trojan-activity;sid:80968132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dsypv-c4_efrjaluu-eu/comet/signs/payment/notification/01/17/2019/en_us/paid-invoice-credit-card-receipt/"; http_uri; depth:105; isdataat:!1,relative; content:"quentinberra.fr"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105033/; classtype:trojan-activity;sid:80968133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mefzy-r2eec_onxrmtno-lnb/en/outstanding-invoices/"; http_uri; depth:50; isdataat:!1,relative; content:"www.kolejskilmentari.edu.my"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105031/; classtype:trojan-activity;sid:80968131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/osll-q2jo_d-8pv/paymentstatus/us_us/paid-invoice-credit-card-receipt/"; http_uri; depth:70; isdataat:!1,relative; content:"csrcampaign.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105030/; classtype:trojan-activity;sid:80968130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xxdap/client/wordpress/amazon/en/orders_details/012019/"; http_uri; depth:56; isdataat:!1,relative; content:"www.paceforliving.co.uk"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105029/; classtype:trojan-activity;sid:80968129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/information/01_19/"; http_uri; depth:26; isdataat:!1,relative; content:"seitenstreifen.ch"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105028/; classtype:trojan-activity;sid:80968128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nrn3gdj89t5/runmedia.txt"; http_uri; depth:25; isdataat:!1,relative; content:"69.45.19.254"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105027/; classtype:trojan-activity;sid:80968127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iniihqqg/esetnod32.bin"; http_uri; depth:23; isdataat:!1,relative; content:"192.254.177.175"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105026/; classtype:trojan-activity;sid:80968126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/o11l9qub/mediatable.bin"; http_uri; depth:24; isdataat:!1,relative; content:"91.205.215.13"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105025/; classtype:trojan-activity;sid:80968125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eljox2c8/officeactivate.bin"; http_uri; depth:28; isdataat:!1,relative; content:"69.163.33.84"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105024/; classtype:trojan-activity;sid:80968124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/vmajgvudb5016066/rechnungs-docs/doc-dokument/"; http_uri; depth:57; isdataat:!1,relative; content:"ysoredy.cf"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105023/; classtype:trojan-activity;sid:80968123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qiue-gjrx_jkqqbzts-pg/j06/invoicing/us/invoice-69989281-january/"; http_uri; depth:65; isdataat:!1,relative; content:"www.zhktonline.ru"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105022/; classtype:trojan-activity;sid:80968122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cphe-bndyq_jbjwuhlfr-u5/en_en/document-needed/"; http_uri; depth:47; isdataat:!1,relative; content:"www.rosimpex.net"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105021/; classtype:trojan-activity;sid:80968121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/erqy-96sw_wh-hei/paymentstatus/us_us/invoices-attached/"; http_uri; depth:56; isdataat:!1,relative; content:"www.mandezik.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105020/; classtype:trojan-activity;sid:80968120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hpyl-cl3ex_dezh-knj/invoice/0796/overpayment/en_us/document-needed/"; http_uri; depth:68; isdataat:!1,relative; content:"www.droobedu.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105019/; classtype:trojan-activity;sid:80968119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ppcr-rb_qsls-e4/ach/paymentadvice/en/past-due-invoices/"; http_uri; depth:56; isdataat:!1,relative; content:"www.dplogistics.com.pl"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105018/; classtype:trojan-activity;sid:80968118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pbaih-uhv_howdfyoaw-vvk/87105/surveyquestionsen_en/invoice/"; http_uri; depth:60; isdataat:!1,relative; content:"sutesisatci.biz.tr"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105017/; classtype:trojan-activity;sid:80968117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/esvd-xxlxf_pocoziz-3d/southwire/czr601587498/us/ach-form/"; http_uri; depth:58; isdataat:!1,relative; content:"ronasmarket.ir"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105016/; classtype:trojan-activity;sid:80968116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hzlat-fvcum_x-fy/us/invoice-receipt/"; http_uri; depth:37; isdataat:!1,relative; content:"robledodetorio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105015/; classtype:trojan-activity;sid:80968115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xqzl-wx4s_ywkmhhka-cf/invoice/08475966/en_us/inv-67164-po-0f526809/"; http_uri; depth:68; isdataat:!1,relative; content:"phytosweets101.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105014/; classtype:trojan-activity;sid:80968114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/whogi-cr2k_swjkc-ix/yt15/invoicing/us/invoice-number-57565/"; http_uri; depth:60; isdataat:!1,relative; content:"iplb.ir"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105013/; classtype:trojan-activity;sid:80968113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vmam-ux2_rjrpqj-d0/invoice/us_us/new-order/"; http_uri; depth:44; isdataat:!1,relative; content:"interierykosice.sk"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105012/; classtype:trojan-activity;sid:80968112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ynyje-7ly0_pvsoci-uy4/comet/signs/payment/notification/01/17/2019/us/outstanding-invoices/"; http_uri; depth:91; isdataat:!1,relative; content:"conceptrecords.ru"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105011/; classtype:trojan-activity;sid:80968111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pruh-cv4_ucnp-l1/b536/invoicing/us/need-to-send-the-attachment/"; http_uri; depth:64; isdataat:!1,relative; content:"caringrides.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105010/; classtype:trojan-activity;sid:80968110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/amazon/en/orders_details/012019/"; http_uri; depth:42; isdataat:!1,relative; content:"yxieludy.cf"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105009/; classtype:trojan-activity;sid:80968109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_transactions/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"ygiacurcumin.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105008/; classtype:trojan-activity;sid:80968108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"www.shems.capital"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105007/; classtype:trojan-activity;sid:80968107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"www.forodigitalpyme.es"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105006/; classtype:trojan-activity;sid:80968106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions/01_19/"; http_uri; depth:30; isdataat:!1,relative; content:"tsg-orbita.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105005/; classtype:trojan-activity;sid:80968105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders_details/01_19/"; http_uri; depth:32; isdataat:!1,relative; content:"science-house.ir"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105004/; classtype:trojan-activity;sid:80968104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_transactions/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"mange-gode-blogs.dk"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105003/; classtype:trojan-activity;sid:80968103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_messages/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"edenbeach.eu"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105002/; classtype:trojan-activity;sid:80968102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_messages/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"czystaswiadomosc-swiatloimilosc.pl"; http_host; depth:34; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105001/; classtype:trojan-activity;sid:80968101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/012019/"; http_uri; depth:23; isdataat:!1,relative; content:"bellevega.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/105000/; classtype:trojan-activity;sid:80968100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/endy/endy.exe"; http_uri; depth:14; isdataat:!1,relative; content:"jesseworld.eu"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104999/; classtype:trojan-activity;sid:80968099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ejike/ejike.exe"; http_uri; depth:16; isdataat:!1,relative; content:"jesseworld.eu"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104998/; classtype:trojan-activity;sid:80968098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pro.exe"; http_uri; depth:8; isdataat:!1,relative; content:"107.172.3.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104997/; classtype:trojan-activity;sid:80968097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sites/default/files/jbkgiodo_uxnlb4d6_wix/"; http_uri; depth:43; isdataat:!1,relative; content:"shengen.ru"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104996/; classtype:trojan-activity;sid:80968096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/twk9bcyzz/"; http_uri; depth:11; isdataat:!1,relative; content:"teramed.com.co"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104995/; classtype:trojan-activity;sid:80968095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyseventeen/template-parts/footer/ssj.jpg"; http_uri; depth:64; isdataat:!1,relative; content:"allaroundwm.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104993/; classtype:trojan-activity;sid:80968093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/ssj.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"construction.nucleus.odns.fr"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104994/; classtype:trojan-activity;sid:80968094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/id3/ssj.jpg"; http_uri; depth:24; isdataat:!1,relative; content:"explosederire.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104992/; classtype:trojan-activity;sid:80968092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/legacy/legacy.exe"; http_uri; depth:18; isdataat:!1,relative; content:"jesseworld.eu"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104991/; classtype:trojan-activity;sid:80968091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/showmoney/showmoney.exe"; http_uri; depth:24; isdataat:!1,relative; content:"jesseworld.eu"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104990/; classtype:trojan-activity;sid:80968090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/frankjoe/frankjoe.exe"; http_uri; depth:22; isdataat:!1,relative; content:"jesseworld.eu"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104989/; classtype:trojan-activity;sid:80968089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/sserv.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"construction.nucleus.odns.fr"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104988/; classtype:trojan-activity;sid:80968088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fbtaa-p8ng_oyzh-hxs/ach/paymentinfo/en_en/paid-invoices/"; http_uri; depth:57; isdataat:!1,relative; content:"newtechpharmaceuticals.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104987/; classtype:trojan-activity;sid:80968087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/aksuxy4373739/rechnungs/rech/"; http_uri; depth:36; isdataat:!1,relative; content:"www.grupocrecer.org"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104986/; classtype:trojan-activity;sid:80968086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jwml-mimj_zvsg-vdx/ext/paymentstatus/en_us/paid-invoice-credit-card-receipt/"; http_uri; depth:77; isdataat:!1,relative; content:"ali33vn.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104985/; classtype:trojan-activity;sid:80968085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cply-b0_hvfpmk-zuk/ach/paymentinfo/en_en/paid-invoice-credit-card-receipt/"; http_uri; depth:75; isdataat:!1,relative; content:"condosbysmdc.ph"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104984/; classtype:trojan-activity;sid:80968084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gyhl-dct9_ck-ob/us_us/open-invoices/"; http_uri; depth:37; isdataat:!1,relative; content:"armbuddy.co.za"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104983/; classtype:trojan-activity;sid:80968083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/rgvvpqx2802156/gescanntes-dokument/doc/"; http_uri; depth:43; isdataat:!1,relative; content:"www.modelgenesis.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104982/; classtype:trojan-activity;sid:80968082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/norh-xey_lrq-mby/inv/59453forpo/557261577316/us_us/new-order/"; http_uri; depth:62; isdataat:!1,relative; content:"0qixri.thule.su"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104981/; classtype:trojan-activity;sid:80968081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ewuzc-tconu_hkzn-eri/rw286/invoicing/en_en/paid-invoice/"; http_uri; depth:57; isdataat:!1,relative; content:"tanineahlebeyt.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104980/; classtype:trojan-activity;sid:80968080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/012019/"; http_uri; depth:32; isdataat:!1,relative; content:"slcip.org"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104979/; classtype:trojan-activity;sid:80968079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_transactions/012019/"; http_uri; depth:39; isdataat:!1,relative; content:"www.capitalprivateasset.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104978/; classtype:trojan-activity;sid:80968078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments_details/01_19/"; http_uri; depth:31; isdataat:!1,relative; content:"ccoweetf.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104977/; classtype:trojan-activity;sid:80968077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/2019-01/"; http_uri; depth:36; isdataat:!1,relative; content:"kuvo.cl"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104976/; classtype:trojan-activity;sid:80968076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders_details/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"lms-charity.co.uk"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104975/; classtype:trojan-activity;sid:80968075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=fx-2filfzr6cacyc-2fezuu5gmva5ppda6-2f4ypbdkg9keqxq2fy0wampq5dgitbvop3afldgljvc2q2y5qaakfzyaa-2flh3m-2bsaa1sx5tvc-2bgeuk=_x6nvgqsmdjtrz-2fi1lxxg5hbuoznkovuwmyscvjak64hpeuraqxv67u7vos-2belg3q-2fe2xh3xrqwxeemcsrgmxcsyijw45vbsezk0og9zdgxqq1opg32dnctbxbvotgh1d4mcxbzs4eyy0n0le2xihtuyyftcwvi8fboqemyweyzuzbomhvvessxj8sbgj4us5cq3hjbmqi199b4x8yc4iq89fzth2c2m5rpbzaiaeeqa=/"; http_uri; depth:377; isdataat:!1,relative; content:"u7648241.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104974/; classtype:trojan-activity;sid:80968074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders_details/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"asmm.ro"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104973/; classtype:trojan-activity;sid:80968073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"houara.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104972/; classtype:trojan-activity;sid:80968072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments/01_19/"; http_uri; depth:23; isdataat:!1,relative; content:"pouya-sazane-parseh.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104971/; classtype:trojan-activity;sid:80968071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tmp/amazon/en/clients_messages/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"hitechlink.com.vn"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104970/; classtype:trojan-activity;sid:80968070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/012019/"; http_uri; depth:23; isdataat:!1,relative; content:"www.creationmakessense.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104969/; classtype:trojan-activity;sid:80968069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/01_19/"; http_uri; depth:26; isdataat:!1,relative; content:"maquinadefalaringles.info"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104968/; classtype:trojan-activity;sid:80968068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"www.prolevel.at"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104967/; classtype:trojan-activity;sid:80968067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"raliiletradings.co.za"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104966/; classtype:trojan-activity;sid:80968066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/122018/"; http_uri; depth:17; isdataat:!1,relative; content:"aquasalar.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104965/; classtype:trojan-activity;sid:80968065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://hjsanders.nl/transactions/2019-01|26|c=e,1,czs0n8uqwso1bxdyokrf7k5q-woqtsqdfjlprjzy40pt4lzof-xiwr-yg7fnvpk315knyxzrw_h1u5018bjwwwykc_pqc73rbdpb25ib|26|typo=1/"; http_uri; depth:171; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104964/; classtype:trojan-activity;sid:80968064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_messages/2019-01/"; http_uri; depth:36; isdataat:!1,relative; content:"bluewindservice.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104963/; classtype:trojan-activity;sid:80968063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/2019-01/"; http_uri; depth:27; isdataat:!1,relative; content:"tbssmartcenter.tn"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104962/; classtype:trojan-activity;sid:80968062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kjcgo-4x_yooprafa-oo/iqgz-39o_sx-wr8/invoice/06460/overpayment/en/invoice-for-a/b-01/17/2019/"; http_uri; depth:94; isdataat:!1,relative; content:"swanpark.dothidongsaigon.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104961/; classtype:trojan-activity;sid:80968061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/o.exe"; http_uri; depth:6; isdataat:!1,relative; content:"107.172.3.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104960/; classtype:trojan-activity;sid:80968060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/c.exe"; http_uri; depth:6; isdataat:!1,relative; content:"107.172.3.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104959/; classtype:trojan-activity;sid:80968059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/maxblog/inc/admin/css/sserv.jpg"; http_uri; depth:50; isdataat:!1,relative; content:"zambianstories.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104958/; classtype:trojan-activity;sid:80968058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/envo-magazine/lib/customizer/css/sserv.jpg"; http_uri; depth:61; isdataat:!1,relative; content:"tecnologiaz.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104957/; classtype:trojan-activity;sid:80968057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/genesis/lib/order.hta"; http_uri; depth:40; isdataat:!1,relative; content:"www.nzfoi.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104956/; classtype:trojan-activity;sid:80968056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/e.exe"; http_uri; depth:6; isdataat:!1,relative; content:"107.172.3.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104955/; classtype:trojan-activity;sid:80968055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/envo-magazine/languages/sserv.jpg"; http_uri; depth:52; isdataat:!1,relative; content:"tecnologiaz.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104954/; classtype:trojan-activity;sid:80968054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/envo-magazine/includes/widgets/sserv.jpg"; http_uri; depth:59; isdataat:!1,relative; content:"tecnologiaz.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104953/; classtype:trojan-activity;sid:80968053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/maxblog/inc/admin/css/ssj.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"zambianstories.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104952/; classtype:trojan-activity;sid:80968052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders-details/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"everblessmultipurposecooperative.com"; http_host; depth:36; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104951/; classtype:trojan-activity;sid:80968051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/envo-magazine/template-parts/sserv.jpg"; http_uri; depth:57; isdataat:!1,relative; content:"tecnologiaz.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104950/; classtype:trojan-activity;sid:80968050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/envo-magazine/img/demo/sserv.jpg"; http_uri; depth:51; isdataat:!1,relative; content:"tecnologiaz.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104949/; classtype:trojan-activity;sid:80968049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/envo-magazine/languages/zinf.jpg"; http_uri; depth:51; isdataat:!1,relative; content:"tecnologiaz.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104948/; classtype:trojan-activity;sid:80968048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"glopart.qoiy.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104947/; classtype:trojan-activity;sid:80968047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/2019-01/"; http_uri; depth:37; isdataat:!1,relative; content:"somov-igor.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104946/; classtype:trojan-activity;sid:80968046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders-details/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"weddingstudio.com.my"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104945/; classtype:trojan-activity;sid:80968045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/amazon/clients_messages/01_19/"; http_uri; depth:50; isdataat:!1,relative; content:"mdmshipping.org"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104944/; classtype:trojan-activity;sid:80968044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"eliteseamless.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104943/; classtype:trojan-activity;sid:80968043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"ann141.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104942/; classtype:trojan-activity;sid:80968042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sserv.jpg"; http_uri; depth:10; isdataat:!1,relative; content:"agence.nucleus.odns.fr"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104941/; classtype:trojan-activity;sid:80968041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/chidon/chidon.exe"; http_uri; depth:18; isdataat:!1,relative; content:"jesseworld.eu"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104940/; classtype:trojan-activity;sid:80968040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/2018/"; http_uri; depth:16; isdataat:!1,relative; content:"ybbsshdy.cf"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104939/; classtype:trojan-activity;sid:80968039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/201812/"; http_uri; depth:19; isdataat:!1,relative; content:"test.good-gid.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104938/; classtype:trojan-activity;sid:80968038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/2018/"; http_uri; depth:15; isdataat:!1,relative; content:"catfish.by"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104937/; classtype:trojan-activity;sid:80968037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/ywjlcuyzj9767423/gescanntes-dokument/hilfestellung/"; http_uri; depth:58; isdataat:!1,relative; content:"www.pivmag02.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104936/; classtype:trojan-activity;sid:80968036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/nhnzyryqan0737838/gescanntes-dokument/details/"; http_uri; depth:58; isdataat:!1,relative; content:"www.hopeintlschool.org"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104935/; classtype:trojan-activity;sid:80968035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/cqcufktzj0270182/rechnung/zahlung/"; http_uri; depth:38; isdataat:!1,relative; content:"whitekhamovniki.ru"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104934/; classtype:trojan-activity;sid:80968034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/srrpfeyn0329359/de/rechnungsanschrift/"; http_uri; depth:45; isdataat:!1,relative; content:"kosarhaber.xyz"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104933/; classtype:trojan-activity;sid:80968033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/kghnnuren6892404/scan/doc/"; http_uri; depth:33; isdataat:!1,relative; content:"ibk.co.il"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104932/; classtype:trojan-activity;sid:80968032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/uhuwllx5420831/scan/hilfestellung/"; http_uri; depth:46; isdataat:!1,relative; content:"brahmakumaris.lt"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104931/; classtype:trojan-activity;sid:80968031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/de_de/fbshmtmm4901809/rechnungs-details/rechnung/"; http_uri; depth:61; isdataat:!1,relative; content:"bloggers.swarajyaawards.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104930/; classtype:trojan-activity;sid:80968030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/rpfbuaxai0474083/rechnungskorrektur/rechnung/"; http_uri; depth:52; isdataat:!1,relative; content:"ai-asia.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104929/; classtype:trojan-activity;sid:80968029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/n.exe"; http_uri; depth:6; isdataat:!1,relative; content:"107.172.3.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104928/; classtype:trojan-activity;sid:80968028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wrck6xgo9s/"; http_uri; depth:12; isdataat:!1,relative; content:"kynangtuhoc.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104927/; classtype:trojan-activity;sid:80968027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jw3mayrvk/"; http_uri; depth:11; isdataat:!1,relative; content:"adamallorca.org"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104926/; classtype:trojan-activity;sid:80968026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ryojj06p/"; http_uri; depth:10; isdataat:!1,relative; content:"buyhomecare.net"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104925/; classtype:trojan-activity;sid:80968025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pipk4ilrd/"; http_uri; depth:11; isdataat:!1,relative; content:"www.antique-carpets.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104924/; classtype:trojan-activity;sid:80968024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pbeu786/"; http_uri; depth:9; isdataat:!1,relative; content:"kosardoor.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104923/; classtype:trojan-activity;sid:80968023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_information/012019/"; http_uri; depth:38; isdataat:!1,relative; content:"www.niteshagrico.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104922/; classtype:trojan-activity;sid:80968022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/2019-01/"; http_uri; depth:27; isdataat:!1,relative; content:"btrsecurity.co.uk"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104921/; classtype:trojan-activity;sid:80968021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/messages/012019/"; http_uri; depth:27; isdataat:!1,relative; content:"www.pojbez31.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104920/; classtype:trojan-activity;sid:80968020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/amazon/en/payments_details/01_19/"; http_uri; depth:45; isdataat:!1,relative; content:"childminding.ie"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104919/; classtype:trojan-activity;sid:80968019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_transactions/2019-01/"; http_uri; depth:37; isdataat:!1,relative; content:"jeturnbull.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104918/; classtype:trojan-activity;sid:80968018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"www.id14.good-gid.ru"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104917/; classtype:trojan-activity;sid:80968017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"id14.good-gid.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104916/; classtype:trojan-activity;sid:80968016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"blindzestates.co.uk"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104915/; classtype:trojan-activity;sid:80968015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/amazon/information/2019-01/"; http_uri; depth:37; isdataat:!1,relative; content:"ytewporgdy.cf"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104914/; classtype:trojan-activity;sid:80968014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transaction_details/012019/"; http_uri; depth:38; isdataat:!1,relative; content:"yxchczdy.cf"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104913/; classtype:trojan-activity;sid:80968013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/amazon/orders_details/012019/"; http_uri; depth:39; isdataat:!1,relative; content:"ldztmdy.cf"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104912/; classtype:trojan-activity;sid:80968012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/index"; http_uri; depth:6; isdataat:!1,relative; content:"fm.centeredinself.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104911/; classtype:trojan-activity;sid:80968011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/bulk/img/sserv.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"cccb-dz.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104910/; classtype:trojan-activity;sid:80968010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/smartshooterpro/functions/css/sserv.jpg"; http_uri; depth:58; isdataat:!1,relative; content:"wvaljssp.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104909/; classtype:trojan-activity;sid:80968009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/smartshooterpro/js/sserv.jpg"; http_uri; depth:47; isdataat:!1,relative; content:"wvaljssp.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104908/; classtype:trojan-activity;sid:80968008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/sserv.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"myphamhanbok.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104907/; classtype:trojan-activity;sid:80968007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/smartshooterpro/functions/css/ssj.jpg"; http_uri; depth:56; isdataat:!1,relative; content:"wvaljssp.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104906/; classtype:trojan-activity;sid:80968006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sites/default/files/jbkgiodo_uxnlb4d6_wix/"; http_uri; depth:43; isdataat:!1,relative; content:"www.shengen.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104905/; classtype:trojan-activity;sid:80968005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dfi5jgz_wjwyzgt/"; http_uri; depth:17; isdataat:!1,relative; content:"www.biometricsystems.ru"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104904/; classtype:trojan-activity;sid:80968004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iyqdsd_mviujo_jlyb/"; http_uri; depth:20; isdataat:!1,relative; content:"otkachka.novosibirsk.ru"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104903/; classtype:trojan-activity;sid:80968003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xzmpgnb_wymswenq_ugnzr/"; http_uri; depth:24; isdataat:!1,relative; content:"www.klussen-gids.nl"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104902/; classtype:trojan-activity;sid:80968002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/id3/sserv.jpg"; http_uri; depth:26; isdataat:!1,relative; content:"myphamhanbok.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104901/; classtype:trojan-activity;sid:80968001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/smartshooterpro/css/button-image/sserv.jpg"; http_uri; depth:61; isdataat:!1,relative; content:"wvaljssp.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104900/; classtype:trojan-activity;sid:80968000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/bulk/img/ssj.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"cccb-dz.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104899/; classtype:trojan-activity;sid:80967999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/contact/txbfcqppiu3525240/ger/doc/"; http_uri; depth:35; isdataat:!1,relative; content:"indigo-office.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104898/; classtype:trojan-activity;sid:80967998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/nvbbhbk9881944/scan/form/"; http_uri; depth:37; isdataat:!1,relative; content:"yhricjpdy.cf"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104897/; classtype:trojan-activity;sid:80967997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kuhl.exe"; http_uri; depth:9; isdataat:!1,relative; content:"cloudresemblao.top"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104896/; classtype:trojan-activity;sid:80967996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/ssj.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"myphamhanbok.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104895/; classtype:trojan-activity;sid:80967995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/bulk/languages/ssj.jpg"; http_uri; depth:41; isdataat:!1,relative; content:"cccb-dz.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104894/; classtype:trojan-activity;sid:80967994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/smartshooterpro/js/ssj.jpg"; http_uri; depth:45; isdataat:!1,relative; content:"wvaljssp.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104893/; classtype:trojan-activity;sid:80967993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/piktam3u/"; http_uri; depth:10; isdataat:!1,relative; content:"awaken-hda.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104892/; classtype:trojan-activity;sid:80967992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zjrvnhdg/"; http_uri; depth:10; isdataat:!1,relative; content:"leblogdemimi.theophraste.net"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104891/; classtype:trojan-activity;sid:80967991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/g5hhloye3/"; http_uri; depth:11; isdataat:!1,relative; content:"mabruuk.ridvxn.site"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104890/; classtype:trojan-activity;sid:80967990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bnrouz3/"; http_uri; depth:9; isdataat:!1,relative; content:"staff.pelfberry.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104889/; classtype:trojan-activity;sid:80967989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lrbn7ad/"; http_uri; depth:9; isdataat:!1,relative; content:"deryaabiye.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104888/; classtype:trojan-activity;sid:80967988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/xlxpdrqboe9525605/bestellungen/rechnungszahlung/"; http_uri; depth:52; isdataat:!1,relative; content:"www.gazenap.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104887/; classtype:trojan-activity;sid:80967987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/atezsrmper2853602/rechnungs-details/hilfestellung/"; http_uri; depth:51; isdataat:!1,relative; content:"www.translampung.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104886/; classtype:trojan-activity;sid:80967986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/qsfeotayd0755259/de/rechnung/"; http_uri; depth:36; isdataat:!1,relative; content:"wiseon.by"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104885/; classtype:trojan-activity;sid:80967985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/de/ypuirits8096504/de/doc-dokument/"; http_uri; depth:47; isdataat:!1,relative; content:"komsima.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104884/; classtype:trojan-activity;sid:80967984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/thfzeyh8690665/rechnungs-details/rechnungszahlung/"; http_uri; depth:62; isdataat:!1,relative; content:"phase5.tppoffshore.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104883/; classtype:trojan-activity;sid:80967983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/bixnllywvf0213725/gescanntes-dokument/zahlung/"; http_uri; depth:58; isdataat:!1,relative; content:"turbineblog.ir"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104882/; classtype:trojan-activity;sid:80967982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/nzkyymm3444875/scan/rech/"; http_uri; depth:37; isdataat:!1,relative; content:"diederich.lu"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104881/; classtype:trojan-activity;sid:80967981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/blog/cache/sserv.jpg"; http_uri; depth:21; isdataat:!1,relative; content:"epifaniacr.net"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104880/; classtype:trojan-activity;sid:80967980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a/payload.exe"; http_uri; depth:14; isdataat:!1,relative; content:"eitchendie.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104879/; classtype:trojan-activity;sid:80967979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rasy.jpg"; http_uri; depth:9; isdataat:!1,relative; content:"epifaniacr.net"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104878/; classtype:trojan-activity;sid:80967978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/2018/"; http_uri; depth:16; isdataat:!1,relative; content:"allopizzanuit.fr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104877/; classtype:trojan-activity;sid:80967977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/rechnung/dez2018/"; http_uri; depth:37; isdataat:!1,relative; content:"aztel.ca"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104876/; classtype:trojan-activity;sid:80967976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/122018/"; http_uri; depth:20; isdataat:!1,relative; content:"detigsis.nichost.