################################################################ # abuse.ch URLhaus IDS ruleset (Snort / Suricata) # # Last updated: 2019-07-20 02:25:06 (UTC) # # # # Terms Of Use: https://urlhaus.abuse.ch/api/ # # For questions please contact urlhaus [at] abuse.ch # ################################################################ # # url alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2017/_output636b100.exe"; http_uri; depth:43; isdataat:!1,relative; content:"manplusvanlondon.co.uk"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_20; reference:url, urlhaus.abuse.ch/url/218270/; classtype:trojan-activity;sid:81081370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2017/bin2.exe"; http_uri; depth:33; isdataat:!1,relative; content:"manplusvanlondon.co.uk"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_20; reference:url, urlhaus.abuse.ch/url/218269/; classtype:trojan-activity;sid:81081369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2017/bin1.exe"; http_uri; depth:33; isdataat:!1,relative; content:"manplusvanlondon.co.uk"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_20; reference:url, urlhaus.abuse.ch/url/218268/; classtype:trojan-activity;sid:81081368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2013/_output2ea6100.exe"; http_uri; depth:43; isdataat:!1,relative; content:"manplusvanlondon.co.uk"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_20; reference:url, urlhaus.abuse.ch/url/218267/; classtype:trojan-activity;sid:81081367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/divi/psd/1c.jpg"; http_uri; depth:34; isdataat:!1,relative; content:"thierry-ginon-avocat.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_20; reference:url, urlhaus.abuse.ch/url/218266/; classtype:trojan-activity;sid:81081366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2017/bin3.exe"; http_uri; depth:33; isdataat:!1,relative; content:"manplusvanlondon.co.uk"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_20; reference:url, urlhaus.abuse.ch/url/218265/; classtype:trojan-activity;sid:81081365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/joomspirit_99/html/com_content/article/1c.jpg"; http_uri; depth:56; isdataat:!1,relative; content:"phildemexpress.fr"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_20; reference:url, urlhaus.abuse.ch/url/218264/; classtype:trojan-activity;sid:81081364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/download/invoice_for%20payment-067893623_doc.exe"; http_uri; depth:49; isdataat:!1,relative; content:"fonestora.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218263/; classtype:trojan-activity;sid:81081363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lok.exe"; http_uri; depth:8; isdataat:!1,relative; content:"legendceylontea.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218261/; classtype:trojan-activity;sid:81081361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/controltestsample_tnnbtib.meow"; http_uri; depth:31; isdataat:!1,relative; content:"www.mrcday.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218260/; classtype:trojan-activity;sid:81081360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2017/_output636b100.exe"; http_uri; depth:43; isdataat:!1,relative; content:"www.manplusvanlondon.co.uk"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218259/; classtype:trojan-activity;sid:81081359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2017/bin2.exe"; http_uri; depth:33; isdataat:!1,relative; content:"www.manplusvanlondon.co.uk"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218258/; classtype:trojan-activity;sid:81081358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2017/bin1.exe"; http_uri; depth:33; isdataat:!1,relative; content:"www.manplusvanlondon.co.uk"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218257/; classtype:trojan-activity;sid:81081357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/vg-bellheim/css/1c.jpg"; http_uri; depth:41; isdataat:!1,relative; content:"www.feuerwehr-vgbellheim.de"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218256/; classtype:trojan-activity;sid:81081356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/jabellatrix/scripts/1c.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"smartline.com.ua"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218255/; classtype:trojan-activity;sid:81081355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dyke.exe"; http_uri; depth:9; isdataat:!1,relative; content:"valiantlogistics.org"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218253/; classtype:trojan-activity;sid:81081353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ifeanyi.exe"; http_uri; depth:12; isdataat:!1,relative; content:"valiantlogistics.org"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218252/; classtype:trojan-activity;sid:81081352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bukak.exe"; http_uri; depth:10; isdataat:!1,relative; content:"ktkingtiger.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218251/; classtype:trojan-activity;sid:81081351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/leemans/1c.jpg"; http_uri; depth:15; isdataat:!1,relative; content:"leemansuitvaartverzorging.nl"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218250/; classtype:trojan-activity;sid:81081350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/cache/et/16/1c.jpg"; http_uri; depth:30; isdataat:!1,relative; content:"jbc-fakiromania.fr"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218249/; classtype:trojan-activity;sid:81081349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bukazo.exe"; http_uri; depth:11; isdataat:!1,relative; content:"ktkingtiger.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218248/; classtype:trojan-activity;sid:81081348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/samuel.exe"; http_uri; depth:11; isdataat:!1,relative; content:"valiantlogistics.org"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218247/; classtype:trojan-activity;sid:81081347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/administrator/backups/1c.jpg"; http_uri; depth:29; isdataat:!1,relative; content:"www.uitvaartondernemingmade.nl"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218245/; classtype:trojan-activity;sid:81081345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/leemans/1c.jpg"; http_uri; depth:15; isdataat:!1,relative; content:"www.leemansuitvaartverzorging.nl"; http_host; depth:32; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218244/; classtype:trojan-activity;sid:81081344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rigistry2.exe"; http_uri; depth:14; isdataat:!1,relative; content:"certifiedlogistics.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218243/; classtype:trojan-activity;sid:81081343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/divi/core/admin/css/1c.jpg"; http_uri; depth:45; isdataat:!1,relative; content:"www.thierry-ginon-avocat.