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104875/; classtype:trojan-activity;sid:80967975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/2018/"; http_uri; depth:18; isdataat:!1,relative; content:"fbroz.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104874/; classtype:trojan-activity;sid:80967974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/2018/"; http_uri; depth:18; isdataat:!1,relative; content:"mskala2.rise-up.nsk.ru"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104873/; classtype:trojan-activity;sid:80967973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/201812/"; http_uri; depth:20; isdataat:!1,relative; content:"agentfox.io"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104872/; classtype:trojan-activity;sid:80967972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/build/aps/transaktion/201812/"; http_uri; depth:30; isdataat:!1,relative; content:"crm.tigmagrue.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104871/; classtype:trojan-activity;sid:80967971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/daron/js/sserv.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"byasawritten.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104870/; classtype:trojan-activity;sid:80967970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/4.exe"; http_uri; depth:6; isdataat:!1,relative; content:"185.61.148.235"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104869/; classtype:trojan-activity;sid:80967969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3.exe"; http_uri; depth:6; isdataat:!1,relative; content:"185.61.148.235"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104868/; classtype:trojan-activity;sid:80967968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/5.exe"; http_uri; depth:6; isdataat:!1,relative; content:"185.61.148.235"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104867/; classtype:trojan-activity;sid:80967967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/daron/js/ssj.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"byasawritten.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104866/; classtype:trojan-activity;sid:80967966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/12f48b1a-a1ba-4ddc-9ace-310b1ec48f6b/downloads/0fd3ce0c-900e-4912-b597-e6cef4da5c8a/betabot.exesignature=i9tuuuhlqmbaxjdlkoeocmgzlvy%3d|26|expires=1547725023|26|awsaccesskeyid=akiaiqwxw6wlxmb5qzaq|26|versionid=zy1sclxaqim2ew3czywo7wvkpxo3vpjc|26|response-content-disposition=attachment%3b%20filename%3d%22betabot.exe%22"; http_uri; depth:320; isdataat:!1,relative; content:"bbuseruploads.s3.amazonaws.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104865/; classtype:trojan-activity;sid:80967965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/12f48b1a-a1ba-4ddc-9ace-310b1ec48f6b/downloads/03de62a0-c933-4763-af45-f76b1274447b/azor_kas.exesignature=0v074hpzfjunmlojewhvwzr4u0y%3d|26|expires=1547724682|26|awsaccesskeyid=akiaiqwxw6wlxmb5qzaq|26|versionid=sxvqsqw8ikd.ie5_kiuddmramwlpmbkb|26|response-content-disposition=attachment%3b%20filename%3d%22azor_kas.exe%22"; http_uri; depth:322; isdataat:!1,relative; content:"bbuseruploads.s3.amazonaws.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104864/; classtype:trojan-activity;sid:80967964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/12f48b1a-a1ba-4ddc-9ace-310b1ec48f6b/downloads/a88d5da4-e34f-49d9-9c8f-f1576e65844b/bin.exesignature=ilbhrxqfodu36rc7xziy5s9vtto%3d|26|expires=1547724674|26|awsaccesskeyid=akiaiqwxw6wlxmb5qzaq|26|versionid=ygednlr3gkvc9bkfrgrsowc8pfk.awza|26|response-content-disposition=attachment%3b%20filename%3d%22bin.exe%22"; http_uri; depth:312; isdataat:!1,relative; content:"bbuseruploads.s3.amazonaws.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104863/; classtype:trojan-activity;sid:80967963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/12f48b1a-a1ba-4ddc-9ace-310b1ec48f6b/downloads/2b4f3b85-258c-482c-88e8-12a7f4393f7e/arkei.exesignature=oxv6voek8nuc3psrznyf%2fahpz4a%3d|26|expires=1547724697|26|awsaccesskeyid=akiaiqwxw6wlxmb5qzaq|26|versionid=nniqfgh.ruosq3_jotmvxofr529yotxy|26|response-content-disposition=attachment%3b%20filename%3d%22arkei.exe%22"; http_uri; depth:318; isdataat:!1,relative; content:"bbuseruploads.s3.amazonaws.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104862/; classtype:trojan-activity;sid:80967962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/12f48b1a-a1ba-4ddc-9ace-310b1ec48f6b/downloads/2f71745e-cf35-4d37-9c46-491056252daa/delclipper.exesignature=hzebvxodvvyu4rm9uvpvuy04hfa%3d|26|expires=1547724693|26|awsaccesskeyid=akiaiqwxw6wlxmb5qzaq|26|versionid=fxdc.xe9gwz46hznysojohhoxavurhf0|26|response-content-disposition=attachment%3b%20filename%3d%22delclipper.exe%22"; http_uri; depth:326; isdataat:!1,relative; content:"bbuseruploads.s3.amazonaws.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104861/; classtype:trojan-activity;sid:80967961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/12f48b1a-a1ba-4ddc-9ace-310b1ec48f6b/downloads/6f563873-15ee-468a-963c-db55a58d3c9c/betabotkas.exesignature=gdqnralwhveftqtdsri62lt6n4a%3d|26|expires=1547724678|26|awsaccesskeyid=akiaiqwxw6wlxmb5qzaq|26|versionid=htnbcwgf1x8g66tof0fdmfcvqntq8j6s|26|response-content-disposition=attachment%3b%20filename%3d%22betabotkas.exe%22"; http_uri; depth:326; isdataat:!1,relative; content:"bbuseruploads.s3.amazonaws.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104860/; classtype:trojan-activity;sid:80967960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/studioisolabella/html/com_content/article/sserv.jpg"; http_uri; depth:62; isdataat:!1,relative; content:"studioisolabella.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104859/; classtype:trojan-activity;sid:80967959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/mod_ariimageslidersa/ssj.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"megahaliyikama.net"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104858/; classtype:trojan-activity;sid:80967958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/sqakkawhl9759904/gescanntes-dokument/doc-dokument/"; http_uri; depth:57; isdataat:!1,relative; content:"arneck-rescue.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104857/; classtype:trojan-activity;sid:80967957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/xlaqvve1218218/rechnungs-details/doc-dokument/"; http_uri; depth:53; isdataat:!1,relative; content:"www.zsz-spb.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104856/; classtype:trojan-activity;sid:80967956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/pjjkbngpl4179974/rechnungs/rech/"; http_uri; depth:44; isdataat:!1,relative; content:"uborka-snega.spectehnika.novosibirsk.ru"; http_host; depth:39; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104855/; classtype:trojan-activity;sid:80967955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/anxo-vx_zxbkbthko-ib/southwire/jij98549938/en_us/0-past-due-invoices/"; http_uri; depth:70; isdataat:!1,relative; content:"shantiniketangranthalay.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104854/; classtype:trojan-activity;sid:80967954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/bzghgbyn0416596/rechnung/rech/"; http_uri; depth:42; isdataat:!1,relative; content:"www.jenfu.net"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104853/; classtype:trojan-activity;sid:80967953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/yorlxcgrt7399568/de_de/rechnung/"; http_uri; depth:39; isdataat:!1,relative; content:"northernmineral.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104852/; classtype:trojan-activity;sid:80967952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/mzkepjmqub4331974/de_de/details/"; http_uri; depth:36; isdataat:!1,relative; content:"vaytiencaptoc.info"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104851/; classtype:trojan-activity;sid:80967951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/sujjfuxmn8979704/ger/rechnung/"; http_uri; depth:37; isdataat:!1,relative; content:"www.rent2buyproperties.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104850/; classtype:trojan-activity;sid:80967950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/nmrvhbt6753348/rechnungs-details/rech/"; http_uri; depth:45; isdataat:!1,relative; content:"realaser.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104849/; classtype:trojan-activity;sid:80967949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/aueankcvdr7541948/rechnung/zahlung/"; http_uri; depth:42; isdataat:!1,relative; content:"www.mir-krovli62.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104848/; classtype:trojan-activity;sid:80967948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/axfytnvc5943928/rechnungskorrektur/details/"; http_uri; depth:55; isdataat:!1,relative; content:"salonrocket.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104847/; classtype:trojan-activity;sid:80967947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/upgrade/de_de/tlcdxburhx7279875/de/rechnung/"; http_uri; depth:56; isdataat:!1,relative; content:"mhnew.enabledware.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104846/; classtype:trojan-activity;sid:80967946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mnmoaejvcr8072449/rechnungs/details/"; http_uri; depth:37; isdataat:!1,relative; content:"skylife.vn"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104845/; classtype:trojan-activity;sid:80967945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/erfwnk4331717/rechnung/rechnung/"; http_uri; depth:39; isdataat:!1,relative; content:"iuphilippines.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104844/; classtype:trojan-activity;sid:80967944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/stdadi7333419/rechnungs/fakturierung/"; http_uri; depth:41; isdataat:!1,relative; content:"sandau.biz"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104843/; classtype:trojan-activity;sid:80967943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/qfuxyemg9304256/rechnungs-docs/rechnungsanschrift/"; http_uri; depth:57; isdataat:!1,relative; content:"www.salonbellasa.sk"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104842/; classtype:trojan-activity;sid:80967942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mh-magazine-lite/js/ssj.jpg"; http_uri; depth:46; isdataat:!1,relative; content:"drwava.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104841/; classtype:trojan-activity;sid:80967941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/docs/cache/0b632ea269f5847062dd887187209838/http://www.louiseyclarke.com/docs/j1a6bh.php16a8ee=paid-dating-sites-in-usa"; http_uri; depth:120; isdataat:!1,relative; content:"louiseyclarke.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104840/; classtype:trojan-activity;sid:80967940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/12f48b1a-a1ba-4ddc-9ace-310b1ec48f6b/downloads/a82aea2f-d076-4e1d-8fcb-8b79898a85be/kas919.exesignature=8gqnlnixtn40dyz9kpkxenncni0%3d|26|expires=1547725024|26|awsaccesskeyid=akiaiqwxw6wlxmb5qzaq|26|versionid=ft24jaolcop3da_7_ev5xcguooyhq0mq|26|response-content-disposition=attachment%3b%20filename%3d%22kas919.exe%22"; http_uri; depth:318; isdataat:!1,relative; content:"bbuseruploads.s3.amazonaws.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104839/; classtype:trojan-activity;sid:80967939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/rechnungen/2018/"; http_uri; depth:27; isdataat:!1,relative; content:"toetjesfee.insol.be"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104838/; classtype:trojan-activity;sid:80967938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/rechnungen/122018/"; http_uri; depth:28; isdataat:!1,relative; content:"viettelbaoloc.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104837/; classtype:trojan-activity;sid:80967937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mh-magazine-lite/js/sserv.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"drwava.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104836/; classtype:trojan-activity;sid:80967936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/studioisolabella/fonts/sserv.jpg"; http_uri; depth:43; isdataat:!1,relative; content:"studioisolabella.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104835/; classtype:trojan-activity;sid:80967935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mh-magazine-lite/includes/widgets/ssj.jpg"; http_uri; depth:60; isdataat:!1,relative; content:"drwava.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104834/; classtype:trojan-activity;sid:80967934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/studioisolabella/html/com_content/article/ssj.jpg"; http_uri; depth:60; isdataat:!1,relative; content:"studioisolabella.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104833/; classtype:trojan-activity;sid:80967933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/docs/cache/ssj.jpg"; http_uri; depth:19; isdataat:!1,relative; content:"louiseyclarke.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104832/; classtype:trojan-activity;sid:80967932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/iconic-one-pro/js/ssj.jpg"; http_uri; depth:44; isdataat:!1,relative; content:"hotelus.xyz"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104831/; classtype:trojan-activity;sid:80967931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentynineteen/template-parts/content/ssj.jpg"; http_uri; depth:64; isdataat:!1,relative; content:"storetoscore.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104830/; classtype:trojan-activity;sid:80967930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/id3/ssj.jpg"; http_uri; depth:24; isdataat:!1,relative; content:"menderesbalabankirdugunsalonu.com"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104829/; classtype:trojan-activity;sid:80967929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/css/colors/blue/ssj.jpg"; http_uri; depth:33; isdataat:!1,relative; content:"bhplazatravel.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104828/; classtype:trojan-activity;sid:80967928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/divi/core/admin/css/ssj.jpg"; http_uri; depth:46; isdataat:!1,relative; content:"greencoach.life"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104827/; classtype:trojan-activity;sid:80967927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/ai1wm-backups/ssj.jpg"; http_uri; depth:33; isdataat:!1,relative; content:"eminyhr.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104826/; classtype:trojan-activity;sid:80967926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyseventeen/template-parts/footer/ssj.jpg"; http_uri; depth:64; isdataat:!1,relative; content:"miceeventsint.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104825/; classtype:trojan-activity;sid:80967925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kas919/supische/downloads/arkei.exe"; http_uri; depth:36; isdataat:!1,relative; content:"bitbucket.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104824/; classtype:trojan-activity;sid:80967924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kas919/supische/downloads/delclipper.exe"; http_uri; depth:41; isdataat:!1,relative; content:"bitbucket.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104823/; classtype:trojan-activity;sid:80967923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kas919/supische/downloads/kas919.exe"; http_uri; depth:37; isdataat:!1,relative; content:"bitbucket.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104822/; classtype:trojan-activity;sid:80967922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kas919/supische/downloads/betabot.exe"; http_uri; depth:38; isdataat:!1,relative; content:"bitbucket.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104821/; classtype:trojan-activity;sid:80967921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kas919/supische/downloads/azor_kas.exe"; http_uri; depth:39; isdataat:!1,relative; content:"bitbucket.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104820/; classtype:trojan-activity;sid:80967920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kas919/supische/downloads/betabotkas.exe"; http_uri; depth:41; isdataat:!1,relative; content:"bitbucket.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104819/; classtype:trojan-activity;sid:80967919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kas919/supische/downloads/bin.exe"; http_uri; depth:34; isdataat:!1,relative; content:"bitbucket.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104818/; classtype:trojan-activity;sid:80967918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kas919/supische/downloads/arkk.exe"; http_uri; depth:35; isdataat:!1,relative; content:"bitbucket.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104817/; classtype:trojan-activity;sid:80967917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kas919/supische/downloads/hvnc.exe"; http_uri; depth:35; isdataat:!1,relative; content:"bitbucket.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104816/; classtype:trojan-activity;sid:80967916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/plugins/actionlog/advancedmodules/language/en-gb/ssj.jpg"; http_uri; depth:57; isdataat:!1,relative; content:"megahaliyikama.net"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104815/; classtype:trojan-activity;sid:80967915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/kentha/woocommerce-helpers/ssj.jpg"; http_uri; depth:53; isdataat:!1,relative; content:"theroarradio.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104814/; classtype:trojan-activity;sid:80967914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/mh-magazine-lite/js/ssj.jpg"; http_uri; depth:46; isdataat:!1,relative; content:"jobssa.org"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104813/; classtype:trojan-activity;sid:80967913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/chiz/option.exe"; http_uri; depth:16; isdataat:!1,relative; content:"bellstonehitech.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104812/; classtype:trojan-activity;sid:80967912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/img/joibr.jpg"; http_uri; depth:14; isdataat:!1,relative; content:"nextserv.pl"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104810/; classtype:trojan-activity;sid:80967910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/img/jswp.jpg"; http_uri; depth:13; isdataat:!1,relative; content:"nextserv.pl"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104811/; classtype:trojan-activity;sid:80967911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bcabyiw/"; http_uri; depth:9; isdataat:!1,relative; content:"www.divametalart.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104809/; classtype:trojan-activity;sid:80967909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eh7gvcp01x/"; http_uri; depth:12; isdataat:!1,relative; content:"fiscaldopovo.online"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104808/; classtype:trojan-activity;sid:80967908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/t9ez9ax/"; http_uri; depth:9; isdataat:!1,relative; content:"seedsofhope.wtmserver.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104807/; classtype:trojan-activity;sid:80967907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/oyqcjeyrp/"; http_uri; depth:11; isdataat:!1,relative; content:"kleveremart.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104806/; classtype:trojan-activity;sid:80967906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/9poqela/"; http_uri; depth:9; isdataat:!1,relative; content:"usmlemasters.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104805/; classtype:trojan-activity;sid:80967905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/img/liwx.jpg"; http_uri; depth:13; isdataat:!1,relative; content:"nextserv.pl"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104804/; classtype:trojan-activity;sid:80967904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/dez2018/"; http_uri; depth:21; isdataat:!1,relative; content:"www.srooooiva.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104803/; classtype:trojan-activity;sid:80967903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/201812/"; http_uri; depth:19; isdataat:!1,relative; content:"eminencewomensforum.org"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104802/; classtype:trojan-activity;sid:80967902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/dez2018/"; http_uri; depth:21; isdataat:!1,relative; content:"xn--90aeb9ae9a.xn--p1ai"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104801/; classtype:trojan-activity;sid:80967901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/01_19/"; http_uri; depth:26; isdataat:!1,relative; content:"trottmyworld.ch"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104800/; classtype:trojan-activity;sid:80967900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/201812/"; http_uri; depth:20; isdataat:!1,relative; content:"www.euk.lt"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104799/; classtype:trojan-activity;sid:80967899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/2018/"; http_uri; depth:15; isdataat:!1,relative; content:"www.kamprotect.ru"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104798/; classtype:trojan-activity;sid:80967898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/201812/"; http_uri; depth:18; isdataat:!1,relative; content:"antoine-maubon.fr"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104797/; classtype:trojan-activity;sid:80967897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/don12089.hta"; http_uri; depth:18; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104796/; classtype:trojan-activity;sid:80967896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/temp/tuferwt.exe"; http_uri; depth:17; isdataat:!1,relative; content:"mithramdirectory.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104795/; classtype:trojan-activity;sid:80967895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/sserv.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"k-investigations.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104794/; classtype:trojan-activity;sid:80967894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1.exe"; http_uri; depth:6; isdataat:!1,relative; content:"92.63.197.153"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104793/; classtype:trojan-activity;sid:80967893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jubajeo.exe"; http_uri; depth:12; isdataat:!1,relative; content:"froidfond-stejeannedarc.fr"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104792/; classtype:trojan-activity;sid:80967892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/ssj.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"tracker-activite.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104791/; classtype:trojan-activity;sid:80967891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/ai1wm-backups/ssj.jpg"; http_uri; depth:33; isdataat:!1,relative; content:"happysunfellbach.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104790/; classtype:trojan-activity;sid:80967890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/hotel-luxury/template-parts/ssj.jpg"; http_uri; depth:54; isdataat:!1,relative; content:"okroi.net"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104789/; classtype:trojan-activity;sid:80967889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/sketch/sptr.exe"; http_uri; depth:34; isdataat:!1,relative; content:"advavoltiberica.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104788/; classtype:trojan-activity;sid:80967888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/ssj.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"pluie-d-etoiles.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104787/; classtype:trojan-activity;sid:80967887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/s/1.exe"; http_uri; depth:8; isdataat:!1,relative; content:"92.63.197.153"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104786/; classtype:trojan-activity;sid:80967886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mcdonalds.exe"; http_uri; depth:14; isdataat:!1,relative; content:"92.63.197.153"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104785/; classtype:trojan-activity;sid:80967885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/omdamb0840381/scan/rechnungszahlung"; http_uri; depth:47; isdataat:!1,relative; content:"www.bbhdata.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104784/; classtype:trojan-activity;sid:80967884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.x86"; http_uri; depth:14; isdataat:!1,relative; content:"104.168.132.46"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104783/; classtype:trojan-activity;sid:80967883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/css/msgyoungboss.exe"; http_uri; depth:21; isdataat:!1,relative; content:"gulfexpresshome.co"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104782/; classtype:trojan-activity;sid:80967882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/americanpetit.exe"; http_uri; depth:24; isdataat:!1,relative; content:"gulfexpresshome.co"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104781/; classtype:trojan-activity;sid:80967881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cted.exe"; http_uri; depth:9; isdataat:!1,relative; content:"www.beautymakeup.ca"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104780/; classtype:trojan-activity;sid:80967880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vbss.hta"; http_uri; depth:9; isdataat:!1,relative; content:"www.beautymakeup.ca"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104779/; classtype:trojan-activity;sid:80967879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/650890977.exe"; http_uri; depth:19; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104778/; classtype:trojan-activity;sid:80967878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/sketch/css/l/dom.msi"; http_uri; depth:39; isdataat:!1,relative; content:"www.mensajerosatiempo.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104777/; classtype:trojan-activity;sid:80967877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/sketch/css/l/baba.msi"; http_uri; depth:40; isdataat:!1,relative; content:"www.mensajerosatiempo.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104776/; classtype:trojan-activity;sid:80967876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/01/807113850.jpg"; http_uri; depth:17; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104775/; classtype:trojan-activity;sid:80967875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/mammez_output5092460.exe"; http_uri; depth:30; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104774/; classtype:trojan-activity;sid:80967874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ob1/fdts00674978_order_17012019.exe"; http_uri; depth:36; isdataat:!1,relative; content:"mmaisok.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104773/; classtype:trojan-activity;sid:80967873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1.exe"; http_uri; depth:6; isdataat:!1,relative; content:"185.61.148.235"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104772/; classtype:trojan-activity;sid:80967872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/store/catsrvut.exe"; http_uri; depth:26; isdataat:!1,relative; content:"185.193.115.228"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104771/; classtype:trojan-activity;sid:80967871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/sketch/css/l/word.doc"; http_uri; depth:40; isdataat:!1,relative; content:"www.mensajerosatiempo.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104770/; classtype:trojan-activity;sid:80967870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/css/ablegodshowerurblessing.exe"; http_uri; depth:32; isdataat:!1,relative; content:"gulfexpresshome.co"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104769/; classtype:trojan-activity;sid:80967869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nut"; http_uri; depth:4; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104768/; classtype:trojan-activity;sid:80967868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftp"; http_uri; depth:4; isdataat:!1,relative; content:"193.37.214.15"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104767/; classtype:trojan-activity;sid:80967867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104766/; classtype:trojan-activity;sid:80967866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"193.37.214.15"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104765/; classtype:trojan-activity;sid:80967865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mips"; http_uri; depth:12; isdataat:!1,relative; content:"217.61.112.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104764/; classtype:trojan-activity;sid:80967864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.mips"; http_uri; depth:19; isdataat:!1,relative; content:"205.185.120.227"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104763/; classtype:trojan-activity;sid:80967863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.arm5"; http_uri; depth:19; isdataat:!1,relative; content:"205.185.120.227"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104762/; classtype:trojan-activity;sid:80967862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftp"; http_uri; depth:4; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104761/; classtype:trojan-activity;sid:80967861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.x86"; http_uri; depth:18; isdataat:!1,relative; content:"205.185.120.227"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104760/; classtype:trojan-activity;sid:80967860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/armv5l"; http_uri; depth:16; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104759/; classtype:trojan-activity;sid:80967859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/powerpc"; http_uri; depth:17; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104758/; classtype:trojan-activity;sid:80967858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntpd"; http_uri; depth:5; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104757/; classtype:trojan-activity;sid:80967857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.i586"; http_uri; depth:12; isdataat:!1,relative; content:"217.61.112.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104756/; classtype:trojan-activity;sid:80967856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntpd"; http_uri; depth:5; isdataat:!1,relative; content:"193.37.214.15"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104755/; classtype:trojan-activity;sid:80967855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.147.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104754/; classtype:trojan-activity;sid:80967854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.mpsl"; http_uri; depth:19; isdataat:!1,relative; content:"205.185.120.227"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104753/; classtype:trojan-activity;sid:80967853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/armv4tl"; http_uri; depth:17; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104752/; classtype:trojan-activity;sid:80967852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ob2/payment_advice_dbs00975.exe"; http_uri; depth:32; isdataat:!1,relative; content:"mmaisok.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104751/; classtype:trojan-activity;sid:80967851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/js/widgets/pay.hta"; http_uri; depth:28; isdataat:!1,relative; content:"www.nzfoi.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104750/; classtype:trojan-activity;sid:80967850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/armv6l"; http_uri; depth:16; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104749/; classtype:trojan-activity;sid:80967849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wget"; http_uri; depth:5; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104748/; classtype:trojan-activity;sid:80967848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"193.37.214.15"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104747/; classtype:trojan-activity;sid:80967847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.x86"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.147.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104746/; classtype:trojan-activity;sid:80967846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104745/; classtype:trojan-activity;sid:80967845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.m68k"; http_uri; depth:12; isdataat:!1,relative; content:"217.61.112.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104744/; classtype:trojan-activity;sid:80967844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104743/; classtype:trojan-activity;sid:80967843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apache2"; http_uri; depth:8; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104742/; classtype:trojan-activity;sid:80967842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.ppc"; http_uri; depth:18; isdataat:!1,relative; content:"205.185.120.227"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104741/; classtype:trojan-activity;sid:80967841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.147.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104740/; classtype:trojan-activity;sid:80967840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apache2"; http_uri; depth:8; isdataat:!1,relative; content:"193.37.214.15"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104739/; classtype:trojan-activity;sid:80967839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/x86_64"; http_uri; depth:16; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104738/; classtype:trojan-activity;sid:80967838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x86"; http_uri; depth:11; isdataat:!1,relative; content:"217.61.112.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104737/; classtype:trojan-activity;sid:80967837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/mips"; http_uri; depth:14; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104736/; classtype:trojan-activity;sid:80967836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.arm7"; http_uri; depth:19; isdataat:!1,relative; content:"205.185.120.227"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104735/; classtype:trojan-activity;sid:80967835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/powerpc440fp"; http_uri; depth:22; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104734/; classtype:trojan-activity;sid:80967834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.sh4"; http_uri; depth:18; isdataat:!1,relative; content:"205.185.120.227"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104733/; classtype:trojan-activity;sid:80967833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.mips"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.147.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104732/; classtype:trojan-activity;sid:80967832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tftp"; http_uri; depth:5; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104731/; classtype:trojan-activity;sid:80967831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.ppc"; http_uri; depth:11; isdataat:!1,relative; content:"217.61.112.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104730/; classtype:trojan-activity;sid:80967830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104729/; classtype:trojan-activity;sid:80967829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/armv4l"; http_uri; depth:16; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104728/; classtype:trojan-activity;sid:80967828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104727/; classtype:trojan-activity;sid:80967827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"217.61.112.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104726/; classtype:trojan-activity;sid:80967826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"193.37.214.15"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104725/; classtype:trojan-activity;sid:80967825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"157.230.80.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104724/; classtype:trojan-activity;sid:80967824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.147.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104723/; classtype:trojan-activity;sid:80967823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/watchdog"; http_uri; depth:9; isdataat:!1,relative; content:"193.37.214.15"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104722/; classtype:trojan-activity;sid:80967822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mpsl"; http_uri; depth:12; isdataat:!1,relative; content:"217.61.112.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104721/; classtype:trojan-activity;sid:80967821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.arm6"; http_uri; depth:19; isdataat:!1,relative; content:"205.185.120.227"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104720/; classtype:trojan-activity;sid:80967820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.arm"; http_uri; depth:18; isdataat:!1,relative; content:"205.185.120.227"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104719/; classtype:trojan-activity;sid:80967819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/67710039.exe"; http_uri; depth:18; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104718/; classtype:trojan-activity;sid:80967818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bidtfb.hta"; http_uri; depth:11; isdataat:!1,relative; content:"a.uchi.moe"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104717/; classtype:trojan-activity;sid:80967817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/podmlrtcuw7550065/rechnungs/rech/"; http_uri; depth:40; isdataat:!1,relative; content:"www.lineageforum.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104716/; classtype:trojan-activity;sid:80967816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/01_19/"; http_uri; depth:25; isdataat:!1,relative; content:"fieldscollege.co.za"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104715/; classtype:trojan-activity;sid:80967815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/fycxhtdb3652329/gescanntes-dokument/doc-dokument/"; http_uri; depth:56; isdataat:!1,relative; content:"www.muzikgunlugu.