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218242/; classtype:trojan-activity;sid:81081342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sarsnet2.exe"; http_uri; depth:13; isdataat:!1,relative; content:"certifiedlogistics.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218240/; classtype:trojan-activity;sid:81081340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/administrator/backups/1c.jpg"; http_uri; depth:29; isdataat:!1,relative; content:"uitvaartondernemingmade.nl"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218239/; classtype:trojan-activity;sid:81081339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/nativechurch/css/fonts/1c.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"fellowshipchurch.info"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218238/; classtype:trojan-activity;sid:81081338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/suffusion/custom/1c.jpg"; http_uri; depth:42; isdataat:!1,relative; content:"jobinspektor.de"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218236/; classtype:trojan-activity;sid:81081336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/musicplay/framework/admin/css/images/1c.jpg"; http_uri; depth:62; isdataat:!1,relative; content:"radiobangfm.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218235/; classtype:trojan-activity;sid:81081335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/oshin/css/admin/1c.jpg"; http_uri; depth:41; isdataat:!1,relative; content:"pestina.ro"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218234/; classtype:trojan-activity;sid:81081334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2017/bin3.exe"; http_uri; depth:33; isdataat:!1,relative; content:"www.manplusvanlondon.co.uk"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218233/; classtype:trojan-activity;sid:81081333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/shaper_simplicity_ii/js/1c.jpg"; http_uri; depth:41; isdataat:!1,relative; content:"complanbt.hu"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218232/; classtype:trojan-activity;sid:81081332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cd/0/get/ald1q1ktv_5y9fopofdt4c3-vapjjku9t3_n-32mw9o2mr7qb-puabgzklswlh_0fhdamfnzfhigfl5zbyf2c7yufutk07vzghqbjpkljo4jlg/filedl=1"; http_uri; depth:129; isdataat:!1,relative; content:"uc3ced7301ee1a2498ba72cd8c61.dl.dropboxusercontent.com"; http_host; depth:54; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218231/; classtype:trojan-activity;sid:81081331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/avada/assets/admin/css/1c.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"www.mindfulenmeer.nl"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218230/; classtype:trojan-activity;sid:81081330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/api/sysguard.exe"; http_uri; depth:17; isdataat:!1,relative; content:"de.gsearch.com.de"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218229/; classtype:trojan-activity;sid:81081329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rfq.exe"; http_uri; depth:8; isdataat:!1,relative; content:"ssaov.co.uk"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218228/; classtype:trojan-activity;sid:81081328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ee/0660957"; http_uri; depth:11; isdataat:!1,relative; content:"35.225.200.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218227/; classtype:trojan-activity;sid:81081327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/blogs.dir/1c.jpg"; http_uri; depth:28; isdataat:!1,relative; content:"deecreationnphotography.tk"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218226/; classtype:trojan-activity;sid:81081326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/impreza-2/css/1c.jpg"; http_uri; depth:39; isdataat:!1,relative; content:"leemansuitvaartverzorging.nl"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218225/; classtype:trojan-activity;sid:81081325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/divi/psd/1c.jpg"; http_uri; depth:34; isdataat:!1,relative; content:"www.thierry-ginon-avocat.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218224/; classtype:trojan-activity;sid:81081324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/majorzerodayworkingon"; http_uri; depth:22; isdataat:!1,relative; content:"gg.gg"; http_host; depth:5; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218223/; classtype:trojan-activity;sid:81081323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/divi/images/1c.jpg"; http_uri; depth:37; isdataat:!1,relative; content:"jenniferwaugh.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218221/; classtype:trojan-activity;sid:81081321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/enfold/config-gravityforms/1c.jpg"; http_uri; depth:52; isdataat:!1,relative; content:"umcsholding.nl"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218219/; classtype:trojan-activity;sid:81081319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3rjicjcflbunxmo.exe"; http_uri; depth:20; isdataat:!1,relative; content:"ambition.bg"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218218/; classtype:trojan-activity;sid:81081318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.m68k"; http_uri; depth:16; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218217/; classtype:trojan-activity;sid:81081317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/a.i686"; http_uri; depth:12; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218215/; classtype:trojan-activity;sid:81081315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/a.mpsl"; http_uri; depth:12; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218216/; classtype:trojan-activity;sid:81081316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/a.arm"; http_uri; depth:11; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218213/; classtype:trojan-activity;sid:81081313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/a.arm5"; http_uri; depth:12; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218214/; classtype:trojan-activity;sid:81081314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218212/; classtype:trojan-activity;sid:81081312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.spc"; http_uri; depth:16; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218211/; classtype:trojan-activity;sid:81081311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218209/; classtype:trojan-activity;sid:81081309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218210/; classtype:trojan-activity;sid:81081310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.kill"; http_uri; depth:17; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218207/; classtype:trojan-activity;sid:81081307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.mips"; http_uri; depth:17; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218208/; classtype:trojan-activity;sid:81081308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218206/; classtype:trojan-activity;sid:81081306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218204/; classtype:trojan-activity;sid:81081304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.i686"; http_uri; depth:17; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218205/; classtype:trojan-activity;sid:81081305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218202/; classtype:trojan-activity;sid:81081302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218203/; classtype:trojan-activity;sid:81081303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.arm"; http_uri; depth:16; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218201/; classtype:trojan-activity;sid:81081301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.arc"; http_uri; depth:16; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218200/; classtype:trojan-activity;sid:81081300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/shibui.x86"; http_uri; depth:16; isdataat:!1,relative; content:"178.62.26.209"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218199/; classtype:trojan-activity;sid:81081299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kowai.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218198/; classtype:trojan-activity;sid:81081298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kowai.spc"; http_uri; depth:10; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218197/; classtype:trojan-activity;sid:81081297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kowai.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218196/; classtype:trojan-activity;sid:81081296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kowai.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218195/; classtype:trojan-activity;sid:81081295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kowai.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218194/; classtype:trojan-activity;sid:81081294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kowai.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218193/; classtype:trojan-activity;sid:81081293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kowai.arm"; http_uri; depth:10; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218192/; classtype:trojan-activity;sid:81081292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kowai.x86"; http_uri; depth:10; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218191/; classtype:trojan-activity;sid:81081291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"211.104.242.105"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218190/; classtype:trojan-activity;sid:81081290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"211.104.242.105"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218189/; classtype:trojan-activity;sid:81081289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.spc"; http_uri; depth:16; isdataat:!1,relative; content:"211.104.242.105"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218188/; classtype:trojan-activity;sid:81081288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"211.104.242.105"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218187/; classtype:trojan-activity;sid:81081287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.mips"; http_uri; depth:17; isdataat:!1,relative; content:"211.104.242.105"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218186/; classtype:trojan-activity;sid:81081286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"211.104.242.105"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218185/; classtype:trojan-activity;sid:81081285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"211.104.242.105"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218184/; classtype:trojan-activity;sid:81081284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"211.104.242.105"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218183/; classtype:trojan-activity;sid:81081283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm"; http_uri; depth:16; isdataat:!1,relative; content:"211.104.242.105"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218182/; classtype:trojan-activity;sid:81081282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.x86"; http_uri; depth:16; isdataat:!1,relative; content:"211.104.242.105"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218181/; classtype:trojan-activity;sid:81081281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.spc"; http_uri; depth:14; isdataat:!1,relative; content:"89.35.39.74"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218180/; classtype:trojan-activity;sid:81081280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.mpsl"; http_uri; depth:15; isdataat:!1,relative; content:"89.35.39.74"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218178/; classtype:trojan-activity;sid:81081278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"89.35.39.74"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218179/; classtype:trojan-activity;sid:81081279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"89.35.39.74"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218176/; classtype:trojan-activity;sid:81081276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.mips"; http_uri; depth:15; isdataat:!1,relative; content:"89.35.39.74"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218177/; classtype:trojan-activity;sid:81081277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.arm5"; http_uri; depth:15; isdataat:!1,relative; content:"89.35.39.74"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218175/; classtype:trojan-activity;sid:81081275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.x86"; http_uri; depth:14; isdataat:!1,relative; content:"89.35.39.74"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218174/; classtype:trojan-activity;sid:81081274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/onepress/inc/admin/1c.jpg"; http_uri; depth:44; isdataat:!1,relative; content:"scientificvoice.xyz"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218173/; classtype:trojan-activity;sid:81081273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.mpsl"; http_uri; depth:16; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218172/; classtype:trojan-activity;sid:81081272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.mips"; http_uri; depth:16; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218171/; classtype:trojan-activity;sid:81081271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.ppc"; http_uri; depth:15; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218170/; classtype:trojan-activity;sid:81081270