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104714/; classtype:trojan-activity;sid:80967814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"eetstoelbaby.koffie-bekers.nl"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104713/; classtype:trojan-activity;sid:80967813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apzst-9mdhw_cx-ju/invoices/79588/11360/us_us/document-needed/"; http_uri; depth:62; isdataat:!1,relative; content:"ray-beta.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104712/; classtype:trojan-activity;sid:80967812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"www.us-trans.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104709/; classtype:trojan-activity;sid:80967809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/czduuype0757395/rechnungs/fakturierung/"; http_uri; depth:43; isdataat:!1,relative; content:"fungryfood.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104697/; classtype:trojan-activity;sid:80967797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kqry-eeq_c-ci/ach/paymentadvice/en/invoices-attached/"; http_uri; depth:54; isdataat:!1,relative; content:"rentalagreement.aartimkarande.in"; http_host; depth:32; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104696/; classtype:trojan-activity;sid:80967796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arxfhcfhpj6673068/bestellungen/doc/"; http_uri; depth:36; isdataat:!1,relative; content:"wikiprojet.fr"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104695/; classtype:trojan-activity;sid:80967795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/liivo-gn_k-mtw/invoices/83990/9270/en_en/past-due-invoice/"; http_uri; depth:59; isdataat:!1,relative; content:"modern-autoparts.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104693/; classtype:trojan-activity;sid:80967793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/iprxqnxppm4929999/de/doc/"; http_uri; depth:32; isdataat:!1,relative; content:"www.clubdirectors.tv"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104690/; classtype:trojan-activity;sid:80967790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/rnyoseb6954540/dokumente/doc/"; http_uri; depth:41; isdataat:!1,relative; content:"www.webbs.cl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104689/; classtype:trojan-activity;sid:80967789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/site/cache/ajax_login_form/qony-f1_myeyk-dvz/xc09/invoicing/en_us/outstanding-invoices/"; http_uri; depth:88; isdataat:!1,relative; content:"megatramtg.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104688/; classtype:trojan-activity;sid:80967788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lufke-b4_fxmjudihv-viu/ref/393742266us/invoice-38700138-january/"; http_uri; depth:65; isdataat:!1,relative; content:"www.bauburo.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104687/; classtype:trojan-activity;sid:80967787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/dcfydkpt8398668/gescanntes-dokument/form/"; http_uri; depth:45; isdataat:!1,relative; content:"www.eurolinecars.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104681/; classtype:trojan-activity;sid:80967781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"dhgl.vn"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104679/; classtype:trojan-activity;sid:80967779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/wtkmmb3205155/rechnung/zahlungserinnerung/"; http_uri; depth:49; isdataat:!1,relative; content:"morozan.it"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104678/; classtype:trojan-activity;sid:80967778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/85102031.exe"; http_uri; depth:18; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104677/; classtype:trojan-activity;sid:80967777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/cy4509report.hta"; http_uri; depth:22; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104676/; classtype:trojan-activity;sid:80967776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a/catsrvuts.exe"; http_uri; depth:16; isdataat:!1,relative; content:"eitchendie.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104675/; classtype:trojan-activity;sid:80967775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/store/zul.exe"; http_uri; depth:21; isdataat:!1,relative; content:"185.193.115.228"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104674/; classtype:trojan-activity;sid:80967774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/sparc"; http_uri; depth:15; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104673/; classtype:trojan-activity;sid:80967773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/i486"; http_uri; depth:14; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104672/; classtype:trojan-activity;sid:80967772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/i586"; http_uri; depth:14; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104671/; classtype:trojan-activity;sid:80967771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.147.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104670/; classtype:trojan-activity;sid:80967770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/mips64"; http_uri; depth:16; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104669/; classtype:trojan-activity;sid:80967769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.147.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104668/; classtype:trojan-activity;sid:80967768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ss.gif"; http_uri; depth:7; isdataat:!1,relative; content:"185.61.148.235"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104667/; classtype:trojan-activity;sid:80967767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/v.jpg"; http_uri; depth:6; isdataat:!1,relative; content:"185.61.148.235"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104666/; classtype:trojan-activity;sid:80967766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.147.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104665/; classtype:trojan-activity;sid:80967765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/i686"; http_uri; depth:14; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104664/; classtype:trojan-activity;sid:80967764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.147.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104663/; classtype:trojan-activity;sid:80967763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"217.61.112.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104662/; classtype:trojan-activity;sid:80967762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"193.37.214.15"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104660/; classtype:trojan-activity;sid:80967760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wget"; http_uri; depth:5; isdataat:!1,relative; content:"193.37.214.15"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104661/; classtype:trojan-activity;sid:80967761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/sh4"; http_uri; depth:13; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104659/; classtype:trojan-activity;sid:80967759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"193.37.214.15"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104658/; classtype:trojan-activity;sid:80967758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/mipsel"; http_uri; depth:16; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104657/; classtype:trojan-activity;sid:80967757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/armv4eb"; http_uri; depth:17; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104656/; classtype:trojan-activity;sid:80967756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/armv7l"; http_uri; depth:16; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104655/; classtype:trojan-activity;sid:80967755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.systemd/m68k"; http_uri; depth:14; isdataat:!1,relative; content:"64.62.250.41"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104654/; classtype:trojan-activity;sid:80967754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.m68k"; http_uri; depth:19; isdataat:!1,relative; content:"205.185.120.227"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104653/; classtype:trojan-activity;sid:80967753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x32"; http_uri; depth:11; isdataat:!1,relative; content:"217.61.112.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104652/; classtype:trojan-activity;sid:80967752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm4"; http_uri; depth:12; isdataat:!1,relative; content:"217.61.112.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104651/; classtype:trojan-activity;sid:80967751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tesat.hta"; http_uri; depth:10; isdataat:!1,relative; content:"www.beautymakeup.ca"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104650/; classtype:trojan-activity;sid:80967750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/sketch/css/l/qkrttr.msi"; http_uri; depth:42; isdataat:!1,relative; content:"www.mensajerosatiempo.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104649/; classtype:trojan-activity;sid:80967749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/home/doc211.exe"; http_uri; depth:16; isdataat:!1,relative; content:"ongac.org"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104648/; classtype:trojan-activity;sid:80967748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/069p_jsydbkmkz_r4uuahza/"; http_uri; depth:25; isdataat:!1,relative; content:"jauniejizalieji.lt"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104647/; classtype:trojan-activity;sid:80967747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xvfjwvvk_xu1ei_xgrv5il2e/"; http_uri; depth:26; isdataat:!1,relative; content:"copsnailsanddrinks.fr"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104646/; classtype:trojan-activity;sid:80967746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lavlc_pbfscn2u/"; http_uri; depth:16; isdataat:!1,relative; content:"xdr1.worldcupdeals.net"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104645/; classtype:trojan-activity;sid:80967745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1isd7z8y_h1ocq_hmfw4vh7l/"; http_uri; depth:26; isdataat:!1,relative; content:"baskanligagidenyol.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104644/; classtype:trojan-activity;sid:80967744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nzdok_demj9_tu/"; http_uri; depth:16; isdataat:!1,relative; content:"highclass-store.co"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104643/; classtype:trojan-activity;sid:80967743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/fwwbxsdy5884914/de/details/"; http_uri; depth:34; isdataat:!1,relative; content:"healthtech.tn"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104642/; classtype:trojan-activity;sid:80967742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/qtubnjma0319791/rechnungs-details/rechnung/"; http_uri; depth:55; isdataat:!1,relative; content:"pnneuroeducacao.pt"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104641/; classtype:trojan-activity;sid:80967741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/epug-k85sr_yytaflr-wb1/ext/paymentstatus/en_en/sales-invoice/"; http_uri; depth:62; isdataat:!1,relative; content:"www.akblog.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104640/; classtype:trojan-activity;sid:80967740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yw50qrlha/"; http_uri; depth:11; isdataat:!1,relative; content:"tral24.su"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104639/; classtype:trojan-activity;sid:80967739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/v4h00iq9w/"; http_uri; depth:11; isdataat:!1,relative; content:"xyzfilamenten.nl"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104638/; classtype:trojan-activity;sid:80967738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/twk9bcyzz/"; http_uri; depth:11; isdataat:!1,relative; content:"www.teramed.com.co"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104637/; classtype:trojan-activity;sid:80967737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/u3l2amznme/"; http_uri; depth:12; isdataat:!1,relative; content:"www.estab.org.tr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104636/; classtype:trojan-activity;sid:80967736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/okqhemqb/"; http_uri; depth:10; isdataat:!1,relative; content:"ayokerja.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104635/; classtype:trojan-activity;sid:80967735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uploads/gazo_output106db10.exe"; http_uri; depth:31; isdataat:!1,relative; content:"mlcrealestate.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104634/; classtype:trojan-activity;sid:80967734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uploads/newvenchen.exe"; http_uri; depth:23; isdataat:!1,relative; content:"mlcrealestate.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104633/; classtype:trojan-activity;sid:80967733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uploads/mypublicwifi.exe"; http_uri; depth:25; isdataat:!1,relative; content:"mlcrealestate.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104632/; classtype:trojan-activity;sid:80967732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uploads/bill1.exe"; http_uri; depth:18; isdataat:!1,relative; content:"mlcrealestate.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104631/; classtype:trojan-activity;sid:80967731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/msnonline/img/cl/factura_sii.php"; http_uri; depth:41; isdataat:!1,relative; content:"www.andorbrush.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104630/; classtype:trojan-activity;sid:80967730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntjva2h8lgrg/z919p7d7la0s5u8/docs.xls.zip"; http_uri; depth:42; isdataat:!1,relative; content:"download1839.mediafire.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104629/; classtype:trojan-activity;sid:80967729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/common/image/https/doc_sii.php"; http_uri; depth:31; isdataat:!1,relative; content:"syncrown.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104628/; classtype:trojan-activity;sid:80967728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/common/js/2019/doc_sii.php"; http_uri; depth:27; isdataat:!1,relative; content:"syncrown.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104627/; classtype:trojan-activity;sid:80967727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/907q6atok94g/z919p7d7la0s5u8/docs.xls.zip"; http_uri; depth:42; isdataat:!1,relative; content:"download1839.mediafire.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104626/; classtype:trojan-activity;sid:80967726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ookz-skfh_szhmmfygo-fp4/ach/paymentinfo/en_us/paid-invoices"; http_uri; depth:60; isdataat:!1,relative; content:"miketec.com.hk"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104625/; classtype:trojan-activity;sid:80967725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ukvr-mqcgo_ehieg-ids/ref/4814411604en/ach-form"; http_uri; depth:47; isdataat:!1,relative; content:"oculista.com.br"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104624/; classtype:trojan-activity;sid:80967724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/ltruafmy3068566/de/fakturierung"; http_uri; depth:38; isdataat:!1,relative; content:"runtah.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104623/; classtype:trojan-activity;sid:80967723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kdrgh-niwt_emq-wy/southwire/hlc97630028/en_en/important-please-read/"; http_uri; depth:69; isdataat:!1,relative; content:"xn--dh-fka.at"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104622/; classtype:trojan-activity;sid:80967722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/2019-01"; http_uri; depth:30; isdataat:!1,relative; content:"pe-co.nl"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104621/; classtype:trojan-activity;sid:80967721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/2019-01"; http_uri; depth:27; isdataat:!1,relative; content:"breakthebubble.nl"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104620/; classtype:trojan-activity;sid:80967720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/2019-01"; http_uri; depth:39; isdataat:!1,relative; content:"vnxpress24h.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104619/; classtype:trojan-activity;sid:80967719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/2019-01"; http_uri; depth:28; isdataat:!1,relative; content:"amimakingmoneyonline.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104618/; classtype:trojan-activity;sid:80967718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/01_19"; http_uri; depth:28; isdataat:!1,relative; content:"drinkdirect.co.uk"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104617/; classtype:trojan-activity;sid:80967717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/2019-01"; http_uri; depth:28; isdataat:!1,relative; content:"old.polskamasens.pl"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104616/; classtype:trojan-activity;sid:80967716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/01_19"; http_uri; depth:37; isdataat:!1,relative; content:"margatepanelbeaters.co.za"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104615/; classtype:trojan-activity;sid:80967715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments_details/2019-01"; http_uri; depth:32; isdataat:!1,relative; content:"gmelfit.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104614/; classtype:trojan-activity;sid:80967714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments_details/2019-01"; http_uri; depth:32; isdataat:!1,relative; content:"azimut-volga.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104613/; classtype:trojan-activity;sid:80967713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/012019"; http_uri; depth:26; isdataat:!1,relative; content:"offblack.de"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104612/; classtype:trojan-activity;sid:80967712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments/012019"; http_uri; depth:26; isdataat:!1,relative; content:"sofathugian.vn"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104611/; classtype:trojan-activity;sid:80967711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/details/01_19"; http_uri; depth:24; isdataat:!1,relative; content:"mail.learntoberich.vn"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104610/; classtype:trojan-activity;sid:80967710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/2019-01"; http_uri; depth:36; isdataat:!1,relative; content:"atlon.ml"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104609/; classtype:trojan-activity;sid:80967709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/01_19"; http_uri; depth:30; isdataat:!1,relative; content:"temptest123.reveance.nl"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104608/; classtype:trojan-activity;sid:80967708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/012019"; http_uri; depth:34; isdataat:!1,relative; content:"zidanmeubel.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104607/; classtype:trojan-activity;sid:80967707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/ultimate_vc_addons/admin/ifeanyi/now.exe"; http_uri; depth:60; isdataat:!1,relative; content:"7bwh.com"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104606/; classtype:trojan-activity;sid:80967706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kszip/mini/v1.0.1.11/mini_01.exe"; http_uri; depth:33; isdataat:!1,relative; content:"download.pdf00.cn"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104605/; classtype:trojan-activity;sid:80967705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/y.x86"; http_uri; depth:11; isdataat:!1,relative; content:"185.244.25.221"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104604/; classtype:trojan-activity;sid:80967704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/hjoypwcg0150375/rechnung/details/"; http_uri; depth:37; isdataat:!1,relative; content:"vansutrading.co.za"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104602/; classtype:trojan-activity;sid:80967702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http%3a%2f%2fsahlkaran.com%2fjztlu-mv_pnwyyahok-mk%2finvoicecodechanges%2fen_us%2fpaid-invoice|26|c=e15buruu0mtep5yfrkesnahzwa54zp1zybquat8w7iro4fheu7d8brrd8i_8lqvtc7emuc6uihzwn_wvn5aqq4cgung46y1lr15etbmcmfll25|26|typo=0/"; http_uri; depth:227; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104603/; classtype:trojan-activity;sid:80967703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jxvcw-5j7_ffhbdoye-zb/invoice/en/document-needed/"; http_uri; depth:50; isdataat:!1,relative; content:"torfsgebroeders.eu"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104601/; classtype:trojan-activity;sid:80967701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/hlzwyp1604214/de/rechnung/"; http_uri; depth:33; isdataat:!1,relative; content:"pojbez31.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104599/; classtype:trojan-activity;sid:80967699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/hrjftkznhq4922711/gescanntes-dokument/zahlung/"; http_uri; depth:53; isdataat:!1,relative; content:"realistickeportrety.sk"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104600/; classtype:trojan-activity;sid:80967700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/mxsvax4507556/de/rechnungsanschrift/"; http_uri; depth:48; isdataat:!1,relative; content:"phihungmobile.net"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104598/; classtype:trojan-activity;sid:80967698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vtxax-fuy_p-8h/cg234/invoicing/en_en/paid-invoices/"; http_uri; depth:52; isdataat:!1,relative; content:"michelinlearninginstitute.co.za"; http_host; depth:31; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104597/; classtype:trojan-activity;sid:80967697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dmyh-mmbje_nvtzfbhtl-7n/455929/surveyquestionsus/invoice/"; http_uri; depth:58; isdataat:!1,relative; content:"ip-tes.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104596/; classtype:trojan-activity;sid:80967696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bamxj-yk_aguzkvh-8xr/en_us/companies-invoice-7729809/"; http_uri; depth:54; isdataat:!1,relative; content:"glazastiks.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104595/; classtype:trojan-activity;sid:80967695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/aujslfxo1452575/bestellungen/form/"; http_uri; depth:38; isdataat:!1,relative; content:"condicioner-ufa.ru"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104594/; classtype:trojan-activity;sid:80967694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/infppxh9980256/gescanntes-dokument/zahlungserinnerung/"; http_uri; depth:66; isdataat:!1,relative; content:"citygroupkw.net"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104593/; classtype:trojan-activity;sid:80967693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fclvq-kk_ybcgt-yl/en/service-report-76163/"; http_uri; depth:43; isdataat:!1,relative; content:"balancedmindus.org"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104592/; classtype:trojan-activity;sid:80967692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hbivs-wle_bcgq-gn/invoices/0343/79616/en_en/invoice-2574066-january/"; http_uri; depth:69; isdataat:!1,relative; content:"www.kiber-soft.net"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104591/; classtype:trojan-activity;sid:80967691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/fulyjpw9172244/ger/zahlungserinnerung/"; http_uri; depth:42; isdataat:!1,relative; content:"marisel.com.ua"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104590/; classtype:trojan-activity;sid:80967690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mgkr-zrnv_dg-og/comet/signs/payment/notification/01/17/2019/en/overdue-payment/"; http_uri; depth:80; isdataat:!1,relative; content:"bietthunghiduong24h.info"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104589/; classtype:trojan-activity;sid:80967689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"ketout.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104588/; classtype:trojan-activity;sid:80967688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/01_19/"; http_uri; depth:18; isdataat:!1,relative; content:"www.aramanfood.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104587/; classtype:trojan-activity;sid:80967687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=fbxereqyiwoliv6nv7udtez5pdgmxacvpirdgpw0odqam5b2ixlcog8bbvldeyc0vgj5pg09e0rpu3jmqxnpyw-3d-3d_l6hg3fw8n50aqta4oq21qal5fq-2bzzmkmgtjdvztzdph23ya5auoshdoru1dhc702a5ncvpgl9znydhdakmogx6cb-2b1dd6vobr1lyue81iqz2ttihdxseclwtcy1ywx75t4fyzd3s2qgloo5lfoefwawrcjlfbegenwdqwzz8sfkvauruz81ymtynmdt6ocgd-2bgc20txye3gcu19w5yb3jdscawirawbeieaadyb-2fcs0-3d/"; http_uri; depth:353; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104586/; classtype:trojan-activity;sid:80967686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"etihadkit.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104585/; classtype:trojan-activity;sid:80967685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"ema2-medea.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104584/; classtype:trojan-activity;sid:80967684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1ufewproduct=adobe_flash_player|26|amp|3b|sessionid=0ahukewjwktcmpyzfah0rdam4pbdy0wminae|26|amp|3b|biw0rdam4pbdy0wminae|26|amp|3b|biw"; http_uri; depth:134; isdataat:!1,relative; content:"ipkill.org"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104583/; classtype:trojan-activity;sid:80967683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/fonts/arial/install_flash_player_ppapi32.exe"; http_uri; depth:57; isdataat:!1,relative; content:"dellarosa.com.au"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104582/; classtype:trojan-activity;sid:80967682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"register.srru.ac.th"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104581/; classtype:trojan-activity;sid:80967681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments_details/01_19/"; http_uri; depth:31; isdataat:!1,relative; content:"www.midts.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104580/; classtype:trojan-activity;sid:80967680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"www.drinkdirect.co.uk"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104579/; classtype:trojan-activity;sid:80967679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders_details/01_19/"; http_uri; depth:32; isdataat:!1,relative; content:"shootinstars.in"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104577/; classtype:trojan-activity;sid:80967677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/2019-01/"; http_uri; depth:24; isdataat:!1,relative; content:"themoonplease.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104578/; classtype:trojan-activity;sid:80967678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"mail.bestonlinegames.xyz"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104575/; classtype:trojan-activity;sid:80967675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/messages/012019/"; http_uri; depth:24; isdataat:!1,relative; content:"pmcorporation.fr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104576/; classtype:trojan-activity;sid:80967676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/amazon/en/documents/012019/"; http_uri; depth:39; isdataat:!1,relative; content:"gernetic.ca"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104574/; classtype:trojan-activity;sid:80967674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fuxs-md_bej-tk/invoicecodechanges/en/companies-invoice-96944979/"; http_uri; depth:65; isdataat:!1,relative; content:"hjsanders.nl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104573/; classtype:trojan-activity;sid:80967673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/kebigtlvy6527523/de/zahlung/"; http_uri; depth:40; isdataat:!1,relative; content:"translampung.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104572/; classtype:trojan-activity;sid:80967672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/ltcykbnje5969176/rechnungs-details/rechnungsanschrift/"; http_uri; depth:58; isdataat:!1,relative; content:"solusiobatherbal.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104571/; classtype:trojan-activity;sid:80967671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/styslfyqkg0437773/de/doc/"; http_uri; depth:29; isdataat:!1,relative; content:"euk.lt"; http_host; depth:6; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104570/; classtype:trojan-activity;sid:80967670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/myulp-pr_sxfpdkr-zl/southwire/qbx924743500/us_us/paid-invoices/"; http_uri; depth:64; isdataat:!1,relative; content:"pwpami.pl"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104569/; classtype:trojan-activity;sid:80967669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mqrfa-lkcjc_sl-tgj/us/753-43-672323-659-753-43-672323-244/"; http_uri; depth:59; isdataat:!1,relative; content:"lapsoinmobiliaria.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104568/; classtype:trojan-activity;sid:80967668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/leresuz7074814/dokumente/hilfestellung/"; http_uri; depth:40; isdataat:!1,relative; content:"1348photo.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104567/; classtype:trojan-activity;sid:80967667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/imfclkmpft0728555/dokumente/zahlungserinnerung/"; http_uri; depth:54; isdataat:!1,relative; content:"stal48.ru"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104566/; classtype:trojan-activity;sid:80967666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ladyaaxa7639399/dokumente/rechnungsanschrift/"; http_uri; depth:46; isdataat:!1,relative; content:"kamprotect.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104565/; classtype:trojan-activity;sid:80967665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/mlaxwyuomw8123967/de/form/"; http_uri; depth:30; isdataat:!1,relative; content:"modelgenesis.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104564/; classtype:trojan-activity;sid:80967664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yfast-rpio_lysod-775/inv/19766194964/en_en/need-to-send-the-attachment/"; http_uri; depth:72; isdataat:!1,relative; content:"carolineredaction.fr"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104563/; classtype:trojan-activity;sid:80967663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/phpvqljj5927086/rechnungs-details/hilfestellung/"; http_uri; depth:55; isdataat:!1,relative; content:"jenfu.net"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104562/; classtype:trojan-activity;sid:80967662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/lgvgpu5328119/rechnungs-details/hilfestellung/"; http_uri; depth:50; isdataat:!1,relative; content:"shot-life.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104561/; classtype:trojan-activity;sid:80967661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fzcwm-0s_bzznowj-hl/inv/02980941852/us/paid-invoice-credit-card-receipt/"; http_uri; depth:73; isdataat:!1,relative; content:"symbisystems.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104560/; classtype:trojan-activity;sid:80967660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zadye-atx_ecrtoa-x8w/ach/paymentinfo/us_us/invoices-overdue/"; http_uri; depth:61; isdataat:!1,relative; content:"tomopreis.nl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104559/; classtype:trojan-activity;sid:80967659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ltbiv-jznnu_xhtpo-kc/invoice/us/invoice-for-a/t-01/17/2019/"; http_uri; depth:60; isdataat:!1,relative; content:"ferramentasubra.com.br"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104558/; classtype:trojan-activity;sid:80967658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hmmw-wpy_csettdx-grs/paymentstatus/en/companies-invoice-31133887/"; http_uri; depth:66; isdataat:!1,relative; content:"excellenceconstructiongroup.com"; http_host; depth:31; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104557/; classtype:trojan-activity;sid:80967657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lbyps-tq_znltk-yt/inv/64718210754/us_us/outstanding-invoices/"; http_uri; depth:62; isdataat:!1,relative; content:"tec-auto.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104556/; classtype:trojan-activity;sid:80967656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/jwzwiloarb4701143/rechnungs/zahlungserinnerung/"; http_uri; depth:51; isdataat:!1,relative; content:"creationmakessense.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104555/; classtype:trojan-activity;sid:80967655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/ldkqduhsa3654559/rech/zahlungserinnerung/"; http_uri; depth:45; isdataat:!1,relative; content:"antique-carpets.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104554/; classtype:trojan-activity;sid:80967654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ogbpt-g5rn_fswv-upg/ach/paymentinfo/us_us/need-to-send-the-attachment/"; http_uri; depth:71; isdataat:!1,relative; content:"fissionmailed.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104553/; classtype:trojan-activity;sid:80967653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uqvvclish1323826/rechnungs-docs/form/"; http_uri; depth:38; isdataat:!1,relative; content:"life-and-spice.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104552/; classtype:trojan-activity;sid:80967652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/oquryvu5178922/rechnungs/fakturierung/"; http_uri; depth:39; isdataat:!1,relative; content:"rosimpex.net"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104551/; classtype:trojan-activity;sid:80967651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zwlxq-vw_ykylri-k6/ref/3246030544us/invoice-for-you/"; http_uri; depth:53; isdataat:!1,relative; content:"standart-uk.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104550/; classtype:trojan-activity;sid:80967650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gsa_lw1o4/"; http_uri; depth:11; isdataat:!1,relative; content:"enfoquecom.com.br"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104549/; classtype:trojan-activity;sid:80967649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xhdjpb_0sihee1v_ualfk2/"; http_uri; depth:24; isdataat:!1,relative; content:"sp11dzm.ru"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104548/; classtype:trojan-activity;sid:80967648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jyxxcv_82ibravt_k7nwl2nu/"; http_uri; depth:26; isdataat:!1,relative; content:"cardealersforbadcredit.net"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104547/; classtype:trojan-activity;sid:80967647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/brg_4tb3uek0n/"; http_uri; depth:15; isdataat:!1,relative; content:"motoruitjes.nl"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104546/; classtype:trojan-activity;sid:80967646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"comidasdiferentes.com.br"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104545/; classtype:trojan-activity;sid:80967645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/012019/"; http_uri; depth:23; isdataat:!1,relative; content:"www.leg4.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104544/; classtype:trojan-activity;sid:80967644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments/012019/"; http_uri; depth:24; isdataat:!1,relative; content:"boiseconcretecontractors.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104543/; classtype:trojan-activity;sid:80967643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments_details/01_19/"; http_uri; depth:31; isdataat:!1,relative; content:"www.ema2-medea.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104542/; classtype:trojan-activity;sid:80967642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/messages/2019-01/"; http_uri; depth:25; isdataat:!1,relative; content:"lignumpolska.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104541/; classtype:trojan-activity;sid:80967641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"lohacemos.mx"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104540/; classtype:trojan-activity;sid:80967640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assets/amazon/documents/012019/"; http_uri; depth:32; isdataat:!1,relative; content:"www.pro-ind.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104539/; classtype:trojan-activity;sid:80967639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-snapshots/amazon/clients_transactions/01_19/"; http_uri; depth:48; isdataat:!1,relative; content:"zhesa.ir"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104538/; classtype:trojan-activity;sid:80967638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/documents/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"ayumi.ishiura.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104537/; classtype:trojan-activity;sid:80967637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"belovedmotherof13.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104536/; classtype:trojan-activity;sid:80967636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments/012019/"; http_uri; depth:27; isdataat:!1,relative; content:"lignumpolska.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104535/; classtype:trojan-activity;sid:80967635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"185.26.31.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104534/; classtype:trojan-activity;sid:80967634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders-details/01_19/"; http_uri; depth:32; isdataat:!1,relative; content:"distinctiveblog.ir"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_17; reference:url, urlhaus.abuse.ch/url/104533/; classtype:trojan-activity;sid:80967633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/read.exe"; http_uri; depth:20; isdataat:!1,relative; content:"i3-group.co.id"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104532/; classtype:trojan-activity;sid:80967632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/playmate.exe"; http_uri; depth:24; isdataat:!1,relative; content:"i3-group.co.id"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104531/; classtype:trojan-activity;sid:80967631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/realhomes/languages/sserv.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"batdongsan3b.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104530/; classtype:trojan-activity;sid:80967630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/thankyou.exe"; http_uri; depth:22; isdataat:!1,relative; content:"i3-group.co.id"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104529/; classtype:trojan-activity;sid:80967629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/2019-01/"; http_uri; depth:27; isdataat:!1,relative; content:"www.tbssmartcenter.tn"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104528/; classtype:trojan-activity;sid:80967628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions/01_19/"; http_uri; depth:30; isdataat:!1,relative; content:"isofip.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104527/; classtype:trojan-activity;sid:80967627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"auto-buro.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104526/; classtype:trojan-activity;sid:80967626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"lanhodiepuytin.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104525/; classtype:trojan-activity;sid:80967625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/2019-01/"; http_uri; depth:24; isdataat:!1,relative; content:"clindorbh.com.br"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104524/; classtype:trojan-activity;sid:80967624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"asgardiastore.space"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104523/; classtype:trojan-activity;sid:80967623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/01_19/"; http_uri; depth:31; isdataat:!1,relative; content:"temptest123.reveance.nl"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104522/; classtype:trojan-activity;sid:80967622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"lespetitsloupsmaraichers.fr"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104521/; classtype:trojan-activity;sid:80967621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/012019/"; http_uri; depth:32; isdataat:!1,relative; content:"digen.com.br"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104520/; classtype:trojan-activity;sid:80967620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/01_19/"; http_uri; depth:38; isdataat:!1,relative; content:"service.atlink.ir"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104519/; classtype:trojan-activity;sid:80967619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pjuupfw/amazon/en/orders_details/012019/"; http_uri; depth:41; isdataat:!1,relative; content:"bootaly.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104518/; classtype:trojan-activity;sid:80967618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/2019-01/"; http_uri; depth:27; isdataat:!1,relative; content:"howtofx.worldcupdeals.net"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104517/; classtype:trojan-activity;sid:80967617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payments/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"polatlimatbaa.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104516/; classtype:trojan-activity;sid:80967616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"www.2benerji.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104515/; classtype:trojan-activity;sid:80967615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_messages/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"sizzlerexpress.co"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104514/; classtype:trojan-activity;sid:80967614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions/012019/"; http_uri; depth:31; isdataat:!1,relative; content:"www.makemoneysource.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104513/; classtype:trojan-activity;sid:80967613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/documents/012019/"; http_uri; depth:25; isdataat:!1,relative; content:"ozawabag.shop"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104512/; classtype:trojan-activity;sid:80967612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/details/01_19/"; http_uri; depth:25; isdataat:!1,relative; content:"mail.learntoberich.vn"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104511/; classtype:trojan-activity;sid:80967611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"www.matm.uz"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104510/; classtype:trojan-activity;sid:80967610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"www.ul-print.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104509/; classtype:trojan-activity;sid:80967609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"binckvertelt.nl"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104508/; classtype:trojan-activity;sid:80967608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"web.pa-cirebon.go.id"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104507/; classtype:trojan-activity;sid:80967607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/012019/"; http_uri; depth:23; isdataat:!1,relative; content:"elcodrilling.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104506/; classtype:trojan-activity;sid:80967606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"printhousebg.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104505/; classtype:trojan-activity;sid:80967605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/febr-irdhf_zd-z0/invoicecodechanges/us/past-due-invoice"; http_uri; depth:56; isdataat:!1,relative; content:"odesagroup.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104504/; classtype:trojan-activity;sid:80967604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/donpetit.exe"; http_uri; depth:25; isdataat:!1,relative; content:"i3-group.co.id"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104503/; classtype:trojan-activity;sid:80967603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/timework.exe"; http_uri; depth:24; isdataat:!1,relative; content:"i3-group.co.id"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104502/; classtype:trojan-activity;sid:80967602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/sealedugo.exe"; http_uri; depth:23; isdataat:!1,relative; content:"i3-group.co.id"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104501/; classtype:trojan-activity;sid:80967601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/papas.exe"; http_uri; depth:21; isdataat:!1,relative; content:"i3-group.co.id"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104500/; classtype:trojan-activity;sid:80967600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/donugogee.exe"; http_uri; depth:26; isdataat:!1,relative; content:"i3-group.co.id"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104499/; classtype:trojan-activity;sid:80967599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"31.132.143.21"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104498/; classtype:trojan-activity;sid:80967598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"1.54.30.138"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104497/; classtype:trojan-activity;sid:80967597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/t2zz_zoxsnfksj_cluxs/"; http_uri; depth:22; isdataat:!1,relative; content:"anhle.art"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104496/; classtype:trojan-activity;sid:80967596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2z4fo_ymay_bqdf1wd/"; http_uri; depth:20; isdataat:!1,relative; content:"flowersgalleryevents.ayansaha.com"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104495/; classtype:trojan-activity;sid:80967595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/worem_2o27v_d/"; http_uri; depth:15; isdataat:!1,relative; content:"ftp.spbv.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104494/; classtype:trojan-activity;sid:80967594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/pct_0h8s_l9zvhlysf/"; http_uri; depth:31; isdataat:!1,relative; content:"bonnyprint.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104493/; classtype:trojan-activity;sid:80967593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/tyug_qoscoz4o_5upw9ysbo/"; http_uri; depth:44; isdataat:!1,relative; content:"www.binsuloomgroup.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104492/; classtype:trojan-activity;sid:80967592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nzydl-dra_kgnbyx-5qq/southwire/qit9760639977/en_us/invoice-3852200-january/"; http_uri; depth:76; isdataat:!1,relative; content:"www.suvenir-maykop.ru"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104491/; classtype:trojan-activity;sid:80967591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/badmkd6453501/rechnungs/rechnungsanschrift/"; http_uri; depth:47; isdataat:!1,relative; content:"gephesf.pontocritico.org"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104490/; classtype:trojan-activity;sid:80967590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/wdadhuupg7241677/rechnungs-docs/hilfestellung/"; http_uri; depth:58; isdataat:!1,relative; content:"house.testmonday.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104489/; classtype:trojan-activity;sid:80967589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/iybffejt3289859/rechnungs/zahlung/"; http_uri; depth:38; isdataat:!1,relative; content:"kcespolska.pl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104488/; classtype:trojan-activity;sid:80967588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ifwj-bo_buv-ab0/en/new-order/"; http_uri; depth:30; isdataat:!1,relative; content:"nhakhoavieta.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104487/; classtype:trojan-activity;sid:80967587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ukwuz-iskj_ayt-gf/inv/95099forpo/89237244008/en/317-71-812077-075-317-71-812077-674/"; http_uri; depth:85; isdataat:!1,relative; content:"cms.berichtvoorjou.nl"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104486/; classtype:trojan-activity;sid:80967586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eszlv-bgq_jeuea-ok/southwire/qjt491798084/en_us/companies-invoice-1859353/"; http_uri; depth:75; isdataat:!1,relative; content:"www.avtotest-taxi.ru"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104485/; classtype:trojan-activity;sid:80967585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xkktt-8k_yryooqpwv-sw/invoice/01359/overpayment/en/overdue-payment/"; http_uri; depth:68; isdataat:!1,relative; content:"www.festivaldescons.fr"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104484/; classtype:trojan-activity;sid:80967584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/whpeb-4so_udvfbmgmr-jat/inv/76841forpo/40533191131/en_us/outstanding-invoices/"; http_uri; depth:79; isdataat:!1,relative; content:"rahkarinoo.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104483/; classtype:trojan-activity;sid:80967583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/omcl-pyu_iufoy-vc4/invoice/7487/overpayment/en_us/invoice-receipt/"; http_uri; depth:67; isdataat:!1,relative; content:"lapontelloise.fr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104482/; classtype:trojan-activity;sid:80967582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gekyf-6b_vtnvah-y6x/ext/paymentstatus/en/need-to-send-the-attachment/"; http_uri; depth:70; isdataat:!1,relative; content:"immo-en-israel.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104481/; classtype:trojan-activity;sid:80967581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ukvr-mqcgo_ehieg-ids/ref/4814411604en/ach-form/"; http_uri; depth:48; isdataat:!1,relative; content:"oculista.com.br"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104480/; classtype:trojan-activity;sid:80967580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/adezg-nvibd_esthii-bsb/invoice/66893/overpayment/us_us/invoice-for-s/h-01/17/2019/"; http_uri; depth:83; isdataat:!1,relative; content:"or-iraq.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104479/; classtype:trojan-activity;sid:80967579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wvaq-smw_gakfjgye-no/ach/paymentadvice/en/invoice-for-v/a-01/17/2019/"; http_uri; depth:70; isdataat:!1,relative; content:"mail.be-mup.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104478/; classtype:trojan-activity;sid:80967578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jaor-mhpv3_vpv-4h/paymentstatus/en/open-past-due-orders/"; http_uri; depth:57; isdataat:!1,relative; content:"lokeronline.net"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104477/; classtype:trojan-activity;sid:80967577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jdizz-l86x_mpzcmnaf-tnj/ach/paymentadvice/us_us/inv-12441-po-8c586861/"; http_uri; depth:71; isdataat:!1,relative; content:"etsybizthai.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104476/; classtype:trojan-activity;sid:80967576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rmtu-te1dj_bfmkkc-tf9/ref/25027654en/inv-373736-po-7q385560/"; http_uri; depth:61; isdataat:!1,relative; content:"www.tag.ir"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104475/; classtype:trojan-activity;sid:80967575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ayjd-q1bif_cdgjh-fg/invoice/16523/overpayment/us/past-due-invoice/"; http_uri; depth:67; isdataat:!1,relative; content:"irsoradio.nl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104474/; classtype:trojan-activity;sid:80967574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mjaog-5qa5_bmeo-wdq/paymentstatus/en_us/companies-invoice-3933304/"; http_uri; depth:67; isdataat:!1,relative; content:"3dyazicimarket.com.tr"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104473/; classtype:trojan-activity;sid:80967573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ikvs-kvdot_yg-tb/paymentstatus/us_us/invoice-for-r/m-01/16/2019/"; http_uri; depth:65; isdataat:!1,relative; content:"grantkulinar.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104472/; classtype:trojan-activity;sid:80967572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zynjl-dy0pu_dlhk-vtp/ach/paymentinfo/us/open-past-due-orders/"; http_uri; depth:62; isdataat:!1,relative; content:"needrelax.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104471/; classtype:trojan-activity;sid:80967571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hpp52ibi/kkpew-bvwox_jdlmqsdmf-0su/southwire/nen2883833917/en_en/need-to-send-the-attachment/"; http_uri; depth:94; isdataat:!1,relative; content:"www.ip-tes.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104470/; classtype:trojan-activity;sid:80967570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ygnpo-xf_msydhz-8j/ach/paymentinfo/en/companies-invoice-8031185/"; http_uri; depth:65; isdataat:!1,relative; content:"www.purifiq.co.za"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104469/; classtype:trojan-activity;sid:80967569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/aupdj-2ed_zvchesg-tu7/inv/95995forpo/81050853735/en_us/sales-invoice/"; http_uri; depth:70; isdataat:!1,relative; content:"mail.mtcc858.ca"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104468/; classtype:trojan-activity;sid:80967568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xtrf-wwkf_yilncf-zo2/us/overdue-payment/"; http_uri; depth:41; isdataat:!1,relative; content:"oculista.com.br"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104467/; classtype:trojan-activity;sid:80967567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dfxp-xila_vlnrip-y3/en/service-report-41623/"; http_uri; depth:45; isdataat:!1,relative; content:"www.pugliachebonta.it"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104466/; classtype:trojan-activity;sid:80967566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http%3a%2f%2fsahlkaran.com%2fjztlu-mv_pnwyyahok-mk%2finvoicecodechanges%2fen_us%2fpaid-invoice|26|c=e,1,5buruu0mtep5yfrkesnahzwa54zp1zybquat8w7iro4fheu7d8brrd8i_8lqvtc7emuc6uihzwn_wvn5aqq4cgung46y1lr15etbmcmfll25|26|typo=0/"; http_uri; depth:229; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104465/; classtype:trojan-activity;sid:80967565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/zqubdqbrf4046755/de/hilfestellung/"; http_uri; depth:41; isdataat:!1,relative; content:"www.makemoneyonline0.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104464/; classtype:trojan-activity;sid:80967564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lhqbw-xbf_rjfkgvk-7d/ref/40745794us/overdue-payment/"; http_uri; depth:53; isdataat:!1,relative; content:"www.yourroofer.co.uk"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104463/; classtype:trojan-activity;sid:80967563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/zsczjsmfjr0996491/rechnung/zahlung/"; http_uri; depth:47; isdataat:!1,relative; content:"etihadinnovationkit.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104462/; classtype:trojan-activity;sid:80967562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/seeeen.exe"; http_uri; depth:20; isdataat:!1,relative; content:"i3-group.co.id"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104461/; classtype:trojan-activity;sid:80967561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/w8yxb69h5/"; http_uri; depth:11; isdataat:!1,relative; content:"vanoostrom.org"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104460/; classtype:trojan-activity;sid:80967560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fne1tvjji/"; http_uri; depth:11; isdataat:!1,relative; content:"migoshen.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104459/; classtype:trojan-activity;sid:80967559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ynb95t2/"; http_uri; depth:9; isdataat:!1,relative; content:"ftp.dailyignite.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104458/; classtype:trojan-activity;sid:80967558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nkq5eoz/"; http_uri; depth:9; isdataat:!1,relative; content:"economiadigital.biz"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104457/; classtype:trojan-activity;sid:80967557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bcfuhvdr/"; http_uri; depth:10; isdataat:!1,relative; content:"samix-num.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104456/; classtype:trojan-activity;sid:80967556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"www.activartcompany.it"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104455/; classtype:trojan-activity;sid:80967555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/attachments/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"ldrautovation.co.za"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104454/; classtype:trojan-activity;sid:80967554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transaction_details/012019/"; http_uri; depth:38; isdataat:!1,relative; content:"domswop.worldcupdeals.net"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104453/; classtype:trojan-activity;sid:80967553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders-details/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"www.zonnestroomtilburg.nl"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104452/; classtype:trojan-activity;sid:80967552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transaction_details/012019/"; http_uri; depth:38; isdataat:!1,relative; content:"www.idgnet.nl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104451/; classtype:trojan-activity;sid:80967551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/01_19/"; http_uri; depth:38; isdataat:!1,relative; content:"www.motoruitjes.nl"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104450/; classtype:trojan-activity;sid:80967550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftwiofrm_ero4460/amazon/details/012019/"; http_uri; depth:40; isdataat:!1,relative; content:"ero4790k.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104449/; classtype:trojan-activity;sid:80967549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=eh9clvim7g7bz30e4t0-2bxebgvhmxfvv3h8tq2zucmripe3t4ddxlpjk06tivrvm4ys46xr0nhv-2brjncaij90ta-3d-3d_xctnyg84w5dxaeiqlkwfapmafcwx-2bvqrbgpc2aterubwzhqvit6k-2br-2f-2brtfxh30snualkinsfl4kpjxolz1pdkeyin09j-2feubfjtzfhwomu5oue5pkz1zfmh7ruidukez3mtrhdsr7lsdjzje7kx1k2ca4lrwk-2fqb27r26sqioe3dlqep0gttopfvd9udn-2fkyx1wgc8e76w2wvewgp76slkpurqn5-2bqfzdyyjtmdpzw-3d/"; http_uri; depth:365; isdataat:!1,relative; content:"u4124863.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104448/; classtype:trojan-activity;sid:80967548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wordpress/amazon/en/orders-details/01_19/"; http_uri; depth:42; isdataat:!1,relative; content:"cbsr.com.pk"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104447/; classtype:trojan-activity;sid:80967547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders_details/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"pugliachebonta.it"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104446/; classtype:trojan-activity;sid:80967546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"batdongsanbamien24h.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104445/; classtype:trojan-activity;sid:80967545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments_details/2019-01/"; http_uri; depth:33; isdataat:!1,relative; content:"gmelfit.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104444/; classtype:trojan-activity;sid:80967544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/2019-01/"; http_uri; depth:24; isdataat:!1,relative; content:"qigong-gironde.fr"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104443/; classtype:trojan-activity;sid:80967543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/01_19/"; http_uri; depth:25; isdataat:!1,relative; content:"audiocart.co.za"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104442/; classtype:trojan-activity;sid:80967542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"vnxpress24h.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104441/; classtype:trojan-activity;sid:80967541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/rechnungs/01_19/"; http_uri; depth:36; isdataat:!1,relative; content:"batdongsan3b.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104440/; classtype:trojan-activity;sid:80967540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transaction_details/012019/"; http_uri; depth:38; isdataat:!1,relative; content:"stats.sitelemon.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104439/; classtype:trojan-activity;sid:80967539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/attachments/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"www.cop-rudnik.pl"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104438/; classtype:trojan-activity;sid:80967538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/2019-01/"; http_uri; depth:33; isdataat:!1,relative; content:"truongland.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104437/; classtype:trojan-activity;sid:80967537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/2019-01/"; http_uri; depth:24; isdataat:!1,relative; content:"stionline.com.ve"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104436/; classtype:trojan-activity;sid:80967536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_transactions/01_19/"; http_uri; depth:38; isdataat:!1,relative; content:"smkn.co.id"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104435/; classtype:trojan-activity;sid:80967535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/012019/"; http_uri; depth:27; isdataat:!1,relative; content:"smtp.stepoutforsuccess.ca"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104434/; classtype:trojan-activity;sid:80967534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"find-me-an-english-book.co.uk"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104433/; classtype:trojan-activity;sid:80967533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/2019-01/"; http_uri; depth:27; isdataat:!1,relative; content:"www.markerom.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104432/; classtype:trojan-activity;sid:80967532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"www.xn----7sbabof2ac4chjkhgcg5e1i.xn--p1ai"; http_host; depth:42; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104431/; classtype:trojan-activity;sid:80967531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients/01_19/"; http_uri; depth:25; isdataat:!1,relative; content:"chenhungmu.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104430/; classtype:trojan-activity;sid:80967530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/012019/"; http_uri; depth:27; isdataat:!1,relative; content:"offblack.de"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104429/; classtype:trojan-activity;sid:80967529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/docs/amazon/en/information/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"quahandmade.org"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104428/; classtype:trojan-activity;sid:80967528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"eddiepisters.nl"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104427/; classtype:trojan-activity;sid:80967527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-snapshots/amazon/en/messages/01_19/"; http_uri; depth:39; isdataat:!1,relative; content:"ktml.org"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104426/; classtype:trojan-activity;sid:80967526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/01xnpqw/"; http_uri; depth:9; isdataat:!1,relative; content:"vincopoker.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104425/; classtype:trojan-activity;sid:80967525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cjf6hpn7/"; http_uri; depth:10; isdataat:!1,relative; content:"odesagroup.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104424/; classtype:trojan-activity;sid:80967524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"89.133.14.96"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104423/; classtype:trojan-activity;sid:80967523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.sh4"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104422/; classtype:trojan-activity;sid:80967522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.arm"; http_uri; depth:9; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104421/; classtype:trojan-activity;sid:80967521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.m68k"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104420/; classtype:trojan-activity;sid:80967520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.ppc"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104419/; classtype:trojan-activity;sid:80967519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7m2cov4d760n5qancgi5c4s98hg8o5hs/1547661600000/07335649321361492730/*/1i6j8abdi7cbfjcew6h0ra5lhstko1yshe=download"; http_uri; depth:161; isdataat:!1,relative; content:"doc-0c-8s-docs.googleusercontent.com"; http_host; depth:36; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104418/; classtype:trojan-activity;sid:80967518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/y6o7vhukpu"; http_uri; depth:11; isdataat:!1,relative; content:"waliwalo.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104417/; classtype:trojan-activity;sid:80967517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/note.exe"; http_uri; depth:9; isdataat:!1,relative; content:"cheats4gaming.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104416/; classtype:trojan-activity;sid:80967516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/h1raz_hefn0j_e/"; http_uri; depth:16; isdataat:!1,relative; content:"aryahospitalksh.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104415/; classtype:trojan-activity;sid:80967515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nlwq7z5_vin4p7ar_00kdii/"; http_uri; depth:25; isdataat:!1,relative; content:"lailarahman.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104414/; classtype:trojan-activity;sid:80967514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/5rkx6ot_r3wyo/"; http_uri; depth:15; isdataat:!1,relative; content:"medicspoint.pk"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104413/; classtype:trojan-activity;sid:80967513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/g0i_4ucijs/"; http_uri; depth:12; isdataat:!1,relative; content:"jcpersonaliza.com.br"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104412/; classtype:trojan-activity;sid:80967512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/nefrze_crln072r_s/"; http_uri; depth:38; isdataat:!1,relative; content:"binsuloomgroup.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104411/; classtype:trojan-activity;sid:80967511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qosbh-t9_xw-2f6/inv/966600392/us_us/invoice-for-p/i-01/16/2019/"; http_uri; depth:64; isdataat:!1,relative; content:"www.abmtrust.org"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104410/; classtype:trojan-activity;sid:80967510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ikvs-kvdot_yg-tb/paymentstatus/us_us/invoice-for-r/m-01/16/2019/"; http_uri; depth:65; isdataat:!1,relative; content:"www.grantkulinar.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104409/; classtype:trojan-activity;sid:80967509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apoc-srx_lp-uec/invoice/en/invoice-for-you/"; http_uri; depth:44; isdataat:!1,relative; content:"doraya.eu"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104408/; classtype:trojan-activity;sid:80967508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/carwr-czuml_rb-olm/ach/paymentadvice/us_us/companies-invoice-7507672/"; http_uri; depth:70; isdataat:!1,relative; content:"www.ganache.com.br"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104407/; classtype:trojan-activity;sid:80967507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jhjnv-xu1_tlkwwer-w8s/inv/065743170/us_us/invoice-receipt/"; http_uri; depth:59; isdataat:!1,relative; content:"rapport-de-stage-tevai-sallaberry.fr"; http_host; depth:36; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104406/; classtype:trojan-activity;sid:80967506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jmjcc-fqb_py-p6a/comet/signs/payment/notification/01/16/2019/en_en/invoice-7465831/"; http_uri; depth:84; isdataat:!1,relative; content:"livechallenge.fr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104405/; classtype:trojan-activity;sid:80967505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sxtdh-pxvk_gsqdk-ge6/invoice/en/past-due-invoices/"; http_uri; depth:51; isdataat:!1,relative; content:"fidesconstantia.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104404/; classtype:trojan-activity;sid:80967504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/85qjtunyl/"; http_uri; depth:11; isdataat:!1,relative; content:"titheringtons.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104403/; classtype:trojan-activity;sid:80967503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sm93gjvmw/"; http_uri; depth:11; isdataat:!1,relative; content:"affinity7.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104402/; classtype:trojan-activity;sid:80967502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/7uqz6s6uq/"; http_uri; depth:11; isdataat:!1,relative; content:"www.emmanuelboos.info"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104401/; classtype:trojan-activity;sid:80967501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftkdpad/"; http_uri; depth:9; isdataat:!1,relative; content:"advantechnologies.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104400/; classtype:trojan-activity;sid:80967500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/012019/"; http_uri; depth:23; isdataat:!1,relative; content:"www.ayokerja.org"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104399/; classtype:trojan-activity;sid:80967499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/y6o7vhukpu/"; http_uri; depth:12; isdataat:!1,relative; content:"waliwalo.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104398/; classtype:trojan-activity;sid:80967498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_transactions/012019/"; http_uri; depth:39; isdataat:!1,relative; content:"wellnessworkshop.ie"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104396/; classtype:trojan-activity;sid:80967496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=wpe4fdem1keygrlxyjbsyjcessofprksfm2nk6cmh1rekxk5jgbbtbg7j0wdeqgbpixs5vaiatpwwl9difz1dc8ux1s-2fxre9kqql4laibcu-3d_x0evshgxgtwnysm1g6j8lt06e-2boxko14az5skvd7zf-2bzjtbghrawt9gchhzedupg0pilokyanck2093dw43tk-2febjgvnbejzmlzwfftaxglu6clvtuf0bl80zjpg1z6fgynxwbkq7dtgkjdt8htmaj7tnq30mt0cqqgefibrjcecgfwzaiwjos3ngzs2g5sndaexwulxro1icoefu6cxyg-3d-3d/"; http_uri; depth:353; isdataat:!1,relative; content:"u5184431.ct.sendgrid.net"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104397/; classtype:trojan-activity;sid:80967497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"themanorcentralparknguyenxien.net"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104395/; classtype:trojan-activity;sid:80967495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"old.polskamasens.pl"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104394/; classtype:trojan-activity;sid:80967494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/amazon/information/01_19/"; http_uri; depth:37; isdataat:!1,relative; content:"rampp.ir"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104393/; classtype:trojan-activity;sid:80967493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"alfemimoda.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104392/; classtype:trojan-activity;sid:80967492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"www.drinkdirect.co.uk"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104391/; classtype:trojan-activity;sid:80967491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cd/0/get/azg5q7vkkaxi1s7xvrr4wmhzud4mp3wjhpoguxy1mzuc0ddjym8wkbtvy7x7scw7zkweyjiiro8hoh7jbebdhwjbclorbzlarykbfsdkn7sb0xmiyfi7k0winvhkrwe8yzdtfkeg5feu4qe8x8l9yh9vbqqgvwjhxybmadyyudrvi07kzxrjvtuempqw9kmmu18/filedl=1"; http_uri; depth:214; isdataat:!1,relative; content:"uc5572244f19a82890c467bd11d6.dl.dropboxusercontent.com"; http_host; depth:54; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104390/; classtype:trojan-activity;sid:80967490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pagerastreamentoobjetos/sistemas.html"; http_uri; depth:38; isdataat:!1,relative; content:"servicescobrancas.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104389/; classtype:trojan-activity;sid:80967489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/information/01_19/"; http_uri; depth:26; isdataat:!1,relative; content:"www.cbhrmf.com.br"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104388/; classtype:trojan-activity;sid:80967488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"webview.bvibus.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104387/; classtype:trojan-activity;sid:80967487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"smsold401.smsold.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104386/; classtype:trojan-activity;sid:80967486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/details/012019/"; http_uri; depth:26; isdataat:!1,relative; content:"sevenempreenda.com.br"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104385/; classtype:trojan-activity;sid:80967485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/2019-01/"; http_uri; depth:40; isdataat:!1,relative; content:"register.srru.ac.th"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104384/; classtype:trojan-activity;sid:80967484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"projektuvaldymosistema.eu"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104383/; classtype:trojan-activity;sid:80967483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"pe-co.nl"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104382/; classtype:trojan-activity;sid:80967482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions/012019/"; http_uri; depth:31; isdataat:!1,relative; content:"leodruker.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104380/; classtype:trojan-activity;sid:80967480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments/01_19/"; http_uri; depth:26; isdataat:!1,relative; content:"nuagelab.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104381/; classtype:trojan-activity;sid:80967481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/messages/2019-01/"; http_uri; depth:25; isdataat:!1,relative; content:"guitare-start.fr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104379/; classtype:trojan-activity;sid:80967479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/2019-01/"; http_uri; depth:36; isdataat:!1,relative; content:"drcarrico.com.br"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104378/; classtype:trojan-activity;sid:80967478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/attachments/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"dev.moleq.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104377/; classtype:trojan-activity;sid:80967477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_messages/01_19/"; http_uri; depth:31; isdataat:!1,relative; content:"amberrussia.cn"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104376/; classtype:trojan-activity;sid:80967476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zwlxq-vw_ykylri-k6/ref/3246030544us/invoice-for-you/"; http_uri; depth:53; isdataat:!1,relative; content:"www.standart-uk.ru"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104375/; classtype:trojan-activity;sid:80967475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cipe-slt_ssasd-c9s/comet/signs/payment/notification/01/16/2019/en/paid-invoices/"; http_uri; depth:81; isdataat:!1,relative; content:"welovecreative.co.nz"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104374/; classtype:trojan-activity;sid:80967474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bmww-ozmqz_tl-grq/inv/633151forpo/754870642714/en_us/open-past-due-orders/"; http_uri; depth:75; isdataat:!1,relative; content:"thorntonmanor.