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.sh4"; http_uri; depth:15; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218169/; classtype:trojan-activity;sid:81081269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.spc"; http_uri; depth:15; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218168/; classtype:trojan-activity;sid:81081268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.arm7"; http_uri; depth:16; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218166/; classtype:trojan-activity;sid:81081266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.x86"; http_uri; depth:15; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218167/; classtype:trojan-activity;sid:81081267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.arm5"; http_uri; depth:16; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218164/; classtype:trojan-activity;sid:81081264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.arm6"; http_uri; depth:16; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218165/; classtype:trojan-activity;sid:81081265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.arm"; http_uri; depth:15; isdataat:!1,relative; content:"167.71.52.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218163/; classtype:trojan-activity;sid:81081263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.ppc"; http_uri; depth:21; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218162/; classtype:trojan-activity;sid:81081262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.spc"; http_uri; depth:21; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218161/; classtype:trojan-activity;sid:81081261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.sh4"; http_uri; depth:21; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218160/; classtype:trojan-activity;sid:81081260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mpsl"; http_uri; depth:22; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218159/; classtype:trojan-activity;sid:81081259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mips"; http_uri; depth:22; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218158/; classtype:trojan-activity;sid:81081258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.m68k"; http_uri; depth:22; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218157/; classtype:trojan-activity;sid:81081257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm7"; http_uri; depth:22; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218156/; classtype:trojan-activity;sid:81081256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm6"; http_uri; depth:22; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218155/; classtype:trojan-activity;sid:81081255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm5"; http_uri; depth:22; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218154/; classtype:trojan-activity;sid:81081254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm"; http_uri; depth:21; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218153/; classtype:trojan-activity;sid:81081253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.x86"; http_uri; depth:21; isdataat:!1,relative; content:"167.71.176.174"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218152/; classtype:trojan-activity;sid:81081252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"142.93.108.102"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218150/; classtype:trojan-activity;sid:81081250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"142.93.108.102"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218149/; classtype:trojan-activity;sid:81081249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.spc"; http_uri; depth:14; isdataat:!1,relative; content:"142.93.108.102"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218151/; classtype:trojan-activity;sid:81081251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.mips"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.108.102"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218147/; classtype:trojan-activity;sid:81081247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.mpsl"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.108.102"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218148/; classtype:trojan-activity;sid:81081248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.x86"; http_uri; depth:14; isdataat:!1,relative; content:"142.93.108.102"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218146/; classtype:trojan-activity;sid:81081246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.arm5"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.108.102"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218143/; classtype:trojan-activity;sid:81081243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.108.102"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218144/; classtype:trojan-activity;sid:81081244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.108.102"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218145/; classtype:trojan-activity;sid:81081245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.arm"; http_uri; depth:14; isdataat:!1,relative; content:"142.93.108.102"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218142/; classtype:trojan-activity;sid:81081242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.ppc"; http_uri; depth:21; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218141/; classtype:trojan-activity;sid:81081241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.spc"; http_uri; depth:21; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218140/; classtype:trojan-activity;sid:81081240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.sh4"; http_uri; depth:21; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218139/; classtype:trojan-activity;sid:81081239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mpsl"; http_uri; depth:22; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218138/; classtype:trojan-activity;sid:81081238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mips"; http_uri; depth:22; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218137/; classtype:trojan-activity;sid:81081237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.m68k"; http_uri; depth:22; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218136/; classtype:trojan-activity;sid:81081236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm7"; http_uri; depth:22; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218135/; classtype:trojan-activity;sid:81081235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm6"; http_uri; depth:22; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218134/; classtype:trojan-activity;sid:81081234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm5"; http_uri; depth:22; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218133/; classtype:trojan-activity;sid:81081233