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104373/; classtype:trojan-activity;sid:80967473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hooxi-o2_ooqrn-vl/southwire/mjn77267539/en_en/document-needed/"; http_uri; depth:63; isdataat:!1,relative; content:"southernthatch.co.za"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104372/; classtype:trojan-activity;sid:80967472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nqxxr-ym0c_ehmzsvjus-nu/ach/paymentadvice/en_en/invoice/"; http_uri; depth:57; isdataat:!1,relative; content:"souqaziz.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104371/; classtype:trojan-activity;sid:80967471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/otxku-v7vw_k-ht/invoice/369532344/en/new-order/"; http_uri; depth:48; isdataat:!1,relative; content:"seomood.swhost.pl"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104370/; classtype:trojan-activity;sid:80967470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sitefiles/yfnkvsgfi/ncpno-ft8ip_ql-arq/ext/paymentstatus/en_en/invoice-for-j/g-01/16/2019/"; http_uri; depth:91; isdataat:!1,relative; content:"sathachlaixebinhthuan.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104369/; classtype:trojan-activity;sid:80967469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wzulb-rfyxk_hjflpgcig-mf/invoicecodechanges/en_us/paid-invoices/"; http_uri; depth:65; isdataat:!1,relative; content:"routetomarketsolutions.co.uk"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104368/; classtype:trojan-activity;sid:80967468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zblpx-wtc_brf-i7/ref/85034926us_us/question/"; http_uri; depth:45; isdataat:!1,relative; content:"rccgregion15juniorchurch.org"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104367/; classtype:trojan-activity;sid:80967467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uvdcl-seqb_z-fn/inv/46137forpo/5825406314/us_us/invoice-23324505-january/"; http_uri; depth:74; isdataat:!1,relative; content:"proserempresarial.com.mx"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104366/; classtype:trojan-activity;sid:80967466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jptd-7qea_j-f5/ref/1062871160us_us/past-due-invoice/"; http_uri; depth:53; isdataat:!1,relative; content:"mozaland.vn"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104365/; classtype:trojan-activity;sid:80967465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ookz-skfh_szhmmfygo-fp4/ach/paymentinfo/en_us/paid-invoices/"; http_uri; depth:61; isdataat:!1,relative; content:"miketec.com.hk"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104364/; classtype:trojan-activity;sid:80967464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jgve-jcrp_xl-bu8/southwire/wpl02170711/us_us/invoice/"; http_uri; depth:54; isdataat:!1,relative; content:"mandalafest.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104363/; classtype:trojan-activity;sid:80967463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xjwi-432_en-vf/inv/866847583/us_us/open-invoices/"; http_uri; depth:50; isdataat:!1,relative; content:"maf-orleans.fr"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104362/; classtype:trojan-activity;sid:80967462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bsfe-klt_luwpexa-m6/ref/3786979734us/invoices-attached/"; http_uri; depth:56; isdataat:!1,relative; content:"korbi-studio.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104361/; classtype:trojan-activity;sid:80967461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wibs-k3ssq_zzuriqxdl-stp/invoice/71459672/en/invoice-receipt/"; http_uri; depth:62; isdataat:!1,relative; content:"johnnycrap.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104360/; classtype:trojan-activity;sid:80967460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rntvm-eb1_soybton-56/southwire/gby130159746/en/scan/"; http_uri; depth:53; isdataat:!1,relative; content:"fira.org.za"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104359/; classtype:trojan-activity;sid:80967459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xgoyg-1w1aq_aknq-ac/invoicecodechanges/en_us/outstanding-invoices/"; http_uri; depth:67; isdataat:!1,relative; content:"enlightivebm.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104358/; classtype:trojan-activity;sid:80967458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/owyy-h3_dpfe-xpu/hs13/invoicing/en_en/service-invoice/"; http_uri; depth:55; isdataat:!1,relative; content:"alkamaria.net"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104357/; classtype:trojan-activity;sid:80967457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/custom-sidebars/2"; http_uri; depth:37; isdataat:!1,relative; content:"thefashionchamp.co"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104355/; classtype:trojan-activity;sid:80967455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/custom-sidebars/3"; http_uri; depth:37; isdataat:!1,relative; content:"thefashionchamp.co"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104356/; classtype:trojan-activity;sid:80967456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/custom-sidebars/1"; http_uri; depth:37; isdataat:!1,relative; content:"thefashionchamp.co"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104354/; classtype:trojan-activity;sid:80967454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/mailchimp/lib/3"; http_uri; depth:35; isdataat:!1,relative; content:"salshakenwrap.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104353/; classtype:trojan-activity;sid:80967453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/mailchimp/lib/1"; http_uri; depth:35; isdataat:!1,relative; content:"salshakenwrap.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104351/; classtype:trojan-activity;sid:80967451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/mailchimp/lib/2"; http_uri; depth:35; isdataat:!1,relative; content:"salshakenwrap.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104352/; classtype:trojan-activity;sid:80967452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/jetpack/modules/3"; http_uri; depth:37; isdataat:!1,relative; content:"emilyhendrie.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104350/; classtype:trojan-activity;sid:80967450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/jetpack/modules/1"; http_uri; depth:37; isdataat:!1,relative; content:"emilyhendrie.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104348/; classtype:trojan-activity;sid:80967448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/jetpack/modules/2"; http_uri; depth:37; isdataat:!1,relative; content:"emilyhendrie.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104349/; classtype:trojan-activity;sid:80967449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/w3-total-cache/inc/3"; http_uri; depth:40; isdataat:!1,relative; content:"kevinalves.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104347/; classtype:trojan-activity;sid:80967447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/w3-total-cache/inc/1"; http_uri; depth:40; isdataat:!1,relative; content:"kevinalves.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104345/; classtype:trojan-activity;sid:80967445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/w3-total-cache/inc/2"; http_uri; depth:40; isdataat:!1,relative; content:"kevinalves.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104346/; classtype:trojan-activity;sid:80967446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/mailchimp-for-wp/2"; http_uri; depth:38; isdataat:!1,relative; content:"jenrobin.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104343/; classtype:trojan-activity;sid:80967443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/mailchimp-for-wp/3"; http_uri; depth:38; isdataat:!1,relative; content:"jenrobin.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104344/; classtype:trojan-activity;sid:80967444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/mailchimp-for-wp/1"; http_uri; depth:38; isdataat:!1,relative; content:"jenrobin.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104342/; classtype:trojan-activity;sid:80967442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/newer.exe"; http_uri; depth:10; isdataat:!1,relative; content:"www.turbominebtcminer.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104341/; classtype:trojan-activity;sid:80967441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/forum/cache/ssj.jpg"; http_uri; depth:20; isdataat:!1,relative; content:"fossbcn.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104340/; classtype:trojan-activity;sid:80967440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bin.exe"; http_uri; depth:8; isdataat:!1,relative; content:"cheats4gaming.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104339/; classtype:trojan-activity;sid:80967439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/endless.exe"; http_uri; depth:12; isdataat:!1,relative; content:"a98n98.xyz"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104338/; classtype:trojan-activity;sid:80967438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/voice/images/admin/ssj.jpg"; http_uri; depth:45; isdataat:!1,relative; content:"vuonorganic.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104337/; classtype:trojan-activity;sid:80967437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/copyland.png"; http_uri; depth:13; isdataat:!1,relative; content:"www.embrodownscience.su"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104336/; classtype:trojan-activity;sid:80967436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/download/doss22.exe"; http_uri; depth:20; isdataat:!1,relative; content:"216.170.123.10"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104334/; classtype:trojan-activity;sid:80967434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/release/piratechickvpnupdate.exe"; http_uri; depth:33; isdataat:!1,relative; content:"piratechickvpn.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104335/; classtype:trojan-activity;sid:80967435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sites/default/files/cast2.exe"; http_uri; depth:30; isdataat:!1,relative; content:"www.tibetsaveandcare.org"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104333/; classtype:trojan-activity;sid:80967433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_transactions/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"orderout.nl"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104332/; classtype:trojan-activity;sid:80967432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.x86"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104331/; classtype:trojan-activity;sid:80967431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.mpsl"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104330/; classtype:trojan-activity;sid:80967430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.mips"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104329/; classtype:trojan-activity;sid:80967429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.arm7"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104328/; classtype:trojan-activity;sid:80967428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.arm6"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104327/; classtype:trojan-activity;sid:80967427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.arm5"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104326/; classtype:trojan-activity;sid:80967426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.arm"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.24.154"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104325/; classtype:trojan-activity;sid:80967425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.ppc"; http_uri; depth:9; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104324/; classtype:trojan-activity;sid:80967424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.arm5"; http_uri; depth:10; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104322/; classtype:trojan-activity;sid:80967422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.arm6"; http_uri; depth:10; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104323/; classtype:trojan-activity;sid:80967423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qwydbbcdu.pngbg=sp20"; http_uri; depth:21; isdataat:!1,relative; content:"help.postsupport.net"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104321/; classtype:trojan-activity;sid:80967421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.sh4"; http_uri; depth:9; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104320/; classtype:trojan-activity;sid:80967420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.arm7"; http_uri; depth:10; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104319/; classtype:trojan-activity;sid:80967419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.m68k"; http_uri; depth:10; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104318/; classtype:trojan-activity;sid:80967418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.mpsl"; http_uri; depth:10; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104317/; classtype:trojan-activity;sid:80967417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d/xd.x86"; http_uri; depth:9; isdataat:!1,relative; content:"45.62.249.171"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104316/; classtype:trojan-activity;sid:80967416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/max.exe"; http_uri; depth:8; isdataat:!1,relative; content:"78.142.29.110"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104315/; classtype:trojan-activity;sid:80967415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xoozt-aeuvv_lmhmjuat-4sk/ach/paymentinfo/us/invoice-number-919134/"; http_uri; depth:67; isdataat:!1,relative; content:"liarla.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104314/; classtype:trojan-activity;sid:80967414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jiidnatz.pngbg=sp21"; http_uri; depth:20; isdataat:!1,relative; content:"help.postsupport.net"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104313/; classtype:trojan-activity;sid:80967413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wzsetzjee/"; http_uri; depth:11; isdataat:!1,relative; content:"almazart.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104312/; classtype:trojan-activity;sid:80967412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/83fmjzuwm/"; http_uri; depth:11; isdataat:!1,relative; content:"prakritikkrishi.org"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104311/; classtype:trojan-activity;sid:80967411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fc0w6qf/"; http_uri; depth:9; isdataat:!1,relative; content:"suglafish.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104310/; classtype:trojan-activity;sid:80967410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nry3kxhi4v/"; http_uri; depth:12; isdataat:!1,relative; content:"matadorlovol.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104309/; classtype:trojan-activity;sid:80967409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/01xnpqw/"; http_uri; depth:9; isdataat:!1,relative; content:"www.vincopoker.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104308/; classtype:trojan-activity;sid:80967408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/01_19/"; http_uri; depth:26; isdataat:!1,relative; content:"aserraderoelaleman.com.ar"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104307/; classtype:trojan-activity;sid:80967407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders-details/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"becommerce.mx"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104306/; classtype:trojan-activity;sid:80967406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/2019-01/"; http_uri; depth:36; isdataat:!1,relative; content:"i2ml-evenements.fr"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104305/; classtype:trojan-activity;sid:80967405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"breakthebubble.nl"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104304/; classtype:trojan-activity;sid:80967404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"alfa-des.pro"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104303/; classtype:trojan-activity;sid:80967403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_information/2019-01/"; http_uri; depth:39; isdataat:!1,relative; content:"expoluxo.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104302/; classtype:trojan-activity;sid:80967402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=vd95itbgtknzfmm-2fzam2bbiasopkyomkettdo9fxgjmmafy7ozgagcjchmyhe8yoloqevmidk3sgstgvhg94fw-3d-3d_3u4p1y-2b0wghyomlemyjqlwr22d5ie9w0smyoxhbqcdtxmmz9aoegwj89g6awstcxgjyleous0vtyn6o7jl4qriygnjt60y6vibzjn-2f4cnu78ghqxpyovvtxivadhehyrifbjsf2j2dmwj1x2xs4ue5verrgqra30p6sfgm-2fthnmx-2fj05jhwzgn9v4pofhulw-2f5ewx5xmatjutcoyydbqr66hlio3zzbo3fmdvzfcbvu-3d/"; http_uri; depth:357; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104301/; classtype:trojan-activity;sid:80967401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"tubiepornhub.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104300/; classtype:trojan-activity;sid:80967400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/012019/"; http_uri; depth:19; isdataat:!1,relative; content:"kisfino.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104299/; classtype:trojan-activity;sid:80967399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"locksmithhollywoodweb.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104298/; classtype:trojan-activity;sid:80967398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=gsshussf8sqmnjcxebn6onr5c8crbjguhl3lqusmhlnkowckb1cl2ttchwlkjykr-2fwssz7qlz-2bevp-2fg5-2fh4frq-3d-3d_felol2apnvw-2f26iod3okckxhdefkvyhp2sqyv-2fhwiygeewd-2fbjnzjexwfim9nvcl9hcb36ak68euzbonyfr0u2i4fdzujh-2fxa-2fe3cayxsojrsi9xcuxhfpj0vrb2gpjxcwbmc4yfbhknfmyjwzvi9bffkhmc-2fmwxrujxcy29of72xj4hrvkxjhmbdsq8gyqnqqpjzg8kr3vj9xoon0buvpxyqvyu8rrb3vh2smzamfq-3d/"; http_uri; depth:365; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104297/; classtype:trojan-activity;sid:80967397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=ifs9ztbgmqh-2bjxl9ptnymnqrgddybemhsml9ly5err-2bt9pg090dvqnl5b-2becoz-2fig16nxhqz12c5qgnmarm0na-3d-3d_i2gsobdljnvaau3jd8d4hbx3imwwolo9thjz1uoz-2b-2fhvbmqvbsp5qcjk4u-2b54zenzq1jlcjaowywcx4condftq-2fo3gk5ixjfdl08koejwvmn-2bytddyaxx-2bi2uzg7js2wfyi9pftyhtjyufkyb3d41lf3gruz9hqmfb75tlzjghb3-2f0s6jlpabznzbcdf15g49jb-2fsibxerset44n7r31ur7cedslqfy6vjo7mdjqi-2fc-3d/"; http_uri; depth:371; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104296/; classtype:trojan-activity;sid:80967396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=ifs9ztbgmqh-2bjxl9ptnymnqrgddybemhsml9ly5err-2bt9pg090dvqnl5b-2becoz-2fig16nxhqz12c5qgnmarm0na-3d-3d_o5avxp8blfgdp4x4xngd2kyyzhsf-2f7hklroirmesw-2bh9et29-2fptwhiiotkpq-2frogre03rhral-2f-2bpjg7lyfdtkbtadrtz0qr1hpum3azx03byshwxra3u4o9jyg50a5dcom7drm64bd7w1ai0lmmwrbiqfxfiwaxyxdt6kflsdl0fqi1ncfmr4hjbzsxe-2btlxwskbhbn68garzgkhthkc-2bggghlp0bevdyiqx4rltm7u-3d/"; http_uri; depth:369; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104295/; classtype:trojan-activity;sid:80967395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transaction_details/012019"; http_uri; depth:37; isdataat:!1,relative; content:"healthsbouquet.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104294/; classtype:trojan-activity;sid:80967394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xrvvm3r_gsfzoene/"; http_uri; depth:18; isdataat:!1,relative; content:"kantova.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104293/; classtype:trojan-activity;sid:80967393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/brg_4tb3uek0n/"; http_uri; depth:15; isdataat:!1,relative; content:"www.motoruitjes.nl"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104292/; classtype:trojan-activity;sid:80967392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pnkax_fai9jc/"; http_uri; depth:14; isdataat:!1,relative; content:"radwomenbusinessowners.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104291/; classtype:trojan-activity;sid:80967391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ye09ujm_1tjzk_0/"; http_uri; depth:17; isdataat:!1,relative; content:"linkingphase.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104290/; classtype:trojan-activity;sid:80967390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/9cbqqgip_ybdeleomn/"; http_uri; depth:20; isdataat:!1,relative; content:"intraelectronics.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104289/; classtype:trojan-activity;sid:80967389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wmfuxxu_bf8c_ccjhm/"; http_uri; depth:20; isdataat:!1,relative; content:"www.codienlanhnme.vn"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104288/; classtype:trojan-activity;sid:80967388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mfn6gsx_fcdqwb8/"; http_uri; depth:17; isdataat:!1,relative; content:"modern-autoparts.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104287/; classtype:trojan-activity;sid:80967387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qyrm-ld6_bzvb-u8z/inv/897231384/en/7-past-due-invoices/"; http_uri; depth:56; isdataat:!1,relative; content:"ar.caginerhastanesi.com.tr"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104286/; classtype:trojan-activity;sid:80967386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pxhnn-t0yc_ftwgcxirk-v5/comet/signs/payment/notification/01/16/2019/en_us/3-past-due-invoices/"; http_uri; depth:95; isdataat:!1,relative; content:"rastkultur.de"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104285/; classtype:trojan-activity;sid:80967385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xwmxp-qidi_svovmffa-n8/en_en/invoice-number-293599/"; http_uri; depth:52; isdataat:!1,relative; content:"www.wins-power.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104284/; classtype:trojan-activity;sid:80967384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ifpuj-m9_fmmir-mtb/ext/paymentstatus/en_en/invoices-overdue/"; http_uri; depth:61; isdataat:!1,relative; content:"www.islandeccsites.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104283/; classtype:trojan-activity;sid:80967383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_information/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"amritmachinerycorpn.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104282/; classtype:trojan-activity;sid:80967382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/01_19/"; http_uri; depth:22; isdataat:!1,relative; content:"www.comparto.com.br"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104281/; classtype:trojan-activity;sid:80967381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions-details/01_19/"; http_uri; depth:38; isdataat:!1,relative; content:"margatepanelbeaters.co.za"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104280/; classtype:trojan-activity;sid:80967380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wisest/hwid.exe"; http_uri; depth:16; isdataat:!1,relative; content:"23.249.173.202"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104279/; classtype:trojan-activity;sid:80967379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/documents/01_19/"; http_uri; depth:24; isdataat:!1,relative; content:"www.wholehealthcrew.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104278/; classtype:trojan-activity;sid:80967378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/documents/012019/"; http_uri; depth:25; isdataat:!1,relative; content:"www.ozawabag.shop"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104276/; classtype:trojan-activity;sid:80967376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"www.matchapai.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104275/; classtype:trojan-activity;sid:80967375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/attachments/01_19/"; http_uri; depth:26; isdataat:!1,relative; content:"thebitcoinengine.crownmanagers.com"; http_host; depth:34; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104274/; classtype:trojan-activity;sid:80967374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments/012019/"; http_uri; depth:27; isdataat:!1,relative; content:"sofathugian.vn"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104273/; classtype:trojan-activity;sid:80967373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgi-bin/amazon/en/messages/2019-01/"; http_uri; depth:36; isdataat:!1,relative; content:"mail.gigan.id"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104272/; classtype:trojan-activity;sid:80967372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_transactions/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"en.tag.ir"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104271/; classtype:trojan-activity;sid:80967371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/details/01_19/"; http_uri; depth:22; isdataat:!1,relative; content:"alkonaft007.top"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104270/; classtype:trojan-activity;sid:80967370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apgmh-p5_tvgsos-t2/en_us/invoice-33755029/"; http_uri; depth:43; isdataat:!1,relative; content:"waggrouponline.org"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104269/; classtype:trojan-activity;sid:80967369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tbpdh-5e6x_ktcpl-1j/inv/5972604980/en_us/invoice-receipt/"; http_uri; depth:58; isdataat:!1,relative; content:"tritonwoodworkers.org.au"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104268/; classtype:trojan-activity;sid:80967368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/watxg-elk6b_qxgs-wx/j36/invoicing/en/open-invoices/"; http_uri; depth:52; isdataat:!1,relative; content:"teamphgermany.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104267/; classtype:trojan-activity;sid:80967367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zwqp-zwr_rpdfhbnq-ld/ach/paymentinfo/us/new-order/"; http_uri; depth:51; isdataat:!1,relative; content:"tajiner.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104266/; classtype:trojan-activity;sid:80967366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xcgwn-wc1h_pwyj-wu/ext/paymentstatus/en_en/overdue-payment/"; http_uri; depth:60; isdataat:!1,relative; content:"songlinhtran.vn"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104265/; classtype:trojan-activity;sid:80967365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cvvwo-7t_dpa-52/60131/surveyquestionsen_us/invoice-for-you/"; http_uri; depth:60; isdataat:!1,relative; content:"nsktech.fr"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104264/; classtype:trojan-activity;sid:80967364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fbfd-8nmwx_lkgu-rm/ref/9728954851us_us/need-to-send-the-attachment/"; http_uri; depth:68; isdataat:!1,relative; content:"marsandbarzini.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104263/; classtype:trojan-activity;sid:80967363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/2019-01/"; http_uri; depth:24; isdataat:!1,relative; content:"www.themoonplease.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104262/; classtype:trojan-activity;sid:80967362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transactions/01_19/"; http_uri; depth:30; isdataat:!1,relative; content:"www.agentfox.io"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104261/; classtype:trojan-activity;sid:80967361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"turkishlanguagecourse.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104260/; classtype:trojan-activity;sid:80967360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_messages/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"topablaze.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104259/; classtype:trojan-activity;sid:80967359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments_details/01_19/"; http_uri; depth:31; isdataat:!1,relative; content:"thegablesofyorkcounty.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104258/; classtype:trojan-activity;sid:80967358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"receive.winss.es"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104257/; classtype:trojan-activity;sid:80967357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"razmolana.ir"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104256/; classtype:trojan-activity;sid:80967356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients_transactions/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"qualitybeverages.co.za"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104255/; classtype:trojan-activity;sid:80967355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8fotk26/amazon/en/documents/2019-01/"; http_uri; depth:37; isdataat:!1,relative; content:"noviatour.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104254/; classtype:trojan-activity;sid:80967354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/details/012019/"; http_uri; depth:23; isdataat:!1,relative; content:"maverick-advisory.fr"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104253/; classtype:trojan-activity;sid:80967353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transaction_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"mahsew.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104252/; classtype:trojan-activity;sid:80967352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_messages/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"liveloan.eu"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104251/; classtype:trojan-activity;sid:80967351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/transaction_details/012019/"; http_uri; depth:38; isdataat:!1,relative; content:"healthsbouquet.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104250/; classtype:trojan-activity;sid:80967350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/2019-01/"; http_uri; depth:31; isdataat:!1,relative; content:"directsnel.nl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104249/; classtype:trojan-activity;sid:80967349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/01_19/"; http_uri; depth:22; isdataat:!1,relative; content:"diffenfabrics.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104248/; classtype:trojan-activity;sid:80967348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/clients/01_19/"; http_uri; depth:22; isdataat:!1,relative; content:"dekbedbedrukken.koffie-bekers.nl"; http_host; depth:32; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104247/; classtype:trojan-activity;sid:80967347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments_details/2019-01/"; http_uri; depth:33; isdataat:!1,relative; content:"azimut-volga.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104246/; classtype:trojan-activity;sid:80967346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xtrf-wwkf_yilncf-zo2/us/overdue-payment/"; http_uri; depth:41; isdataat:!1,relative; content:"www.oculista.com.br"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104245/; classtype:trojan-activity;sid:80967345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jztlu-mv_pnwyyahok-mk/invoicecodechanges/en_us/paid-invoice/"; http_uri; depth:61; isdataat:!1,relative; content:"sahlkaran.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104244/; classtype:trojan-activity;sid:80967344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hvfi-f8qxb_ptmhjmlja-hg/ref/249401426us/invoice-24326442/"; http_uri; depth:58; isdataat:!1,relative; content:"mufakkir.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104243/; classtype:trojan-activity;sid:80967343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/csstj-u4ug_orvouk-acd/ref/6260533274en_us/invoice/"; http_uri; depth:51; isdataat:!1,relative; content:"modalook.com.tr"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104242/; classtype:trojan-activity;sid:80967342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/decxr-jh5_ccmsmig-xr/invoice/us/service-report-0658/"; http_uri; depth:53; isdataat:!1,relative; content:"lokanou.webinview.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104241/; classtype:trojan-activity;sid:80967341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tbbfo-hl6vb_ysapdw-ksq/southwire/zoe24822138/en_en/invoice-for-v/d-01/16/2019/"; http_uri; depth:79; isdataat:!1,relative; content:"inventivesports.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104240/; classtype:trojan-activity;sid:80967340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wjrin-eo73j_fordhh-lou/ach/paymentinfo/us_us/service-invoice/"; http_uri; depth:62; isdataat:!1,relative; content:"etihadinnovation.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104239/; classtype:trojan-activity;sid:80967339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pszse-nom_fbiuf-8lb/047839/surveyquestionsus_us/question/"; http_uri; depth:58; isdataat:!1,relative; content:"demo.aspenleafenergy.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104238/; classtype:trojan-activity;sid:80967338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dpzq-t9dxb_enhwk-oc/invoicecodechanges/en_en/invoice-for-c/u-01/16/2019/"; http_uri; depth:73; isdataat:!1,relative; content:"como-consulting.be"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104237/; classtype:trojan-activity;sid:80967337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ghjvx-xihs_hj-17q/en_us/overdue-payment/"; http_uri; depth:41; isdataat:!1,relative; content:"avasri.ir"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104236/; classtype:trojan-activity;sid:80967336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntnm-z5t_iwwvz-alp/southwire/otb308513366/us_us/outstanding-invoices/"; http_uri; depth:70; isdataat:!1,relative; content:"altitudeevents.co.za"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104235/; classtype:trojan-activity;sid:80967335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/orders-details/012019/"; http_uri; depth:33; isdataat:!1,relative; content:"emiratesprefab.ae"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104234/; classtype:trojan-activity;sid:80967334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iti_0vuy_f13/"; http_uri; depth:14; isdataat:!1,relative; content:"denis-99bg.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104233/; classtype:trojan-activity;sid:80967333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ggv_ejwpcn/"; http_uri; depth:12; isdataat:!1,relative; content:"kosolve.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104232/; classtype:trojan-activity;sid:80967332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jyxxcv_82ibravt_k7nwl2nu/"; http_uri; depth:26; isdataat:!1,relative; content:"cardealersforbadcredit.net"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104231/; classtype:trojan-activity;sid:80967331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tro6fqd4_epbfymyjz/"; http_uri; depth:20; isdataat:!1,relative; content:"mercedeslangha.vn"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104230/; classtype:trojan-activity;sid:80967330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jko_vkzlyc_v1p6jev59/"; http_uri; depth:22; isdataat:!1,relative; content:"rdweb.ir"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104229/; classtype:trojan-activity;sid:80967329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vghcn-ms13_eodobv-apx/ach/paymentinfo/us/open-past-due-orders/"; http_uri; depth:63; isdataat:!1,relative; content:"iw.com.br"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104227/; classtype:trojan-activity;sid:80967327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/track/click/30927887/firstoptionstrading.comp=eyjzijoieuxwd0fwzg9ktdf6cfjprwtnluthrk5szfb3iiwidii6mswicci6intcinvcijozmdkynzg4nyxcinzcijoxlfwidxjsxci6xcjodhrwolxcxc9cxfwvzmlyc3rvchrpb25zdhjhzgluzy5jb21cxfwvburtti1drf9mdufkus03svxcxc9vuzg5xfxcl2ludm9py2luz1xcxc9vu1xcxc8wntmtnzatotm4mziyltg1mi0wntmtnzatotm4mziyltkxm1wilfwiawrcijpcimzkzwqwmtc3zmyzzjqwzwrizgjmy2i2njm1zwe0zjnkxcisxcj1cmxfawrzxci6w1win2rhmmm4mtiwnjkymdeymmyznzu1mgq4yze1y2ywzjyzmdbkm2e0yvwixx0ifq/"; http_uri; depth:462; isdataat:!1,relative; content:"mandrillapp.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104228/; classtype:trojan-activity;sid:80967328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bpsk-evob_syuodc-fw/southwire/fks561573287/en_en/need-to-send-the-attachment/"; http_uri; depth:78; isdataat:!1,relative; content:"gtp.usgtf.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104226/; classtype:trojan-activity;sid:80967326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/zxoaidow7376411/bestellungen/rechnungszahlung/"; http_uri; depth:53; isdataat:!1,relative; content:"djeffares.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104225/; classtype:trojan-activity;sid:80967325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/omcl-pyu_iufoy-vc4/invoice/7487/overpayment/en_us/invoice-receipt/"; http_uri; depth:67; isdataat:!1,relative; content:"www.lapontelloise.fr"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104224/; classtype:trojan-activity;sid:80967324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zvkvs-moo_ngld-qk/ext/paymentstatus/en_us/overdue-payment/"; http_uri; depth:59; isdataat:!1,relative; content:"i-deti.ru"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104223/; classtype:trojan-activity;sid:80967323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uxgji-5m_ntobsltbu-fkv/en_en/6-past-due-invoices/"; http_uri; depth:50; isdataat:!1,relative; content:"molloconsulting.co.za"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104222/; classtype:trojan-activity;sid:80967322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ylqm-fl2_j-eo/0168853/surveyquestionsen_en/question/"; http_uri; depth:53; isdataat:!1,relative; content:"etihadstartups.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104221/; classtype:trojan-activity;sid:80967321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ebgyi-ar21z_la-o5r/invoice/7541/overpayment/en_us/paid-invoice-credit-card-receipt/"; http_uri; depth:84; isdataat:!1,relative; content:"k.iepedacitodecielo.edu.co"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104220/; classtype:trojan-activity;sid:80967320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mdsn-cd_fuajq-7i/us89/invoicing/us/053-70-938322-852-053-70-938322-913/"; http_uri; depth:72; isdataat:!1,relative; content:"firstoptionstrading.