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm"; http_uri; depth:21; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218132/; classtype:trojan-activity;sid:81081232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.x86"; http_uri; depth:21; isdataat:!1,relative; content:"159.203.5.114"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218131/; classtype:trojan-activity;sid:81081231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.sh4"; http_uri; depth:21; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218130/; classtype:trojan-activity;sid:81081230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.ppc"; http_uri; depth:21; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218129/; classtype:trojan-activity;sid:81081229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.spc"; http_uri; depth:21; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218128/; classtype:trojan-activity;sid:81081228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mpsl"; http_uri; depth:22; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218127/; classtype:trojan-activity;sid:81081227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mips"; http_uri; depth:22; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218126/; classtype:trojan-activity;sid:81081226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.m68k"; http_uri; depth:22; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218125/; classtype:trojan-activity;sid:81081225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm7"; http_uri; depth:22; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218124/; classtype:trojan-activity;sid:81081224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm6"; http_uri; depth:22; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218123/; classtype:trojan-activity;sid:81081223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm5"; http_uri; depth:22; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218122/; classtype:trojan-activity;sid:81081222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm"; http_uri; depth:21; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218121/; classtype:trojan-activity;sid:81081221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.x86"; http_uri; depth:21; isdataat:!1,relative; content:"142.93.145.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218120/; classtype:trojan-activity;sid:81081220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/isu80"; http_uri; depth:6; isdataat:!1,relative; content:"23.247.66.110"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218119/; classtype:trojan-activity;sid:81081219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2019/03/05.rar"; http_uri; depth:15; isdataat:!1,relative; content:"conntest.net"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218118/; classtype:trojan-activity;sid:81081218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upo.exe"; http_uri; depth:8; isdataat:!1,relative; content:"193.32.161.69"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218117/; classtype:trojan-activity;sid:81081217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mswiner.exe"; http_uri; depth:12; isdataat:!1,relative; content:"bali24.pl"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218116/; classtype:trojan-activity;sid:81081216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/download/invoice_for%20payment-024882015_pdf.exe"; http_uri; depth:49; isdataat:!1,relative; content:"fonestora.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218115/; classtype:trojan-activity;sid:81081215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linuxtf"; http_uri; depth:8; isdataat:!1,relative; content:"blogbak.xxwlt.cn"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218114/; classtype:trojan-activity;sid:81081214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/ono10hles.exe"; http_uri; depth:21; isdataat:!1,relative; content:"ambari.co.in"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218113/; classtype:trojan-activity;sid:81081213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/ono10klire.exe"; http_uri; depth:22; isdataat:!1,relative; content:"amanchemicalsindia.in"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218112/; classtype:trojan-activity;sid:81081212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ono10hles.exe"; http_uri; depth:14; isdataat:!1,relative; content:"aloe-drink.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218111/; classtype:trojan-activity;sid:81081211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/ono10klire.exe"; http_uri; depth:22; isdataat:!1,relative; content:"alco.co.in"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218110/; classtype:trojan-activity;sid:81081210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/ono10hlpb.exe"; http_uri; depth:21; isdataat:!1,relative; content:"ahangamalmagate.co.za"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218109/; classtype:trojan-activity;sid:81081209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/ono9fvbrda.exe"; http_uri; depth:22; isdataat:!1,relative; content:"admimm.cl"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218108/; classtype:trojan-activity;sid:81081208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/ono9klpsw.exe"; http_uri; depth:21; isdataat:!1,relative; content:"acaciarodriguez.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218107/; classtype:trojan-activity;sid:81081207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/ono9fvbrda.exe"; http_uri; depth:22; isdataat:!1,relative; content:"acaciarodriguez.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218106/; classtype:trojan-activity;sid:81081206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/ono10hles.exe"; http_uri; depth:21; isdataat:!1,relative; content:"amcgsr.com.mx"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218105/; classtype:trojan-activity;sid:81081205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/ono10klire.exe"; http_uri; depth:22; isdataat:!1,relative; content:"ambrosiapanama.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218104/; classtype:trojan-activity;sid:81081204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fonts/ono10hlpb.exe"; http_uri; depth:20; isdataat:!1,relative; content:"ambivium.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218103/; classtype:trojan-activity;sid:81081203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bu4.rar"; http_uri; depth:8; isdataat:!1,relative; content:"192.236.194.164"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218102/; classtype:trojan-activity;sid:81081202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyfifteen/css/image.exe"; http_uri; depth:46; isdataat:!1,relative; content:"sts-tech.tn"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218101/; classtype:trojan-activity;sid:81081201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/client.rar"; http_uri; depth:11; isdataat:!1,relative; content:"185.212.47.230"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218100/; classtype:trojan-activity;sid:81081200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unydrk"; http_uri; depth:7; isdataat:!1,relative; content:"faraweel.