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104219/; classtype:trojan-activity;sid:80967319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rzklf-byrdx_cerbzsf-dqq/ext/paymentstatus/en/invoice-3947016/"; http_uri; depth:62; isdataat:!1,relative; content:"anthinhland.onlinenhadat.net"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104218/; classtype:trojan-activity;sid:80967318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/zvikewoq1512050/rechnungskorrektur/details/"; http_uri; depth:50; isdataat:!1,relative; content:"odina-logistic.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104217/; classtype:trojan-activity;sid:80967317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ayjd-q1bif_cdgjh-fg/invoice/16523/overpayment/us/past-due-invoice/"; http_uri; depth:67; isdataat:!1,relative; content:"www.irsoradio.nl"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104216/; classtype:trojan-activity;sid:80967316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/otiy-0ux_dvlq-z2/invoice/65232159/en/outstanding-invoices/"; http_uri; depth:59; isdataat:!1,relative; content:"eirak.co"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104215/; classtype:trojan-activity;sid:80967315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ialrl-yo_a-cp/ach/paymentinfo/en_us/new-order/"; http_uri; depth:47; isdataat:!1,relative; content:"www.sos-secretariat.be"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104214/; classtype:trojan-activity;sid:80967314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/lebql-qjbk_ybdimyai-bqt/paymentstatus/us_us/past-due-invoices/"; http_uri; depth:82; isdataat:!1,relative; content:"altovahealthcare.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104213/; classtype:trojan-activity;sid:80967313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fbkvd-wz4nv_fqjtk-tc/sb82/invoicing/us/scan/"; http_uri; depth:45; isdataat:!1,relative; content:"doctor.fpik.ub.ac.id"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104212/; classtype:trojan-activity;sid:80967312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/drizicti7514162/rechnungs-docs/rech/"; http_uri; depth:43; isdataat:!1,relative; content:"itp25.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104211/; classtype:trojan-activity;sid:80967311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/clients_transactions/012019/"; http_uri; depth:39; isdataat:!1,relative; content:"irsoradio.nl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104210/; classtype:trojan-activity;sid:80967310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/information/2019-01/"; http_uri; depth:28; isdataat:!1,relative; content:"old.copyrightessentials.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104209/; classtype:trojan-activity;sid:80967309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"83.40.11.203"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104208/; classtype:trojan-activity;sid:80967308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"62.83.253.78"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104207/; classtype:trojan-activity;sid:80967307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"189.69.124.217"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104206/; classtype:trojan-activity;sid:80967306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/620315789.exe"; http_uri; depth:19; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104205/; classtype:trojan-activity;sid:80967305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/65098771.exe"; http_uri; depth:18; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104204/; classtype:trojan-activity;sid:80967304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/r/osnot"; http_uri; depth:8; isdataat:!1,relative; content:"paste.ee"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104203/; classtype:trojan-activity;sid:80967303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/12059789.exe"; http_uri; depth:18; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104202/; classtype:trojan-activity;sid:80967302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files/htpdho.jpg"; http_uri; depth:17; isdataat:!1,relative; content:"idontknow.moe"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104196/; classtype:trojan-activity;sid:80967296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/messages/01_19/"; http_uri; depth:23; isdataat:!1,relative; content:"infographiemt.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104195/; classtype:trojan-activity;sid:80967295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments/012019/"; http_uri; depth:24; isdataat:!1,relative; content:"welna.comau"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104194/; classtype:trojan-activity;sid:80967294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/errordocs/style/ssj.jpg"; http_uri; depth:24; isdataat:!1,relative; content:"unixfit.moscow"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104193/; classtype:trojan-activity;sid:80967293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_messages/012019"; http_uri; depth:24; isdataat:!1,relative; content:"rahkarinoo.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104192/; classtype:trojan-activity;sid:80967292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/01_19/"; http_uri; depth:18; isdataat:!1,relative; content:"armazem55.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104191/; classtype:trojan-activity;sid:80967291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders_details/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"drinkdirect.co.uk"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104190/; classtype:trojan-activity;sid:80967290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fxxkv-btxqs_pohym-7ee/ext/paymentstatus/en_en/paid-invoice-credit-card-receipt/"; http_uri; depth:80; isdataat:!1,relative; content:"nghiataman.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104189/; classtype:trojan-activity;sid:80967289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"jhelt.net"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104188/; classtype:trojan-activity;sid:80967288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/transactions-details/2019-01/"; http_uri; depth:37; isdataat:!1,relative; content:"atlon.ml"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104187/; classtype:trojan-activity;sid:80967287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/amazon/en/information/2019-01/"; http_uri; depth:50; isdataat:!1,relative; content:"bakerykervan.godohosting.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104186/; classtype:trojan-activity;sid:80967286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/payments/012019/"; http_uri; depth:24; isdataat:!1,relative; content:"welna.com.au"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104185/; classtype:trojan-activity;sid:80967285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"zidanmeubel.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104184/; classtype:trojan-activity;sid:80967284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/01_19/"; http_uri; depth:34; isdataat:!1,relative; content:"7seotools.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104183/; classtype:trojan-activity;sid:80967283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qtwm-favh_vjosz-xu/southwire/kwp644293513/us/scan/"; http_uri; depth:51; isdataat:!1,relative; content:"camisariaalianca.com.br"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104182/; classtype:trojan-activity;sid:80967282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cfjy-2q9i_yq-se/comet/signs/payment/notification/01/16/2019/en/open-past-due-orders/"; http_uri; depth:85; isdataat:!1,relative; content:"advustech.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104181/; classtype:trojan-activity;sid:80967281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/blog/upload/xxvi-m0_ifxlbafq-ep/b59/invoicing/en/inv-370016-po-3v695093/"; http_uri; depth:73; isdataat:!1,relative; content:"askhenry.co.uk"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104180/; classtype:trojan-activity;sid:80967280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/igny-ki_sfubifsg-x3f/invoice/93695/overpayment/en_en/outstanding-invoices/"; http_uri; depth:75; isdataat:!1,relative; content:"dev.umasterov.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104179/; classtype:trojan-activity;sid:80967279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"www.web.pa-cirebon.go.id"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104178/; classtype:trojan-activity;sid:80967278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hofb-8tqh_dlciran-dos/inv/13307forpo/5465530477/us/outstanding-invoices/"; http_uri; depth:73; isdataat:!1,relative; content:"drapart.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104177/; classtype:trojan-activity;sid:80967277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qliw-kbzr_sqfpdoo-uh/invoice/us/service-report-52060/"; http_uri; depth:54; isdataat:!1,relative; content:"dailylinhkien.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104176/; classtype:trojan-activity;sid:80967276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/ekjbebdm9854776/dokumente/rechnungsanschrift/"; http_uri; depth:52; isdataat:!1,relative; content:"tunerg.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104175/; classtype:trojan-activity;sid:80967275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/onrmqgd6150428/rechnungskorrektur/rechnungsanschrift/"; http_uri; depth:60; isdataat:!1,relative; content:"tumbleweedlabs.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104174/; classtype:trojan-activity;sid:80967274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"www.forumcearensedecbh.com.br"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104173/; classtype:trojan-activity;sid:80967273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/tbtfwhxexu1672337/ger/rechnungsanschrift/"; http_uri; depth:48; isdataat:!1,relative; content:"take-one2.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104172/; classtype:trojan-activity;sid:80967272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"inspek.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104171/; classtype:trojan-activity;sid:80967271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"www.csbhaj.com.br"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104170/; classtype:trojan-activity;sid:80967270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"carmennel.co.za"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104169/; classtype:trojan-activity;sid:80967269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/rmrqxubu0844374/de_de/rechnungszahlung/"; http_uri; depth:46; isdataat:!1,relative; content:"pinaster.pl"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104168/; classtype:trojan-activity;sid:80967268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/rmrqxubu0844374/de_de/rechnungszahlung"; http_uri; depth:45; isdataat:!1,relative; content:"pinaster.pl"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104167/; classtype:trojan-activity;sid:80967267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/turkishtours.exe"; http_uri; depth:17; isdataat:!1,relative; content:"jpatela.pt"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104166/; classtype:trojan-activity;sid:80967266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/v1/plugins/media/getdataavk.exe"; http_uri; depth:32; isdataat:!1,relative; content:"www.cnim.mx"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104165/; classtype:trojan-activity;sid:80967265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/payments_details/012019/"; http_uri; depth:35; isdataat:!1,relative; content:"bluepalm.tech"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104163/; classtype:trojan-activity;sid:80967263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/en/information/01_19/"; http_uri; depth:29; isdataat:!1,relative; content:"voldprotekt.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104162/; classtype:trojan-activity;sid:80967262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/orders-details/012019/"; http_uri; depth:30; isdataat:!1,relative; content:"leonardokubrick.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104161/; classtype:trojan-activity;sid:80967261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"jameshunt.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104160/; classtype:trojan-activity;sid:80967260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"casetime.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104159/; classtype:trojan-activity;sid:80967259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"xn--80apaabfhzk7a5ck.xn--p1ai"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104158/; classtype:trojan-activity;sid:80967258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"ghayati.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104157/; classtype:trojan-activity;sid:80967257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/amazon/messages/01_19/"; http_uri; depth:23; isdataat:!1,relative; content:"cnywebservice.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104156/; classtype:trojan-activity;sid:80967256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/01_19/"; http_uri; depth:18; isdataat:!1,relative; content:"broadnepalnews.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104155/; classtype:trojan-activity;sid:80967255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=otiuwt24twivg7t4ijgyrrtynfgykd-2ff6irpjg6zo-2fsemfluieitzdpturrjhgh-2fgmqbi4llfhtwzc4tgl2eiw-3d-3d_nozzatl5gjyhlghxx205epve5qynynplwjedafizlsussk1rw1ymlcha1ljgdkutegftob-2ferk-2fhex0yawmxst398tikyf6khg5-2bmxqnh2b4f2yocyxau6-2bhvfzp3m9sgqd-2byl3bbhgcvnkdi38tofkjbzlbssoulebi3h-2f1d3ip8rjbplxc0cce7grghxxgnatr-2btmgdeimfrq8db1iee-2bcz9cs-2baiodabumlot73u-3d/"; http_uri; depth:369; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104154/; classtype:trojan-activity;sid:80967254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"katyremodelingpros.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104153/; classtype:trojan-activity;sid:80967253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/rechnungen/01_19/"; http_uri; depth:37; isdataat:!1,relative; content:"amerigau.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104152/; classtype:trojan-activity;sid:80967252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/012019/"; http_uri; depth:19; isdataat:!1,relative; content:"test2.flyingsteel.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104151/; classtype:trojan-activity;sid:80967251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vnc32.rar"; http_uri; depth:10; isdataat:!1,relative; content:"194.76.225.10"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104150/; classtype:trojan-activity;sid:80967250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vnc64.rar"; http_uri; depth:10; isdataat:!1,relative; content:"194.76.225.10"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104149/; classtype:trojan-activity;sid:80967249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/health/problem.eml"; http_uri; depth:19; isdataat:!1,relative; content:"retoast.org"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104148/; classtype:trojan-activity;sid:80967248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/:u:/g/personal/kwells_afjv_com_au/ezc8zddxcntglqhxe7tr-v8bnqwp7qfccsvjy7zr4j1hkqe=g1du0v|26|download=1"; http_uri; depth:103; isdataat:!1,relative; content:"afjv-my.sharepoint.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104147/; classtype:trojan-activity;sid:80967247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/:u:/g/personal/jim_malbac_com_au/eei9ssbalvhbihxikdd3ihubz_0-4wkruqzgluekfmgurwe=bzc4z1|26|download=1"; http_uri; depth:102; isdataat:!1,relative; content:"malbacptyltd-my.sharepoint.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104146/; classtype:trojan-activity;sid:80967246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"220.135.76.199"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104145/; classtype:trojan-activity;sid:80967245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/bizworx/images/sserv.jpg"; http_uri; depth:43; isdataat:!1,relative; content:"www.michiganmastereltiempo.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104144/; classtype:trojan-activity;sid:80967244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/st17gg/ssmk1501.exe"; http_uri; depth:20; isdataat:!1,relative; content:"fribola.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104143/; classtype:trojan-activity;sid:80967243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1fz_1d4et_xleeo1aao/"; http_uri; depth:21; isdataat:!1,relative; content:"tariu.gogloba.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104142/; classtype:trojan-activity;sid:80967242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hhtb_gynux2nw/"; http_uri; depth:15; isdataat:!1,relative; content:"mail.m2-sac.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104141/; classtype:trojan-activity;sid:80967241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/c32vyd0_2lrb_qpets/"; http_uri; depth:20; isdataat:!1,relative; content:"www.elcodrilling.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104140/; classtype:trojan-activity;sid:80967240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/djxu_xhq4et9b_kds/"; http_uri; depth:19; isdataat:!1,relative; content:"lakewoods.net"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104139/; classtype:trojan-activity;sid:80967239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mfn6gsx_fcdqwb8/"; http_uri; depth:17; isdataat:!1,relative; content:"www.modern-autoparts.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104138/; classtype:trojan-activity;sid:80967238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/vacaciones/content/ssj.jpg"; http_uri; depth:45; isdataat:!1,relative; content:"vacacionespuntacana.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104137/; classtype:trojan-activity;sid:80967237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentynineteen/fonts/sserv.jpg"; http_uri; depth:49; isdataat:!1,relative; content:"expeditionabroad.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104136/; classtype:trojan-activity;sid:80967236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jst4rs00/jsmk14011.exe"; http_uri; depth:23; isdataat:!1,relative; content:"fribola.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104135/; classtype:trojan-activity;sid:80967235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyseventeen/template-parts/footer/sserv.jpg"; http_uri; depth:66; isdataat:!1,relative; content:"laconcernedparents.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104134/; classtype:trojan-activity;sid:80967234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/oyagwvn8100931/scan/doc/"; http_uri; depth:31; isdataat:!1,relative; content:"ipeople.vn"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104133/; classtype:trojan-activity;sid:80967233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/drupal-6.15/sites/default/files/de_de/wuilsxvjv9707369/rechnungs/rechnungszahlung/"; http_uri; depth:83; isdataat:!1,relative; content:"gunk.insol.be"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104132/; classtype:trojan-activity;sid:80967232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/drizicti7514162/rechnungs-docs/rech/"; http_uri; depth:43; isdataat:!1,relative; content:"itp25.com"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104131/; classtype:trojan-activity;sid:80967231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/pdyikwot9286173/rechnung/rechnung/"; http_uri; depth:41; isdataat:!1,relative; content:"oceangate.parkhomes.vn"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104130/; classtype:trojan-activity;sid:80967230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pvazyrr9694081/de/doc/"; http_uri; depth:23; isdataat:!1,relative; content:"homeafrica.co.tz"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104129/; classtype:trojan-activity;sid:80967229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vdtdcc2636944/scan/rechnungszahlung/"; http_uri; depth:37; isdataat:!1,relative; content:"bem.hukum.ub.ac.id"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104128/; classtype:trojan-activity;sid:80967228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/ltruafmy3068566/de/fakturierung/"; http_uri; depth:39; isdataat:!1,relative; content:"runtah.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104127/; classtype:trojan-activity;sid:80967227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/ucuordyij7907481/dokumente/doc-dokument/"; http_uri; depth:44; isdataat:!1,relative; content:"admaacademy.sk"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104126/; classtype:trojan-activity;sid:80967226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/jtdvkbxwvk9581104/rechnungs-details/zahlung/"; http_uri; depth:51; isdataat:!1,relative; content:"hmao.planetasvet.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104125/; classtype:trojan-activity;sid:80967225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zynjl-dy0pu_dlhk-vtp/ach/paymentinfo/us/open-past-due-orders/"; http_uri; depth:62; isdataat:!1,relative; content:"www.needrelax.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104124/; classtype:trojan-activity;sid:80967224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/pkyway5135149/de/details/"; http_uri; depth:37; isdataat:!1,relative; content:"ipf-isol.pt"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104123/; classtype:trojan-activity;sid:80967223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/pozhzux7044772/gescanntes-dokument/rechnungsanschrift/"; http_uri; depth:61; isdataat:!1,relative; content:"thebitcoinengine.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104122/; classtype:trojan-activity;sid:80967222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dnhktrwbsr0640557/dokumente/zahlungserinnerung/"; http_uri; depth:48; isdataat:!1,relative; content:"b2b.supernova.com.tr"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104121/; classtype:trojan-activity;sid:80967221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/veevgmo4349541/ger/rech/"; http_uri; depth:31; isdataat:!1,relative; content:"old.tsn-shato.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104120/; classtype:trojan-activity;sid:80967220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/rxaijf6696778/scan/rechnung/"; http_uri; depth:32; isdataat:!1,relative; content:"yjwan77.dothome.co.kr"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104119/; classtype:trojan-activity;sid:80967219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lisss-kwd2a_vzgvirzzv-sbh/southwire/gxw3822620926/en/new-order/"; http_uri; depth:64; isdataat:!1,relative; content:"mail.komunalservice.am"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104118/; classtype:trojan-activity;sid:80967218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/ojlfhp4792745/rechnungs-details/rechnung/"; http_uri; depth:48; isdataat:!1,relative; content:"tver.planetasvet.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104117/; classtype:trojan-activity;sid:80967217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/brxkq-r2rsj_pbqikmby-fd/paymentstatus/en/invoice-for-you/"; http_uri; depth:58; isdataat:!1,relative; content:"wordpress-147603-423492.cloudwaysapps.com"; http_host; depth:41; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104116/; classtype:trojan-activity;sid:80967216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rpav-scj_mp-lrb/invoice/us/open-past-due-orders/"; http_uri; depth:49; isdataat:!1,relative; content:"mange-gode-blogs.dk"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104115/; classtype:trojan-activity;sid:80967215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/januar2019/tadttdkk5244246/de/rechnungsanschrift/"; http_uri; depth:59; isdataat:!1,relative; content:"cbc-platform.org"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104114/; classtype:trojan-activity;sid:80967214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/envo-magazine/template-parts/sserv.jpg"; http_uri; depth:57; isdataat:!1,relative; content:"significadoswords.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104113/; classtype:trojan-activity;sid:80967213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/stgbr/smk1401.exe"; http_uri; depth:18; isdataat:!1,relative; content:"fribola.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104112/; classtype:trojan-activity;sid:80967212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/client64.bin"; http_uri; depth:13; isdataat:!1,relative; content:"185.189.149.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104111/; classtype:trojan-activity;sid:80967211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/client32.bin"; http_uri; depth:13; isdataat:!1,relative; content:"185.189.149.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104110/; classtype:trojan-activity;sid:80967210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/az.rar"; http_uri; depth:7; isdataat:!1,relative; content:"185.189.149.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104109/; classtype:trojan-activity;sid:80967209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mkcdniehfurg.pngbg=it01"; http_uri; depth:24; isdataat:!1,relative; content:"help.postsupport.net"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104108/; classtype:trojan-activity;sid:80967208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/vacaciones/content/sserv.jpg"; http_uri; depth:47; isdataat:!1,relative; content:"vacacionespuntacana.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104107/; classtype:trojan-activity;sid:80967207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyseventeen/inc/sserv.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"hotrosieunhanh.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104106/; classtype:trojan-activity;sid:80967206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xzlolfnssf/"; http_uri; depth:12; isdataat:!1,relative; content:"kids-education-support.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104105/; classtype:trojan-activity;sid:80967205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tvprrkdt/"; http_uri; depth:10; isdataat:!1,relative; content:"mimiabner.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104104/; classtype:trojan-activity;sid:80967204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wmk5xming/"; http_uri; depth:11; isdataat:!1,relative; content:"leptokurtosis.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104103/; classtype:trojan-activity;sid:80967203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wk0mdrvgzw/"; http_uri; depth:12; isdataat:!1,relative; content:"evoqueart.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104102/; classtype:trojan-activity;sid:80967202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cjf6hpn7/"; http_uri; depth:10; isdataat:!1,relative; content:"www.odesagroup.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104101/; classtype:trojan-activity;sid:80967201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"improve-it.uy"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104100/; classtype:trojan-activity;sid:80967200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/rechnungen/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"ojoquesecasan.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104099/; classtype:trojan-activity;sid:80967199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"antigua.aguilarnoticias.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104098/; classtype:trojan-activity;sid:80967198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"lap-mang-vnpt.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104097/; classtype:trojan-activity;sid:80967197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"jongewolf.nl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104096/; classtype:trojan-activity;sid:80967196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"binderdate.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104095/; classtype:trojan-activity;sid:80967195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"jasonpatzfahl.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104094/; classtype:trojan-activity;sid:80967194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"ftp.barcelonahealthy.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104093/; classtype:trojan-activity;sid:80967193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"ppengenharia.com.br"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104092/; classtype:trojan-activity;sid:80967192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"yandexalfa.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104091/; classtype:trojan-activity;sid:80967191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"ufa.planetasvet.ru"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104090/; classtype:trojan-activity;sid:80967190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/012019/"; http_uri; depth:19; isdataat:!1,relative; content:"bozziro.ir"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104089/; classtype:trojan-activity;sid:80967189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"reinhardtengelbrecht.co.za"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104088/; classtype:trojan-activity;sid:80967188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"statybosteise.lt"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104087/; classtype:trojan-activity;sid:80967187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"www.brasileiras.pt"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104086/; classtype:trojan-activity;sid:80967186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"mahin-news.ir"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104085/; classtype:trojan-activity;sid:80967185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"sugar.islandeccsites.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104084/; classtype:trojan-activity;sid:80967184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"lagbag.it"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104083/; classtype:trojan-activity;sid:80967183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tjb189/jsmk1401.exe"; http_uri; depth:20; isdataat:!1,relative; content:"fribola.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104082/; classtype:trojan-activity;sid:80967182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/bizworx/images/sserv.jpg"; http_uri; depth:43; isdataat:!1,relative; content:"michiganmastereltiempo.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104081/; classtype:trojan-activity;sid:80967181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/man.exe"; http_uri; depth:8; isdataat:!1,relative; content:"derrysmith.5gbfree.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104080/; classtype:trojan-activity;sid:80967180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/dftphaqll6932712/de/rech/"; http_uri; depth:37; isdataat:!1,relative; content:"saintjohnscba.com.ar"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104079/; classtype:trojan-activity;sid:80967179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/docropool.exe"; http_uri; depth:14; isdataat:!1,relative; content:"a46.bulehero.in"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104078/; classtype:trojan-activity;sid:80967178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files/0321124001547570957/ups-delivery-notification-1z074y0a0390613255_2019-01-15_19-44%281%29.zip|26|rpsnv=83fdc3407ccf68718bfb9aaddefa7cc0e40529db"; http_uri; depth:149; isdataat:!1,relative; content:"dw.convertfiles.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104077/; classtype:trojan-activity;sid:80967177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binderkvasa.exe"; http_uri; depth:16; isdataat:!1,relative; content:"binderkvasa.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104076/; classtype:trojan-activity;sid:80967176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/efflwcz2157103/de_de/fakturierung"; http_uri; depth:37; isdataat:!1,relative; content:"thelivingstonfamily.net"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104075/; classtype:trojan-activity;sid:80967175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/obsmqo8348602/dokumente/zahlung/"; http_uri; depth:36; isdataat:!1,relative; content:"vakschoenmakerijbolle.nl"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104074/; classtype:trojan-activity;sid:80967174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/obsmqo8348602/dokumente/zahlung"; http_uri; depth:35; isdataat:!1,relative; content:"vakschoenmakerijbolle.nl"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104073/; classtype:trojan-activity;sid:80967173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyseventeen/template-parts/footer/ssj.jpg"; http_uri; depth:64; isdataat:!1,relative; content:"laconcernedparents.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104072/; classtype:trojan-activity;sid:80967172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/st15/smk1501.exe"; http_uri; depth:17; isdataat:!1,relative; content:"fribola.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104071/; classtype:trojan-activity;sid:80967171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/111x.exe"; http_uri; depth:14; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104070/; classtype:trojan-activity;sid:80967170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/2201578901.exe"; http_uri; depth:20; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104069/; classtype:trojan-activity;sid:80967169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/vacaciones/admin/core/ssj.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"vacacionespuntacana.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104068/; classtype:trojan-activity;sid:80967168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/ssj.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"essou9.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104067/; classtype:trojan-activity;sid:80967167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/whoj/gasby.exe"; http_uri; depth:15; isdataat:!1,relative; content:"supportwip.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104066/; classtype:trojan-activity;sid:80967166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dendrocloud/download/dendrocloud_1_47.zip"; http_uri; depth:42; isdataat:!1,relative; content:"gis.tuzvo.sk"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104065/; classtype:trojan-activity;sid:80967165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fdutnyoqjz5768806/scan/zahlungserinnerung/"; http_uri; depth:43; isdataat:!1,relative; content:"www.ongeveergratis.nl"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104064/; classtype:trojan-activity;sid:80967164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cwde-recet_fnjnrplj-39g/3612847/surveyquestionsus_us/past-due-invoices/"; http_uri; depth:72; isdataat:!1,relative; content:"outdoorhikingtrek.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104063/; classtype:trojan-activity;sid:80967163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/nuiqfyx6511712/bestellungen/rechnungszahlung/"; http_uri; depth:49; isdataat:!1,relative; content:"web.pa-cirebon.go.id"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104062/; classtype:trojan-activity;sid:80967162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/vjdcnoin0671082/dokumente/rechnung/"; http_uri; depth:42; isdataat:!1,relative; content:"shlifovka.by"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104061/; classtype:trojan-activity;sid:80967161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/hjcifkkg7114659/rechnungs-details/fakturierung/"; http_uri; depth:51; isdataat:!1,relative; content:"sosh47.citycheb.ru"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104060/; classtype:trojan-activity;sid:80967160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/yvamigfxt1441342/rechnungs-details/details/"; http_uri; depth:50; isdataat:!1,relative; content:"therxreview.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104059/; classtype:trojan-activity;sid:80967159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/efflwcz2157103/de_de/fakturierung/"; http_uri; depth:38; isdataat:!1,relative; content:"thelivingstonfamily.net"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104058/; classtype:trojan-activity;sid:80967158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/vtvkauwc3556017/rechnung/rech/"; http_uri; depth:37; isdataat:!1,relative; content:"stoutarc.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104057/; classtype:trojan-activity;sid:80967157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"elsgroup.mk"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104056/; classtype:trojan-activity;sid:80967156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/012019/"; http_uri; depth:19; isdataat:!1,relative; content:"hidrofire.greenstudio.co"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104055/; classtype:trojan-activity;sid:80967155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"www.xn--d1albnc.xn--p1ai"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104054/; classtype:trojan-activity;sid:80967154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"novo.cotia.sp.gov.br"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104053/; classtype:trojan-activity;sid:80967153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=amikyxv2mtziwfvrkserjzcerhghnhk0s0eympuehut-2fwmsfcsopdghsy9fdl6-2bvsj8deefwcvglqbvvss05mvdl3zk4-2fjzq-2borjxuckzdq-3d_ofleguaja-2bclqfdphyxnpp81vipfqp882xgi-2fmckpe1fq-2bu2ng9v-2bclgzka-2fiq1gejg8mxbtq1ijfkkee-2bmb3-2bpkozpydoua0kssnint-2bnre8xxvkauygwavsuvzayoddb7lmonuaxgipmxaqchvedueqoagspk8yn6wbkgoaxgxocz1-2fv7mljdjynqmv04jmzj0kzflkxa4wptxq4g5c8foldb9iaaezwvpudn5qx0-3d/"; http_uri; depth:389; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104052/; classtype:trojan-activity;sid:80967152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/01_19/"; http_uri; depth:18; isdataat:!1,relative; content:"tunerg.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104051/; classtype:trojan-activity;sid:80967151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"regenerationcongo.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104050/; classtype:trojan-activity;sid:80967150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"zentera93.de"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104049/; classtype:trojan-activity;sid:80967149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"moefelt.dk"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104048/; classtype:trojan-activity;sid:80967148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/plesk-stat/rechnung/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"noplu.de"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104047/; classtype:trojan-activity;sid:80967147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnung/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"toshitakahashi.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104046/; classtype:trojan-activity;sid:80967146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/01_19/"; http_uri; depth:18; isdataat:!1,relative; content:"www.rossiodontologia.com.br"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104045/; classtype:trojan-activity;sid:80967145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/01_19/"; http_uri; depth:18; isdataat:!1,relative; content:"mywebnerd.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104044/; classtype:trojan-activity;sid:80967144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungen/01_19/"; http_uri; depth:18; isdataat:!1,relative; content:"www.reparaties-ipad.nl"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104043/; classtype:trojan-activity;sid:80967143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/urla=http://www.lagis.com.tw/ktpf-fc8pm_hexxiuk-hwe/clients_messages/012019|26|c=e1i65uf2kqljndm8haeliklq0ipvats29x7_zplt3ftcwt7nmpwlnmylwknhrh6r2cdw92srjlzxpygjt37nor2tlvqpfrhwfnnl4fqgte4rm|26|typo=1/"; http_uri; depth:202; isdataat:!1,relative; content:"linkprotect.cudasvc.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104042/; classtype:trojan-activity;sid:80967142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"zeelearn.co"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104041/; classtype:trojan-activity;sid:80967141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"allinautomatic.allinautomatic.nl"; http_host; depth:32; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104040/; classtype:trojan-activity;sid:80967140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/bizworx/images/ssj.jpg"; http_uri; depth:41; isdataat:!1,relative; content:"www.michiganmastereltiempo.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104039/; classtype:trojan-activity;sid:80967139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/devita/page-templates/ssj.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"www.kwalityzns.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104038/; classtype:trojan-activity;sid:80967138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyseventeen/template-parts/footer/ssj.jpg"; http_uri; depth:64; isdataat:!1,relative; content:"laconcernedparents.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104037/; classtype:trojan-activity;sid:80967137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/envo-magazine/template-parts/ssj.jpg"; http_uri; depth:55; isdataat:!1,relative; content:"significadoswords.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104036/; classtype:trojan-activity;sid:80967136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyseventeen/inc/ssj.jpg"; http_uri; depth:46; isdataat:!1,relative; content:"hotrosieunhanh.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104035/; classtype:trojan-activity;sid:80967135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentynineteen/fonts/ssj.jpg"; http_uri; depth:47; isdataat:!1,relative; content:"expeditionabroad.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104034/; classtype:trojan-activity;sid:80967134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/sserv.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"lemon-remodeling.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104033/; classtype:trojan-activity;sid:80967133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/eddyreport.hta"; http_uri; depth:20; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104032/; classtype:trojan-activity;sid:80967132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/25087410.exe"; http_uri; depth:18; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104031/; classtype:trojan-activity;sid:80967131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/meditation/css/ssj.jpg"; http_uri; depth:41; isdataat:!1,relative; content:"mitsubishijogjaklaten.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104030/; classtype:trojan-activity;sid:80967130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qcpdit_ln2ip6fhd/"; http_uri; depth:18; isdataat:!1,relative; content:"yogaspaceme.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104029/; classtype:trojan-activity;sid:80967129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"thepuffingtonhost.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104028/; classtype:trojan-activity;sid:80967128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kalon.arm7"; http_uri; depth:16; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104027/; classtype:trojan-activity;sid:80967127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kalon.i686"; http_uri; depth:16; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104026/; classtype:trojan-activity;sid:80967126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kalon.mips"; http_uri; depth:16; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104025/; classtype:trojan-activity;sid:80967125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/plugins/user/profile/profiles/tds%20challan.zip"; http_uri; depth:48; isdataat:!1,relative; content:"www.achat-or-rennes.fr"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104024/; classtype:trojan-activity;sid:80967124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/scripts/css/tax%20payment%20challan.zip"; http_uri; depth:40; isdataat:!1,relative; content:"dynamictechnologies.in"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104023/; classtype:trojan-activity;sid:80967123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bvc/tax%20payment%20challan.zip"; http_uri; depth:32; isdataat:!1,relative; content:"superiorsystems.co.in"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104022/; classtype:trojan-activity;sid:80967122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/plugins/user/profile/tds%20challan.zip"; http_uri; depth:39; isdataat:!1,relative; content:"www.achat-or-rennes.fr"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104021/; classtype:trojan-activity;sid:80967121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xineapple/wp-admin/maint/p1863567.exe"; http_uri; depth:38; isdataat:!1,relative; content:"www.myvcart.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104020/; classtype:trojan-activity;sid:80967120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kalon.mpsl"; http_uri; depth:16; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104019/; classtype:trojan-activity;sid:80967119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kalon.ppc"; http_uri; depth:15; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104018/; classtype:trojan-activity;sid:80967118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kalon.x86"; http_uri; depth:15; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104017/; classtype:trojan-activity;sid:80967117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/drop/css/obr.hta"; http_uri; depth:17; isdataat:!1,relative; content:"www.myvcart.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104016/; classtype:trojan-activity;sid:80967116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tk.exe"; http_uri; depth:7; isdataat:!1,relative; content:"qashdgs.ml"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104015/; classtype:trojan-activity;sid:80967115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sop.exe"; http_uri; depth:8; isdataat:!1,relative; content:"qashdgs.ml"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104014/; classtype:trojan-activity;sid:80967114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nest.exe"; http_uri; depth:9; isdataat:!1,relative; content:"qashdgs.ml"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104013/; classtype:trojan-activity;sid:80967113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kelz.exe"; http_uri; depth:9; isdataat:!1,relative; content:"qashdgs.ml"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104012/; classtype:trojan-activity;sid:80967112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ipadz.exe"; http_uri; depth:10; isdataat:!1,relative; content:"qashdgs.ml"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104011/; classtype:trojan-activity;sid:80967111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ebu.exe"; http_uri; depth:8; isdataat:!1,relative; content:"qashdgs.ml"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104010/; classtype:trojan-activity;sid:80967110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/9110378.exe"; http_uri; depth:17; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104009/; classtype:trojan-activity;sid:80967109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgii/felixreport.hta"; http_uri; depth:21; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104008/; classtype:trojan-activity;sid:80967108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"61.56.180.28"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104007/; classtype:trojan-activity;sid:80967107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"222.119.40.240"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104006/; classtype:trojan-activity;sid:80967106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"114.34.109.34"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104005/; classtype:trojan-activity;sid:80967105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"76.89.234.82"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104004/; classtype:trojan-activity;sid:80967104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kalon.arm5"; http_uri; depth:16; isdataat:!1,relative; content:"185.244.25.114"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104003/; classtype:trojan-activity;sid:80967103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xhdjpb_0sihee1v_ualfk2/"; http_uri; depth:24; isdataat:!1,relative; content:"www.sp11dzm.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104002/; classtype:trojan-activity;sid:80967102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tslcbppp_ywvhz7_wqmr/"; http_uri; depth:22; isdataat:!1,relative; content:"igloo-formation.fr"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104001/; classtype:trojan-activity;sid:80967101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wnfyasys_mslz/"; http_uri; depth:15; isdataat:!1,relative; content:"aramanfood.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104000/; classtype:trojan-activity;sid:80967100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vzzmi_cpjz/"; http_uri; depth:12; isdataat:!1,relative; content:"otohondavungtau.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103999/; classtype:trojan-activity;sid:80967099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2bc_1ahp6fkbd/"; http_uri; depth:15; isdataat:!1,relative; content:"qwatmos.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103998/; classtype:trojan-activity;sid:80967098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vajlo-pta9c_obhskw-wz/inv/0546376forpo/0793060258/en_en/sales-invoice/"; http_uri; depth:71; isdataat:!1,relative; content:"kamdhenu.technoexam.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103997/; classtype:trojan-activity;sid:80967097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nfpf-1wt_ueyoen-ps/ext/paymentstatus/en_en/invoices-overdue/"; http_uri; depth:61; isdataat:!1,relative; content:"en.dejpodsanatsazeh.co.ir"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103996/; classtype:trojan-activity;sid:80967096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lfcf-6ih_uvlhkqzmn-68/invoices/6298/50669/en_us/invoice-for-d/e-01/16/2019/"; http_uri; depth:76; isdataat:!1,relative; content:"jaspinformatica.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103995/; classtype:trojan-activity;sid:80967095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"innio.biz"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103994/; classtype:trojan-activity;sid:80967094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"mail.estysegal.co.il"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103993/; classtype:trojan-activity;sid:80967093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wceks-001p_hzjsovbx-fgz/invoicecodechanges/us/overdue-payment/"; http_uri; depth:63; isdataat:!1,relative; content:"tafftanzania.or.tz"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103992/; classtype:trojan-activity;sid:80967092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"sabugoventures.co.ke"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103991/; classtype:trojan-activity;sid:80967091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/naze-an2_m-x9/ref/828175789us_us/new-order/"; http_uri; depth:44; isdataat:!1,relative; content:"mountainmcc.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103990/; classtype:trojan-activity;sid:80967090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/agvyd-t61_qbr-2a/invoicecodechanges/en_us/paid-invoices/"; http_uri; depth:57; isdataat:!1,relative; content:"faauw6pbwze2.iepedacitodecielo.edu.co"; http_host; depth:37; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103989/; classtype:trojan-activity;sid:80967089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kdrgh-niwt_emq-wy/southwire/hlc97630028/en_en/important-please-read/"; http_uri; depth:69; isdataat:!1,relative; content:"www.xn--dh-fka.at"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103988/; classtype:trojan-activity;sid:80967088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fuou-bhk_zedblvl-6he/southwire/wql43140957/us/open-past-due-orders/"; http_uri; depth:68; isdataat:!1,relative; content:"www.pinskcmm.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103987/; classtype:trojan-activity;sid:80967087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lbuq-ln_x-6lc/invoice/166971856/en_en/invoices-overdue/"; http_uri; depth:56; isdataat:!1,relative; content:"tumestetikfiyatlari.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103986/; classtype:trojan-activity;sid:80967086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ytiyq-4pgm_vto-ila/ext/paymentstatus/en_us/past-due-invoices/"; http_uri; depth:62; isdataat:!1,relative; content:"www.droobedu.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103985/; classtype:trojan-activity;sid:80967085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/ahhskikoat9139910/bestellungen/fakturierung/"; http_uri; depth:51; isdataat:!1,relative; content:"www.streetrod3.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103984/; classtype:trojan-activity;sid:80967084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/xhpjoe3790416/rech/form/"; http_uri; depth:28; isdataat:!1,relative; content:"www.caspiantourist.ir"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103983/; classtype:trojan-activity;sid:80967083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sites/default/files/de/rqtpjz3882750/gescanntes-dokument/rechnungsanschrift/"; http_uri; depth:77; isdataat:!1,relative; content:"www.shengen.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103982/; classtype:trojan-activity;sid:80967082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/bajcrk5576717/dokumente/hilfestellung/"; http_uri; depth:45; isdataat:!1,relative; content:"www.straipsniukatalogas.lt"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103981/; classtype:trojan-activity;sid:80967081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaktion/012019"; http_uri; depth:19; isdataat:!1,relative; content:"zeelearn.co"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103980/; classtype:trojan-activity;sid:80967080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/js/widgets/ecdb-pbh_lgrkq-nj1/8479439/surveyquestionsus_us/invoice-corrections-for-98/45/"; http_uri; depth:99; isdataat:!1,relative; content:"millennialsberkarya.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103979/; classtype:trojan-activity;sid:80967079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rechnungs/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"tacticalintelligence.org"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103978/; classtype:trojan-activity;sid:80967078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zgmr-nk_zgapevmg-er/comet/signs/payment/notification/01/15/2019/us/service-invoice/"; http_uri; depth:84; isdataat:!1,relative; content:"snkpk.fkip.uns.ac.id"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103977/; classtype:trojan-activity;sid:80967077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gekyf-6b_vtnvah-y6x/ext/paymentstatus/en/need-to-send-the-attachment/"; http_uri; depth:70; isdataat:!1,relative; content:"www.immo-en-israel.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103976/; classtype:trojan-activity;sid:80967076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/download/d0a326e07933438fb729cc3edd82e9b0/devid-driver-202993.exe"; http_uri; depth:66; isdataat:!1,relative; content:"eu5-cdn.devid.info"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103975/; classtype:trojan-activity;sid:80967075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/9vjjubv/"; http_uri; depth:9; isdataat:!1,relative; content:"ongeveergratis.nl"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103974/; classtype:trojan-activity;sid:80967074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1u5rfd7x/"; http_uri; depth:10; isdataat:!1,relative; content:"theryangroup.solutions"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103973/; classtype:trojan-activity;sid:80967073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m1bruy5qjj/"; http_uri; depth:12; isdataat:!1,relative; content:"trietlongtangoc.info"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103972/; classtype:trojan-activity;sid:80967072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/cache/gvv9yia7/"; http_uri; depth:27; isdataat:!1,relative; content:"pos.rumen8.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103971/; classtype:trojan-activity;sid:80967071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/del4a8f/"; http_uri; depth:9; isdataat:!1,relative; content:"www.automatizatupyme.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103970/; classtype:trojan-activity;sid:80967070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.x86"; http_uri; depth:16; isdataat:!1,relative; content:"193.148.69.33"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103969/; classtype:trojan-activity;sid:80967069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/update.sh"; http_uri; depth:10; isdataat:!1,relative; content:"46.17.47.244"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103968/; classtype:trojan-activity;sid:80967068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins.sh"; http_uri; depth:8; isdataat:!1,relative; content:"46.17.47.244"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103967/; classtype:trojan-activity;sid:80967067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/2019-01"; http_uri; depth:18; isdataat:!1,relative; content:"cardpremium.com.br"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103966/; classtype:trojan-activity;sid:80967066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/itfa9spcpk/"; http_uri; depth:12; isdataat:!1,relative; content:"alovakiil.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103965/; classtype:trojan-activity;sid:80967065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntquudi1/"; http_uri; depth:10; isdataat:!1,relative; content:"ewencegroup.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103964/; classtype:trojan-activity;sid:80967064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x8jpgxmsn/"; http_uri; depth:11; isdataat:!1,relative; content:"ivydental.vn"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103963/; classtype:trojan-activity;sid:80967063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/f5xu7eupe/"; http_uri; depth:11; isdataat:!1,relative; content:"www.ori35.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103962/; classtype:trojan-activity;sid:80967062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xdbiq1vbr/"; http_uri; depth:11; isdataat:!1,relative; content:"onesixcraft.ltd"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103961/; classtype:trojan-activity;sid:80967061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/2019-01/"; http_uri; depth:17; isdataat:!1,relative; content:"www.logopediaromaeur.it"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103959/; classtype:trojan-activity;sid:80967059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"milagro.com.co"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103957/; classtype:trojan-activity;sid:80967057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"kiot.coop"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103956/; classtype:trojan-activity;sid:80967056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/01_19/"; http_uri; depth:20; isdataat:!1,relative; content:"customs1.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103955/; classtype:trojan-activity;sid:80967055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"activistdibyajyotisaikia.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103954/; classtype:trojan-activity;sid:80967054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uesey-ug_mrfbrms-w9/p526/invoicing/en_en/paid-invoice-credit-card-receipt/"; http_uri; depth:75; isdataat:!1,relative; content:"www.tecneworleans.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103953/; classtype:trojan-activity;sid:80967053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mvfo-vozq_xwzjebz-rr/ach/paymentadvice/us/paid-invoice-credit-card-receipt/"; http_uri; depth:76; isdataat:!1,relative; content:"www.taizer.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103952/; classtype:trojan-activity;sid:80967052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/rwfha-qjol_jiylyxfo-pv/inv/3765841forpo/8505566790/en_en/invoice/"; http_uri; depth:85; isdataat:!1,relative; content:"www.somerset.com.ar"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103951/; classtype:trojan-activity;sid:80967051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/ltcykbnje5969176/rechnungs-details/rechnungsanschrift/"; http_uri; depth:58; isdataat:!1,relative; content:"www.solusiobatherbal.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103950/; classtype:trojan-activity;sid:80967050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hdifv-71q_qv-yr/i352/invoicing/us_us/service-invoice/"; http_uri; depth:54; isdataat:!1,relative; content:"www.soloftp.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103949/; classtype:trojan-activity;sid:80967049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ujtd-spb15_ykxq-tc/invoice/6943/overpayment/en/invoice-79269863-january/"; http_uri; depth:73; isdataat:!1,relative; content:"www.seslibiri.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103948/; classtype:trojan-activity;sid:80967048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/slhp-fmgn_mrr-xc/inv/084073forpo/57754571425/us/document-needed/"; http_uri; depth:65; isdataat:!1,relative; content:"www.mother-earth.net"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103947/; classtype:trojan-activity;sid:80967047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dmyh-mmbje_nvtzfbhtl-7n/455929/surveyquestionsus/invoice/"; http_uri; depth:58; isdataat:!1,relative; content:"www.ip-tes.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103946/; classtype:trojan-activity;sid:80967046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/axepi-t2s1_fyix-vv/inv/401997forpo/5187711320/en_en/paid-invoice/"; http_uri; depth:66; isdataat:!1,relative; content:"www.gonulyayincilik.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103945/; classtype:trojan-activity;sid:80967045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bamxj-yk_aguzkvh-8xr/en_us/companies-invoice-7729809/"; http_uri; depth:54; isdataat:!1,relative; content:"www.glazastiks.ru"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103944/; classtype:trojan-activity;sid:80967044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/hqpfajkk6489287/rechnungs/details/"; http_uri; depth:41; isdataat:!1,relative; content:"www.freedom-financialllc.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103943/; classtype:trojan-activity;sid:80967043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ogbpt-g5rn_fswv-upg/ach/paymentinfo/us_us/need-to-send-the-attachment/"; http_uri; depth:71; isdataat:!1,relative; content:"www.fissionmailed.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103942/; classtype:trojan-activity;sid:80967042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jdizz-l86x_mpzcmnaf-tnj/ach/paymentadvice/us_us/inv-12441-po-8c586861/"; http_uri; depth:71; isdataat:!1,relative; content:"www.etsybizthai.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103941/; classtype:trojan-activity;sid:80967041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ncwum-mc_jxlgmtfsf-fk/invoice/us_us/sales-invoice/"; http_uri; depth:51; isdataat:!1,relative; content:"www.cognitiontraining.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103940/; classtype:trojan-activity;sid:80967040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/infppxh9980256/gescanntes-dokument/zahlungserinnerung/"; http_uri; depth:66; isdataat:!1,relative; content:"www.citygroupkw.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103939/; classtype:trojan-activity;sid:80967039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/ldkqduhsa3654559/rech/zahlungserinnerung/"; http_uri; depth:45; isdataat:!1,relative; content:"www.antique-carpets.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103938/; classtype:trojan-activity;sid:80967038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mjaog-5qa5_bmeo-wdq/paymentstatus/en_us/companies-invoice-3933304/"; http_uri; depth:67; isdataat:!1,relative; content:"www.3dyazicimarket.com.tr"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103937/; classtype:trojan-activity;sid:80967037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gqce-5d_fcmkolhm-ijw/u970/invoicing/us/need-to-send-the-attachment/"; http_uri; depth:68; isdataat:!1,relative; content:"weresolve.ca"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103936/; classtype:trojan-activity;sid:80967036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hpzjv-4cq_lxbep-smh/8246620/surveyquestionsen_us/invoice/"; http_uri; depth:58; isdataat:!1,relative; content:"universobolao.com.br"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103935/; classtype:trojan-activity;sid:80967035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/elzvivalkf2064744/rechnungs/rechnungszahlung/"; http_uri; depth:52; isdataat:!1,relative; content:"tutoproduction.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103934/; classtype:trojan-activity;sid:80967034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gnbg-tk_zr-jf/comet/signs/payment/notification/01/15/2019/us_us/invoice-correct/"; http_uri; depth:81; isdataat:!1,relative; content:"therealdrbill.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103933/; classtype:trojan-activity;sid:80967033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uesey-ug_mrfbrms-w9/p526/invoicing/en_en/paid-invoice-credit-card-receipt/"; http_uri; depth:75; isdataat:!1,relative; content:"tecneworleans.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103932/; classtype:trojan-activity;sid:80967032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/hrtch-0r_jlzqcd-mq8/o788/invoicing/en/paid-invoice/"; http_uri; depth:64; isdataat:!1,relative; content:"teacherinnovator.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103931/; classtype:trojan-activity;sid:80967031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hjyqj-xud4g_ylvrs-sh1/ext/paymentstatus/en/important-please-read/"; http_uri; depth:66; isdataat:!1,relative; content:"tc-jaureguiberry.fr"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103930/; classtype:trojan-activity;sid:80967030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armt-ulahi_sevq-xg/inv/0337474forpo/21645673519/en_en/past-due-invoice/"; http_uri; depth:72; isdataat:!1,relative; content:"studypalette.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103929/; classtype:trojan-activity;sid:80967029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/auqfg-1j_ni-pg/inv/191542forpo/159688852097/us_us/past-due-invoices/"; http_uri; depth:69; isdataat:!1,relative; content:"storylife4you.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103928/; classtype:trojan-activity;sid:80967028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ecdn-0duqc_hkw-zk3/ext/paymentstatus/en_us/paid-invoices/"; http_uri; depth:58; isdataat:!1,relative; content:"squawkcoffeehouse.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103926/; classtype:trojan-activity;sid:80967026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rrnb-smexz_c-b0f/40041/surveyquestionsus_us/scan/"; http_uri; depth:50; isdataat:!1,relative; content:"standart-uk.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103927/; classtype:trojan-activity;sid:80967027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/fyoicvfxr4196590/ger/rechnungszahlung/"; http_uri; depth:45; isdataat:!1,relative; content:"solverpropaganda.com.br"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103925/; classtype:trojan-activity;sid:80967025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fjar-zffpositwdqtuel_duquydev-sf1/"; http_uri; depth:35; isdataat:!1,relative; content:"rossiodontologia.com.br"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103924/; classtype:trojan-activity;sid:80967024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/gjeggqz5087232/de/hilfestellung/"; http_uri; depth:44; isdataat:!1,relative; content:"productvideohut.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103923/; classtype:trojan-activity;sid:80967023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rizmn-hhvu_x-z7/paymentstatus/us_us/open-invoices/"; http_uri; depth:51; isdataat:!1,relative; content:"privatetoursriodejaneiro.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103922/; classtype:trojan-activity;sid:80967022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iuwd-ay_eifz-afg/inv/35896259620/us_us/invoice-number-448033/"; http_uri; depth:62; isdataat:!1,relative; content:"phelieuasia.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103921/; classtype:trojan-activity;sid:80967021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zvpxy-rxw_tcja-1f/z913/invoicing/us/invoice/"; http_uri; depth:45; isdataat:!1,relative; content:"pcengine.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103920/; classtype:trojan-activity;sid:80967020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/kgfjia2987254/dokumente/rechnungsanschrift/"; http_uri; depth:55; isdataat:!1,relative; content:"ontamada.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103919/; classtype:trojan-activity;sid:80967019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xvhg-gt7a_lb-e8/invoice/619377086/us/question/"; http_uri; depth:47; isdataat:!1,relative; content:"ng-tech.ru"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103918/; classtype:trojan-activity;sid:80967018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/njpni-tbpfx_yzehiewbh-3yf/invoice/48481/overpayment/en_en/open-past-due-orders/"; http_uri; depth:80; isdataat:!1,relative; content:"mydrive.theartwall.co.uk"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103917/; classtype:trojan-activity;sid:80967017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hcmwq-8qzzz_mitp-yg/southwire/utd940213930/us_us/outstanding-invoices/"; http_uri; depth:71; isdataat:!1,relative; content:"monrottweiler.fr"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103916/; classtype:trojan-activity;sid:80967016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/mooohai9601427/gescanntes-dokument/doc/"; http_uri; depth:51; isdataat:!1,relative; content:"modern-autoparts.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103915/; classtype:trojan-activity;sid:80967015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/srqac-4nj_jzr-6n/ach/paymentinfo/en_en/new-order/"; http_uri; depth:50; isdataat:!1,relative; content:"leg4.ru"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103914/; classtype:trojan-activity;sid:80967014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bytvpdjgya8152756/bestellungen/rech/"; http_uri; depth:37; isdataat:!1,relative; content:"lassmeder-service.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103913/; classtype:trojan-activity;sid:80967013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sdvn-8b_m-mjo/282349/surveyquestionsen_en/service-invoice/"; http_uri; depth:59; isdataat:!1,relative; content:"kuhniviva.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103912/; classtype:trojan-activity;sid:80967012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qrhq-ohs_vfsbm-iq/invoice/en_en/need-to-send-the-attachment/"; http_uri; depth:61; isdataat:!1,relative; content:"justfinancial.info"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103911/; classtype:trojan-activity;sid:80967011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/shkfq-pq_isvlaws-b3h/08335/surveyquestionsen_en/invoice-42509324/"; http_uri; depth:66; isdataat:!1,relative; content:"isikbahce.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103910/; classtype:trojan-activity;sid:80967010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tmp/yudx-oov1t_reegxoy-vkh/inv/305874329/en_us/past-due-invoice/"; http_uri; depth:65; isdataat:!1,relative; content:"hitechlink.com.vn"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103909/; classtype:trojan-activity;sid:80967009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ilki-qnw_geaqcj-l7q/en/inv-35271-po-2g659605/"; http_uri; depth:46; isdataat:!1,relative; content:"greenplastic.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103907/; classtype:trojan-activity;sid:80967007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wrodk-2m_qgttrkjui-u58/ach/paymentadvice/en_us/invoice/"; http_uri; depth:56; isdataat:!1,relative; content:"hampaweb.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103908/; classtype:trojan-activity;sid:80967008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/azorvicmh7935587/de/zahlungserinnerung/"; http_uri; depth:43; isdataat:!1,relative; content:"estab.org.tr"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103906/; classtype:trojan-activity;sid:80967006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jgnpi-2nk_ot-vc/19835/surveyquestionsen/scan/"; http_uri; depth:46; isdataat:!1,relative; content:"emsivab.se"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103905/; classtype:trojan-activity;sid:80967005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jwaap-yt_uygp-ifj/ach/paymentinfo/en_en/overdue-payment/"; http_uri; depth:57; isdataat:!1,relative; content:"dichvuso.edu.vn"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103904/; classtype:trojan-activity;sid:80967004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ohqh-ww_s-utv/ach/paymentadvice/us/new-order/"; http_uri; depth:46; isdataat:!1,relative; content:"denleddplighting.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103903/; classtype:trojan-activity;sid:80967003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/ndeavscie4629249/rechnungs-details/fakturierung/"; http_uri; depth:55; isdataat:!1,relative; content:"clinic-1.gov.ua"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103902/; classtype:trojan-activity;sid:80967002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/wobagmmm6486799/bestellungen/rechnung/"; http_uri; depth:50; isdataat:!1,relative; content:"chriscrail.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103901/; classtype:trojan-activity;sid:80967001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wsibmhjnf2141241/scan/rechnungsanschrift/"; http_uri; depth:42; isdataat:!1,relative; content:"chervinsky.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103900/; classtype:trojan-activity;sid:80967000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yelyl-ucgy_nufzeq-8d/848018/surveyquestionsus/important-please-read/"; http_uri; depth:69; isdataat:!1,relative; content:"buld.ru"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103899/; classtype:trojan-activity;sid:80966999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/utkpnadyda3279925/rechnungs-details/hilfestellung/"; http_uri; depth:51; isdataat:!1,relative; content:"bomedmobilya.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103898/; classtype:trojan-activity;sid:80966998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zmoe-dr_awjgv-fkg/inv/7473201forpo/86689225664/us_us/paid-invoices/"; http_uri; depth:68; isdataat:!1,relative; content:"black-friday.uno"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103897/; classtype:trojan-activity;sid:80966997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dwrf-wnx8b_sbjm-ec/us_us/outstanding-invoices/"; http_uri; depth:47; isdataat:!1,relative; content:"billfritzjr.