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218099/; classtype:trojan-activity;sid:81081199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/udp888"; http_uri; depth:7; isdataat:!1,relative; content:"111.6.76.54"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218098/; classtype:trojan-activity;sid:81081198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/syn888"; http_uri; depth:7; isdataat:!1,relative; content:"111.6.76.54"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218097/; classtype:trojan-activity;sid:81081197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lh.exe"; http_uri; depth:7; isdataat:!1,relative; content:"111.6.76.54"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218096/; classtype:trojan-activity;sid:81081196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ddl"; http_uri; depth:4; isdataat:!1,relative; content:"103.118.221.190"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218095/; classtype:trojan-activity;sid:81081195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ldd"; http_uri; depth:4; isdataat:!1,relative; content:"103.118.221.190"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218094/; classtype:trojan-activity;sid:81081194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yk.exe"; http_uri; depth:7; isdataat:!1,relative; content:"103.118.221.190"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218093/; classtype:trojan-activity;sid:81081193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/updater.exe"; http_uri; depth:12; isdataat:!1,relative; content:"152.89.244.115"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218092/; classtype:trojan-activity;sid:81081192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.x86"; http_uri; depth:21; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218091/; classtype:trojan-activity;sid:81081191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.sh4"; http_uri; depth:21; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218089/; classtype:trojan-activity;sid:81081189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.spc"; http_uri; depth:21; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218090/; classtype:trojan-activity;sid:81081190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.ppc"; http_uri; depth:21; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218088/; classtype:trojan-activity;sid:81081188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mpsl"; http_uri; depth:22; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218087/; classtype:trojan-activity;sid:81081187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.m68k"; http_uri; depth:22; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218085/; classtype:trojan-activity;sid:81081185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mips"; http_uri; depth:22; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218086/; classtype:trojan-activity;sid:81081186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm7"; http_uri; depth:22; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218084/; classtype:trojan-activity;sid:81081184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm5"; http_uri; depth:22; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218082/; classtype:trojan-activity;sid:81081182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm6"; http_uri; depth:22; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218083/; classtype:trojan-activity;sid:81081183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm"; http_uri; depth:21; isdataat:!1,relative; content:"80.211.6.90"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218081/; classtype:trojan-activity;sid:81081181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1xmqcc"; http_uri; depth:7; isdataat:!1,relative; content:"bestmekongdeltatours.vn"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218080/; classtype:trojan-activity;sid:81081180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arm6"; http_uri; depth:5; isdataat:!1,relative; content:"134.19.188.108"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218079/; classtype:trojan-activity;sid:81081179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"134.19.188.108"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218078/; classtype:trojan-activity;sid:81081178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"134.19.188.108"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218077/; classtype:trojan-activity;sid:81081177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"134.19.188.108"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218076/; classtype:trojan-activity;sid:81081176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"134.19.188.108"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218075/; classtype:trojan-activity;sid:81081175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"134.19.188.108"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218073/; classtype:trojan-activity;sid:81081173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"134.19.188.108"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218074/; classtype:trojan-activity;sid:81081174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/prom/new_order_3100191302_pdf.gz"; http_uri; depth:33; isdataat:!1,relative; content:"sxhts-group.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218072/; classtype:trojan-activity;sid:81081172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pro/new_order_3100191302_pdf.gz"; http_uri; depth:32; isdataat:!1,relative; content:"sxhts-group.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218071/; classtype:trojan-activity;sid:81081171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ez/po_3100191302_pdf%20%20%20igst.com.gz"; http_uri; depth:41; isdataat:!1,relative; content:"sxhts-group.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218070/; classtype:trojan-activity;sid:81081170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/chr/new_order_3100191302_pdf.gz"; http_uri; depth:32; isdataat:!1,relative; content:"sxhts-group.