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103896/; classtype:trojan-activity;sid:80966996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/hjseejtfa1293851/de/rechnungszahlung/"; http_uri; depth:41; isdataat:!1,relative; content:"avto4x4.ru"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103895/; classtype:trojan-activity;sid:80966995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pbiz-l6l_dfqg-wu/inv/498883721/en_us/open-past-due-orders/"; http_uri; depth:59; isdataat:!1,relative; content:"atkcgnew.evgeni7e.beget.tech"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103894/; classtype:trojan-activity;sid:80966994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vyoh-zrd_idvtatlbi-au/ext/paymentstatus/en/paid-invoice/"; http_uri; depth:57; isdataat:!1,relative; content:"amlgroup.in"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103893/; classtype:trojan-activity;sid:80966993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ivmub-7u2tt_tbriewlti-dy/ach/paymentadvice/us/outstanding-invoices/"; http_uri; depth:68; isdataat:!1,relative; content:"alfa-design.pro"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103892/; classtype:trojan-activity;sid:80966992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fclvq-kk_ybcgt-yl/en/service-report-76163/"; http_uri; depth:43; isdataat:!1,relative; content:"www.balancedmindus.org"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103891/; classtype:trojan-activity;sid:80966991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/beta/de_de/fwywxo4725041/rechnung/rech/"; http_uri; depth:40; isdataat:!1,relative; content:"provillus.biz"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103890/; classtype:trojan-activity;sid:80966990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uile-lvbco_xizd-cnb/inv/037768forpo/0253487417/en_en/scan/"; http_uri; depth:59; isdataat:!1,relative; content:"insecovietnam.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103889/; classtype:trojan-activity;sid:80966989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fuxs-md_bej-tk/invoicecodechanges/en/companies-invoice-96944979/"; http_uri; depth:65; isdataat:!1,relative; content:"www.hjsanders.nl"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103888/; classtype:trojan-activity;sid:80966988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/styslfyqkg0437773/de/doc/"; http_uri; depth:29; isdataat:!1,relative; content:"www.euk.lt"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103887/; classtype:trojan-activity;sid:80966987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uqvvclish1323826/rechnungs-docs/form/"; http_uri; depth:38; isdataat:!1,relative; content:"www.life-and-spice.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103886/; classtype:trojan-activity;sid:80966986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/szghgqnjad5093844/rechnungs-details/hilfestellung/"; http_uri; depth:54; isdataat:!1,relative; content:"www.prirodnadzor-kuban.ru"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103885/; classtype:trojan-activity;sid:80966985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rymib-pepr_ks-olr/invoice/46818008/us/invoice-corrections-for-21/67/"; http_uri; depth:69; isdataat:!1,relative; content:"client.ewc.com.ng"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103884/; classtype:trojan-activity;sid:80966984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/csaon-un_xrikgf-eo/invoices/3588/3696/en_en/new-order/"; http_uri; depth:55; isdataat:!1,relative; content:"everythingfranklin.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103883/; classtype:trojan-activity;sid:80966983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zxvki-x4e3p_t-97l/invoice/8479740/en_en/past-due-invoices/"; http_uri; depth:59; isdataat:!1,relative; content:"pastorsimeon.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103882/; classtype:trojan-activity;sid:80966982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/vtqjzekwt6556816/scan/zahlungserinnerung/"; http_uri; depth:48; isdataat:!1,relative; content:"www.eclecticelectronics.net"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103881/; classtype:trojan-activity;sid:80966981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/v2/urlu=https-3a__mandrillapp.com_track_click_30927887_billfritzjr.com-3fp-3deyjzijoix19bx1hcuxdoc2q2rdyyzjfzmf9vnhhpdniwiiwidii6mswicci6intcinvcijozmdkynzg4nyxcinzcijoxlfwidxjsxci6xcjodhrwolxcxc9cxfwvymlsbgzyaxr6aniuy29txfxcl0r3ckytv054ogjfu2jkbs1ly1xcxc9vu191c1xcxc9pdxrzdgfuzgluzy1jbnzvawnlc1wilfwiawrcijpcimu2mwu0yzeynti0njrkzmrhndu1nzu2ntcwmmi4njzlxcisxcj1cmxfawrzxci6w1wizwyyntfhmgq4ntc2y2y4nmm4ytg1ogiwzmzjzgjkyzbly2q4ota0mlwixx0ifq|26|d=dwmfaq|26|c=tbyyl_dr1tbrhxguavt_iyx6bkxh9yo5qmbpni15jsc|26|r=fm2m1abmatj7xrxgq5cllelp9lsty-sjzlpx0_zqxsm|26|m=ge1d4bekjziixk0pj7g_qlrjkkilhikh4jlnua3b78k|26|s=mkera8mz_hkdqjn65wdorijzxlwrxzl7u2wdonowex8|26|e=/"; http_uri; depth:655; isdataat:!1,relative; content:"urldefense.proofpoint.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103880/; classtype:trojan-activity;sid:80966980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"faszination3d.de"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103879/; classtype:trojan-activity;sid:80966979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/2019-01>/"; http_uri; depth:18; isdataat:!1,relative; content:"logopediaromaeur.it"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103878/; classtype:trojan-activity;sid:80966978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sharppay/gasby.exe"; http_uri; depth:19; isdataat:!1,relative; content:"supportwip.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103877/; classtype:trojan-activity;sid:80966977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fdghfj/sureboy.exe"; http_uri; depth:19; isdataat:!1,relative; content:"supportwip.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103876/; classtype:trojan-activity;sid:80966976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fajaymoney/fajey.exe"; http_uri; depth:21; isdataat:!1,relative; content:"supportwip.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103875/; classtype:trojan-activity;sid:80966975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"1.52.84.2"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103874/; classtype:trojan-activity;sid:80966974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demo/mydemo.exe"; http_uri; depth:16; isdataat:!1,relative; content:"down.qm188.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103873/; classtype:trojan-activity;sid:80966973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ext/setup_tbss.exe"; http_uri; depth:19; isdataat:!1,relative; content:"down.qm188.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103872/; classtype:trojan-activity;sid:80966972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"5.201.130.81"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103871/; classtype:trojan-activity;sid:80966971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qd/setup_205.exe"; http_uri; depth:17; isdataat:!1,relative; content:"down.qm188.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103870/; classtype:trojan-activity;sid:80966970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tino/hills.exe"; http_uri; depth:15; isdataat:!1,relative; content:"vidafilm.mx"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103869/; classtype:trojan-activity;sid:80966969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/01/984656017.jpg"; http_uri; depth:17; isdataat:!1,relative; content:"vektorex.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103868/; classtype:trojan-activity;sid:80966968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_armv4l"; http_uri; depth:9; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103867/; classtype:trojan-activity;sid:80966967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_armv6l"; http_uri; depth:9; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103866/; classtype:trojan-activity;sid:80966966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_sh4"; http_uri; depth:6; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103865/; classtype:trojan-activity;sid:80966965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_armv5l"; http_uri; depth:9; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103863/; classtype:trojan-activity;sid:80966963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_armv7l"; http_uri; depth:9; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103864/; classtype:trojan-activity;sid:80966964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_i586"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103862/; classtype:trojan-activity;sid:80966962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_i686"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103861/; classtype:trojan-activity;sid:80966961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_sparc"; http_uri; depth:8; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103859/; classtype:trojan-activity;sid:80966959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_x86"; http_uri; depth:6; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103860/; classtype:trojan-activity;sid:80966960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_mipsel"; http_uri; depth:9; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103858/; classtype:trojan-activity;sid:80966958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_powerpc"; http_uri; depth:10; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103857/; classtype:trojan-activity;sid:80966957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_m68k"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103855/; classtype:trojan-activity;sid:80966955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k_mips"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.142"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103856/; classtype:trojan-activity;sid:80966956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ofeyd-pr_ijdjpaovo-pkn/southwire/rts227613434/us_us/invoice-4778255/"; http_uri; depth:69; isdataat:!1,relative; content:"lalie-bioty.fr"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103854/; classtype:trojan-activity;sid:80966954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/heq3cdgn_tvvo3ae1q/"; http_uri; depth:20; isdataat:!1,relative; content:"kiber-soft.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103853/; classtype:trojan-activity;sid:80966953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/adfdl_tnvfdcc/"; http_uri; depth:15; isdataat:!1,relative; content:"lidstroy.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103852/; classtype:trojan-activity;sid:80966952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/h4nn9_x736_ajroty/"; http_uri; depth:19; isdataat:!1,relative; content:"jessie-equitation.fr"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103851/; classtype:trojan-activity;sid:80966951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3ghp_fe5b5_77azu/"; http_uri; depth:18; isdataat:!1,relative; content:"nkalitin.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103850/; classtype:trojan-activity;sid:80966950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hxee-xi7u_jtcz-x2/invoices/95240/15265/us/invoice-for-i/g-01/16/2019/"; http_uri; depth:70; isdataat:!1,relative; content:"urbanaturefilmes.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103849/; classtype:trojan-activity;sid:80966949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wfdlx-jidc_iikmrxkhy-kw/878963/surveyquestionsen_us/need-to-send-the-attachment/"; http_uri; depth:81; isdataat:!1,relative; content:"pmracing.it"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103848/; classtype:trojan-activity;sid:80966948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/zjxzkdarpp2446969/de_de/details/"; http_uri; depth:39; isdataat:!1,relative; content:"giaybespoke.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103847/; classtype:trojan-activity;sid:80966947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/herlebsro9612047/rechnungs/details/"; http_uri; depth:39; isdataat:!1,relative; content:"restoran-maligan.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103846/; classtype:trojan-activity;sid:80966946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zrxm-yst2_uddpafjn-rb/invoicecodechanges/en_us/companies-invoice-34834023/"; http_uri; depth:75; isdataat:!1,relative; content:"ori-motivator.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103845/; classtype:trojan-activity;sid:80966945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/lluymbgnkz2723237/de/rechnungszahlung/"; http_uri; depth:45; isdataat:!1,relative; content:"zasadulin.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103844/; classtype:trojan-activity;sid:80966944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/denf-gja_lelyod-ope/ach/paymentinfo/en_en/invoice-4287713/"; http_uri; depth:59; isdataat:!1,relative; content:"pcokey.ru"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103843/; classtype:trojan-activity;sid:80966943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kdpfp-vyc_vbaktoyl-2e/476308/surveyquestionsus_us/open-invoices/"; http_uri; depth:65; isdataat:!1,relative; content:"stats.emalaya.org"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103842/; classtype:trojan-activity;sid:80966942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/ycloxmqyd3571481/rechnung/form/"; http_uri; depth:38; isdataat:!1,relative; content:"lineageforum.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103841/; classtype:trojan-activity;sid:80966941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/zvohzlaojo4450541/rechnungs-details/doc-dokument/"; http_uri; depth:61; isdataat:!1,relative; content:"biometricsystems.ru"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103840/; classtype:trojan-activity;sid:80966940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pdlqi-9h7za_lgb-oc/ref/59544797us_us/need-to-send-the-attachment/"; http_uri; depth:66; isdataat:!1,relative; content:"pivmag02.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103839/; classtype:trojan-activity;sid:80966939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/myulp-pr_sxfpdkr-zl/southwire/qbx924743500/us_us/paid-invoices/"; http_uri; depth:64; isdataat:!1,relative; content:"www.pwpami.pl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103838/; classtype:trojan-activity;sid:80966938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yztx-u1bj_pdk-qft/invoice/8988554/us_us/new-order/"; http_uri; depth:51; isdataat:!1,relative; content:"freelancecommunication.fr"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103837/; classtype:trojan-activity;sid:80966937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/asm_i9n5bkz/"; http_uri; depth:13; isdataat:!1,relative; content:"salonbellasa.sk"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103836/; classtype:trojan-activity;sid:80966936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/2019-01/"; http_uri; depth:19; isdataat:!1,relative; content:"palmbeach-hurghada.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103835/; classtype:trojan-activity;sid:80966935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_messages/01_19/"; http_uri; depth:24; isdataat:!1,relative; content:"chalespaubrasil.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103834/; classtype:trojan-activity;sid:80966934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"www.faszination3d.de"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103833/; classtype:trojan-activity;sid:80966933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/012019/"; http_uri; depth:16; isdataat:!1,relative; content:"officeslave.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103832/; classtype:trojan-activity;sid:80966932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaction_details/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"z-prava.ru"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103831/; classtype:trojan-activity;sid:80966931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/01_19/"; http_uri; depth:15; isdataat:!1,relative; content:"bankingtech.vn"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103830/; classtype:trojan-activity;sid:80966930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/messages/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"sv-piterstroy.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103829/; classtype:trojan-activity;sid:80966929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"www.ibnkhaldun.edu.my"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103828/; classtype:trojan-activity;sid:80966928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_messages/012019/"; http_uri; depth:25; isdataat:!1,relative; content:"audrey-benjamin.fr"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103827/; classtype:trojan-activity;sid:80966927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wmv9lwru/"; http_uri; depth:10; isdataat:!1,relative; content:"dnenes.com.mx"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103826/; classtype:trojan-activity;sid:80966926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/2019-01/"; http_uri; depth:17; isdataat:!1,relative; content:"ulco.tv"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103825/; classtype:trojan-activity;sid:80966925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/docs/cache/clients_messages/012019/"; http_uri; depth:36; isdataat:!1,relative; content:"geodrilling.cl"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103824/; classtype:trojan-activity;sid:80966924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payments/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"www.polatlimatbaa.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103823/; classtype:trojan-activity;sid:80966923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/po.exe"; http_uri; depth:7; isdataat:!1,relative; content:"www.beautymakeup.ca"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/103822/; classtype:trojan-activity;sid:80966922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iuywk-gt_y-jl7/ext/paymentstatus/us/companies-invoice-1236003/"; http_uri; depth:63; isdataat:!1,relative; content:"web63.s150.goserver.host"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103821/; classtype:trojan-activity;sid:80966921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wsgc-lmgp_b-k0n/invoices/04514/99848/en_en/open-past-due-orders/"; http_uri; depth:65; isdataat:!1,relative; content:"makeupbyolivia.co.uk"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103820/; classtype:trojan-activity;sid:80966920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/altxh-jqt_khazsp-zhl/invoicecodechanges/en/question/"; http_uri; depth:53; isdataat:!1,relative; content:"klobasafest.sk"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103819/; classtype:trojan-activity;sid:80966919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/llki-dx6en_oesmuxq-ai/comet/signs/payment/notification/01/15/2019/en/invoices-attached/"; http_uri; depth:88; isdataat:!1,relative; content:"ganic.be"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103818/; classtype:trojan-activity;sid:80966918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xbfnp-mma_vcb-0l/invoice/39367/overpayment/en/past-due-invoices/"; http_uri; depth:65; isdataat:!1,relative; content:"favouritefashionhub.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103817/; classtype:trojan-activity;sid:80966917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/aplx-gnf_japmgnnva-hw6/ji32/invoicing/us/service-invoice/"; http_uri; depth:58; isdataat:!1,relative; content:"enekashoush.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103816/; classtype:trojan-activity;sid:80966916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/brhf-rb_pjppwx-jpj/paymentstatus/en_en/outstanding-invoices/"; http_uri; depth:61; isdataat:!1,relative; content:"checkreview.ooo"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103815/; classtype:trojan-activity;sid:80966915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/reyog-ir_xoagihvft-u3a/ach/paymentadvice/us_us/invoice-for-you/"; http_uri; depth:64; isdataat:!1,relative; content:"cheapavia.ga"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103814/; classtype:trojan-activity;sid:80966914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ghesa-ux_sxxfeeo-cf/paymentstatus/us/important-please-read/"; http_uri; depth:60; isdataat:!1,relative; content:"arteelectronics.cl"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103813/; classtype:trojan-activity;sid:80966913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/2019-01/"; http_uri; depth:19; isdataat:!1,relative; content:"www.textilessudamericanos.com"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103812/; classtype:trojan-activity;sid:80966912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/01_19/"; http_uri; depth:20; isdataat:!1,relative; content:"www.customs1.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103811/; classtype:trojan-activity;sid:80966911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"www.belovedmotherof13.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103810/; classtype:trojan-activity;sid:80966910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"mail.mfj222.co.za"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103809/; classtype:trojan-activity;sid:80966909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/2019-01/"; http_uri; depth:22; isdataat:!1,relative; content:"hjsanders.nl"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103808/; classtype:trojan-activity;sid:80966908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/2019-01/"; http_uri; depth:21; isdataat:!1,relative; content:"gisa.company"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103807/; classtype:trojan-activity;sid:80966907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_messages/01_19/"; http_uri; depth:24; isdataat:!1,relative; content:"aprendercomputacion.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103806/; classtype:trojan-activity;sid:80966906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/b4c4699b939766b2580e03cc5734c97657ba4a5e178d5974f6d36b02881fb00dbf3ded.ren"; http_uri; depth:75; isdataat:!1,relative; content:"flowers.destructiontrains.host"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103805/; classtype:trojan-activity;sid:80966905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/auuf1tkh/"; http_uri; depth:10; isdataat:!1,relative; content:"garopin-r-01.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103804/; classtype:trojan-activity;sid:80966904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/p7p4eo54qb/"; http_uri; depth:12; isdataat:!1,relative; content:"timgiamgia.site"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103803/; classtype:trojan-activity;sid:80966903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ehrw1bmlo/"; http_uri; depth:11; isdataat:!1,relative; content:"demos.technoexam.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103802/; classtype:trojan-activity;sid:80966902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wcudi4ydbh/"; http_uri; depth:12; isdataat:!1,relative; content:"mypuppysitter.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103801/; classtype:trojan-activity;sid:80966901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/naovd1x/"; http_uri; depth:9; isdataat:!1,relative; content:"radintrader.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103800/; classtype:trojan-activity;sid:80966900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"francoisebon.fr"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103799/; classtype:trojan-activity;sid:80966899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaction_details/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"rokiatraore.net"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103798/; classtype:trojan-activity;sid:80966898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/2019-01/"; http_uri; depth:21; isdataat:!1,relative; content:"infocentertour.ru"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103797/; classtype:trojan-activity;sid:80966897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=amikyxv2mtziwfvrkserjzapnkk6vlvrrpoqi1c51nlrrly6wjszs60cfgkcqw6fmr68kzntd9hiezykenfkja-3d-3d_nunntflut5qgdctkt8bdgmjiftvrh5kc2vfijapr5bdi-2bd4qetnwj2jyptxhq-2bzugntymut-2fqwb8jzue-2f6jwkzve4hnv6zkpdcbtkgymr2l5djb1946nneaurjwnpmdm1moehqi5ggyaewiklhubydrr8nk71gtdminmrtrkbmerhv2ugbxkg0hkl-2fsdhl6-2fwk-2flllxew6zqwtwwtvmfbq-3d-3d/"; http_uri; depth:341; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103796/; classtype:trojan-activity;sid:80966896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"shopping24horas.com.br"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103795/; classtype:trojan-activity;sid:80966895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"sitesbrgiga.com.br"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103794/; classtype:trojan-activity;sid:80966894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaction_details/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"pharmaesourcing.technoexam.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103793/; classtype:trojan-activity;sid:80966893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/012019/"; http_uri; depth:28; isdataat:!1,relative; content:"dijitalbaskicenter.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103792/; classtype:trojan-activity;sid:80966892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/messages/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"aimypie.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103791/; classtype:trojan-activity;sid:80966891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payments/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"airmanship.nl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103790/; classtype:trojan-activity;sid:80966890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payments/012019/"; http_uri; depth:17; isdataat:!1,relative; content:"www.mountainmcc.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103789/; classtype:trojan-activity;sid:80966889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"ketout.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103788/; classtype:trojan-activity;sid:80966888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"eriklanger.it"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103787/; classtype:trojan-activity;sid:80966887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/z7isltpb/"; http_uri; depth:10; isdataat:!1,relative; content:"niteshagrico.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103786/; classtype:trojan-activity;sid:80966886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/details/012019/"; http_uri; depth:16; isdataat:!1,relative; content:"mfj222.co.za"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103785/; classtype:trojan-activity;sid:80966885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/transaction_details/01_19/"; http_uri; depth:36; isdataat:!1,relative; content:"undlab.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103784/; classtype:trojan-activity;sid:80966884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transactions/01_19"; http_uri; depth:19; isdataat:!1,relative; content:"ciblage-spain.es"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103783/; classtype:trojan-activity;sid:80966883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mqrfa-lkcjc_sl-tgj/us/753-43-672323-659-753-43-672323-244/"; http_uri; depth:59; isdataat:!1,relative; content:"lapsoinmobiliaria.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103782/; classtype:trojan-activity;sid:80966882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mqrfa-lkcjc_sl-tgj/us/753-43-672323-659-753-43-672323-244"; http_uri; depth:58; isdataat:!1,relative; content:"lapsoinmobiliaria.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103781/; classtype:trojan-activity;sid:80966881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x9w0q_aj9eudi_0/"; http_uri; depth:17; isdataat:!1,relative; content:"forma-31.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103780/; classtype:trojan-activity;sid:80966880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/z7isltpb"; http_uri; depth:9; isdataat:!1,relative; content:"niteshagrico.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103779/; classtype:trojan-activity;sid:80966879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vdfy-bhbv_onzwstvk-d8y/ach/paymentinfo/en_en/invoices-attached/"; http_uri; depth:64; isdataat:!1,relative; content:"crolanbicycle.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103778/; classtype:trojan-activity;sid:80966878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/wvmkoetl6246843/rechnung/rechnungsanschrift/"; http_uri; depth:48; isdataat:!1,relative; content:"www.bureaudebiteurenbeheer.nl"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103777/; classtype:trojan-activity;sid:80966877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de_de/phpvqljj5927086/rechnungs-details/hilfestellung/"; http_uri; depth:55; isdataat:!1,relative; content:"www.jenfu.net"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103776/; classtype:trojan-activity;sid:80966876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/qcidkgttws3129914/scan/doc-dokument/"; http_uri; depth:40; isdataat:!1,relative; content:"www.lifestyleassociates.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103775/; classtype:trojan-activity;sid:80966875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/omjgvmbp9253958/scan/rechnung/"; http_uri; depth:31; isdataat:!1,relative; content:"www.zigoro.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103774/; classtype:trojan-activity;sid:80966874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/oquryvu5178922/rechnungs/fakturierung/"; http_uri; depth:39; isdataat:!1,relative; content:"www.rosimpex.net"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103773/; classtype:trojan-activity;sid:80966873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hdifv-71q_qv-yr/i352/invoicing/us_us/service-invoice/"; http_uri; depth:54; isdataat:!1,relative; content:"soloftp.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103772/; classtype:trojan-activity;sid:80966872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/arbamvdkl5913152/rechnung/rechnung/"; http_uri; depth:39; isdataat:!1,relative; content:"stacknheap.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103771/; classtype:trojan-activity;sid:80966871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ppisd-f3mn_i-8kt/southwire/qsx6674068692/us_us/document-needed/"; http_uri; depth:64; isdataat:!1,relative; content:"inomoto.vn"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103770/; classtype:trojan-activity;sid:80966870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/leresuz7074814/dokumente/hilfestellung/"; http_uri; depth:40; isdataat:!1,relative; content:"www.1348photo.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103769/; classtype:trojan-activity;sid:80966869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/aujslfxo1452575/bestellungen/form/"; http_uri; depth:38; isdataat:!1,relative; content:"www.condicioner-ufa.ru"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103768/; classtype:trojan-activity;sid:80966868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/de/cwdcgo7645780/rechnungs-docs/rechnung/"; http_uri; depth:42; isdataat:!1,relative; content:"www.domaingiarenhat.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103767/; classtype:trojan-activity;sid:80966867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hnxjo-0rfc4_yid-neh/comet/signs/payment/notification/01/15/2019/en/question/"; http_uri; depth:77; isdataat:!1,relative; content:"www.klpervezimas.lt"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103766/; classtype:trojan-activity;sid:80966866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/januar2019/rtwekqo4171299/rechnung/fakturierung/"; http_uri; depth:49; isdataat:!1,relative; content:"cannabisenglish.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103765/; classtype:trojan-activity;sid:80966865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cnlxj-x8zs_lx-kd/vv40/invoicing/en/open-past-due-orders/"; http_uri; depth:57; isdataat:!1,relative; content:"casa7mares.com.br"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103764/; classtype:trojan-activity;sid:80966864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nepu-az5_snykbayi-s4s/ach/paymentadvice/us_us/invoice-for-k/u-01/15/2019/"; http_uri; depth:74; isdataat:!1,relative; content:"crm.mydealeradvertising.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103763/; classtype:trojan-activity;sid:80966863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tcosf-he9pp_dptzc-ivu/inv/7785759609/us_us/paid-invoices/"; http_uri; depth:58; isdataat:!1,relative; content:"ukmc.lt"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103762/; classtype:trojan-activity;sid:80966862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tsod-ta1w_ctjn-9ah/invoice/us_us/invoice-0326887/"; http_uri; depth:50; isdataat:!1,relative; content:"purifiq.co.za"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103761/; classtype:trojan-activity;sid:80966861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/aadmv-fpgl_z-gs/paymentstatus/en_en/invoice-6824416-january/"; http_uri; depth:61; isdataat:!1,relative; content:"goodnesspets.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103760/; classtype:trojan-activity;sid:80966860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zzwkp-nozn_oe-xeg/southwire/hoj46862317/en/service-report-6151/"; http_uri; depth:64; isdataat:!1,relative; content:"cerrajeria-sabbath.holy-animero.com"; http_host; depth:35; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103759/; classtype:trojan-activity;sid:80966859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ooia-isd_bchgk-iu/southwire/rlc31442725/en/scan/"; http_uri; depth:49; isdataat:!1,relative; content:"nhakhoahiromi.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103758/; classtype:trojan-activity;sid:80966858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/mn/mn.exe"; http_uri; depth:17; isdataat:!1,relative; content:"interbizservices.eu"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103757/; classtype:trojan-activity;sid:80966857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/mb/mb.exe"; http_uri; depth:17; isdataat:!1,relative; content:"interbizservices.eu"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103756/; classtype:trojan-activity;sid:80966856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x`jpgxmsim/"; http_uri; depth:12; isdataat:!1,relative; content:"ivydeimtal.vim"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103755/; classtype:trojan-activity;sid:80966855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/01_19/"; http_uri; depth:19; isdataat:!1,relative; content:"ukmc.lt"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103753/; classtype:trojan-activity;sid:80966853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/2019-01/"; http_uri; depth:19; isdataat:!1,relative; content:"cardpremium.com.br"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103752/; classtype:trojan-activity;sid:80966852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payments/01_19/"; http_uri; depth:16; isdataat:!1,relative; content:"ragainesvaldos.ekovalstybe.lt"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103751/; classtype:trojan-activity;sid:80966851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/012019/"; http_uri; depth:18; isdataat:!1,relative; content:"dyefusion.lesetoilesdelarive.ca"; http_host; depth:31; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103750/; classtype:trojan-activity;sid:80966850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients_information/2019-01/"; http_uri; depth:29; isdataat:!1,relative; content:"mediconline.md"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103749/; classtype:trojan-activity;sid:80966849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/2019-01/"; http_uri; depth:21; isdataat:!1,relative; content:"trehoadatoanthan.info"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103748/; classtype:trojan-activity;sid:80966848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sgojjeih/"; http_uri; depth:10; isdataat:!1,relative; content:"mosgasclub.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103747/; classtype:trojan-activity;sid:80966847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/4imbavzs/"; http_uri; depth:10; isdataat:!1,relative; content:"aseman-co.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103746/; classtype:trojan-activity;sid:80966846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x4h2lgtb6t/"; http_uri; depth:12; isdataat:!1,relative; content:"veenhuis.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103745/; classtype:trojan-activity;sid:80966845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/clients/01_19/"; http_uri; depth:26; isdataat:!1,relative; content:"www.ermaproduction.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103744/; classtype:trojan-activity;sid:80966844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/01_19/"; http_uri; depth:17; isdataat:!1,relative; content:"mataukitaip.ekovalstybe.lt"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103742/; classtype:trojan-activity;sid:80966842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wf/clickupn=cd32epmub8fcgafasmf8ow1hh1eveag7ujz7lfmtysn-2by8mvpoo30locfftihfzq91ztvfp5l5sfyr-2b9yw9b5w-3d-3d_gj-2bg1rsc8ockvxtuao5lixqzc1tfwkkwxtsocxy3vikprgpeizv8c1wrx3bcjepczconoge5-2bcj4izalikblajd-2fatlj5tu3mktfg6qzqezgup1hnp-2f2hpqaaonedxn4o59wdi2yvasu4jhueebwg-2bdwpkqqegzub3eofnxfvn4cpvrxcu1xquipyw68v5spe832cgzzgjzj-2bqcky0egxmxtnsxwcbtup2kti3jfjzk-3d/"; http_uri; depth:361; isdataat:!1,relative; content:"sendgrid2.oicgulf.ae"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103743/; classtype:trojan-activity;sid:80966843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/information/012019/"; http_uri; depth:20; isdataat:!1,relative; content:"vakilehamrah.ir"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103741/; classtype:trojan-activity;sid:80966841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/transaction_details/01_19/"; http_uri; depth:27; isdataat:!1,relative; content:"donidonggiay.net"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:url, urlhaus.abuse.ch/url/103740/; classtype:trojan-activity;sid:80966840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/attachments/2019-01/"; http_uri; depth:21; isdataat:!1,relative; content:"scullytrucking.digitalmindtec.com"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_01_15; reference:ur