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218069/; classtype:trojan-activity;sid:81081169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.spc"; http_uri; depth:12; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218067/; classtype:trojan-activity;sid:81081167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.x86"; http_uri; depth:12; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218068/; classtype:trojan-activity;sid:81081168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.ppc"; http_uri; depth:12; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218065/; classtype:trojan-activity;sid:81081165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.sh4"; http_uri; depth:12; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218066/; classtype:trojan-activity;sid:81081166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.mips"; http_uri; depth:13; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218063/; classtype:trojan-activity;sid:81081163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.mpsl"; http_uri; depth:13; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218064/; classtype:trojan-activity;sid:81081164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.arm7"; http_uri; depth:13; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218061/; classtype:trojan-activity;sid:81081161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.m68k"; http_uri; depth:13; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218062/; classtype:trojan-activity;sid:81081162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.arm5"; http_uri; depth:13; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218059/; classtype:trojan-activity;sid:81081159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.arm6"; http_uri; depth:13; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218060/; classtype:trojan-activity;sid:81081160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ok.arm"; http_uri; depth:12; isdataat:!1,relative; content:"195.231.6.216"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218058/; classtype:trojan-activity;sid:81081158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jshg8q"; http_uri; depth:7; isdataat:!1,relative; content:"colorlib.net"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218057/; classtype:trojan-activity;sid:81081157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-test.php"; http_uri; depth:12; isdataat:!1,relative; content:"www.abidyahya.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218056/; classtype:trojan-activity;sid:81081156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/imageresize.php"; http_uri; depth:23; isdataat:!1,relative; content:"amcgsr.com.mx"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218055/; classtype:trojan-activity;sid:81081155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/imagedb.php"; http_uri; depth:19; isdataat:!1,relative; content:"ambrosiapanama.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218054/; classtype:trojan-activity;sid:81081154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fonts/myriad-pro-installerr.php"; http_uri; depth:32; isdataat:!1,relative; content:"ambivium.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218053/; classtype:trojan-activity;sid:81081153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/view_install.php"; http_uri; depth:24; isdataat:!1,relative; content:"ambari.co.in"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218052/; classtype:trojan-activity;sid:81081152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/visual.php"; http_uri; depth:18; isdataat:!1,relative; content:"amanchemicalsindia.in"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218051/; classtype:trojan-activity;sid:81081151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/view.php"; http_uri; depth:16; isdataat:!1,relative; content:"alternativemedicinenis.com.au"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218050/; classtype:trojan-activity;sid:81081150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/host.php"; http_uri; depth:9; isdataat:!1,relative; content:"aloe-drink.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218049/; classtype:trojan-activity;sid:81081149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/flash_viewer.php"; http_uri; depth:24; isdataat:!1,relative; content:"alco.co.in"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218048/; classtype:trojan-activity;sid:81081148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/image_resizer.php"; http_uri; depth:25; isdataat:!1,relative; content:"ahangamalmagate.co.za"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218047/; classtype:trojan-activity;sid:81081147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/watermarks.php"; http_uri; depth:22; isdataat:!1,relative; content:"adminsystemcr.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218046/; classtype:trojan-activity;sid:81081146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/flash_download.php"; http_uri; depth:26; isdataat:!1,relative; content:"admimm.cl"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218045/; classtype:trojan-activity;sid:81081145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/media.php"; http_uri; depth:10; isdataat:!1,relative; content:"accompagnatricidilusso.net"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218044/; classtype:trojan-activity;sid:81081144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/gif_animator.php"; http_uri; depth:24; isdataat:!1,relative; content:"acaciarodriguez.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218043/; classtype:trojan-activity;sid:81081143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/backup.php"; http_uri; depth:11; isdataat:!1,relative; content:"abarkagambia.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218042/; classtype:trojan-activity;sid:81081142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef11.gxl"; http_uri; depth:28; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218041/; classtype:trojan-activity;sid:81081141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef10.gxl"; http_uri; depth:28; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218040/; classtype:trojan-activity;sid:81081140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef9.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218039/; classtype:trojan-activity;sid:81081139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef7.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218037/; classtype:trojan-activity;sid:81081137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef8.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218038/; classtype:trojan-activity;sid:81081138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef3.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218033/; classtype:trojan-activity;sid:81081133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef4.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218034/; classtype:trojan-activity;sid:81081134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef5.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218035/; classtype:trojan-activity;sid:81081135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef6.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218036/; classtype:trojan-activity;sid:81081136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef1.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218031/; classtype:trojan-activity;sid:81081131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=typef2.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"d18646broderick.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218032/; classtype:trojan-activity;sid:81081132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ee/2067779"; http_uri; depth:11; isdataat:!1,relative; content:"35.225.200.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218030/; classtype:trojan-activity;sid:81081130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sqdwbqss.exe"; http_uri; depth:13; isdataat:!1,relative; content:"m.put.re"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218029/; classtype:trojan-activity;sid:81081129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ghjtpfnwe=1"; http_uri; depth:12; isdataat:!1,relative; content:"thebohuff.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218028/; classtype:trojan-activity;sid:81081128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pm1"; http_uri; depth:4; isdataat:!1,relative; content:"139.180.195.36"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218027/; classtype:trojan-activity;sid:81081127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pm2"; http_uri; depth:4; isdataat:!1,relative; content:"139.180.195.36"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218026/; classtype:trojan-activity;sid:81081126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/p2"; http_uri; depth:3; isdataat:!1,relative; content:"139.180.195.36"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218025/; classtype:trojan-activity;sid:81081125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/p1"; http_uri; depth:3; isdataat:!1,relative; content:"139.180.195.36"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218024/; classtype:trojan-activity;sid:81081124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pagnupo27.php"; http_uri; depth:14; isdataat:!1,relative; content:"wyattspaintbody.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218023/; classtype:trojan-activity;sid:81081123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/cliente22/or%c3%a7amento%20de%20maio.msi"; http_uri; depth:46; isdataat:!1,relative; content:"f002.backblazeb2.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218021/; classtype:trojan-activity;sid:81081121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1989/23/ojan.doc"; http_uri; depth:17; isdataat:!1,relative; content:"holmnkolbas.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218020/; classtype:trojan-activity;sid:81081120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kabozadysag.exe"; http_uri; depth:16; isdataat:!1,relative; content:"216.170.114.196"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218019/; classtype:trojan-activity;sid:81081119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/123/dukeboys.msi"; http_uri; depth:17; isdataat:!1,relative; content:"baladefarms-com.ga"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218018/; classtype:trojan-activity;sid:81081118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tuesday/rain-amamx.exe"; http_uri; depth:23; isdataat:!1,relative; content:"climapro-africa.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218017/; classtype:trojan-activity;sid:81081117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/friday/newhyde.exe"; http_uri; depth:19; isdataat:!1,relative; content:"climapro-africa.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218016/; classtype:trojan-activity;sid:81081116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/msword2019.exe"; http_uri; depth:15; isdataat:!1,relative; content:"165.22.253.11"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218015/; classtype:trojan-activity;sid:81081115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv7l"; http_uri; depth:19; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218014/; classtype:trojan-activity;sid:81081114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm4"; http_uri; depth:12; isdataat:!1,relative; content:"157.230.124.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218012/; classtype:trojan-activity;sid:81081112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218013/; classtype:trojan-activity;sid:81081113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/noir_m.ips"; http_uri; depth:11; isdataat:!1,relative; content:"151.80.209.229"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218011/; classtype:trojan-activity;sid:81081111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv6l"; http_uri; depth:19; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218010/; classtype:trojan-activity;sid:81081110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.i586"; http_uri; depth:12; isdataat:!1,relative; content:"157.230.124.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218009/; classtype:trojan-activity;sid:81081109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.powerpc"; http_uri; depth:20; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218008/; classtype:trojan-activity;sid:81081108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218007/; classtype:trojan-activity;sid:81081107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/noir_m.68k"; http_uri; depth:11; isdataat:!1,relative; content:"151.80.209.229"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218006/; classtype:trojan-activity;sid:81081106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218005/; classtype:trojan-activity;sid:81081105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x32"; http_uri; depth:11; isdataat:!1,relative; content:"157.230.124.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218004/; classtype:trojan-activity;sid:81081104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.sparc"; http_uri; depth:18; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218003/; classtype:trojan-activity;sid:81081103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218002/; classtype:trojan-activity;sid:81081102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv4l"; http_uri; depth:19; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218001/; classtype:trojan-activity;sid:81081101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/noir_x.32"; http_uri; depth:10; isdataat:!1,relative; content:"151.80.209.229"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/218000/; classtype:trojan-activity;sid:81081100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217999/; classtype:trojan-activity;sid:81081099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217997/; classtype:trojan-activity;sid:81081097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.i586"; http_uri; depth:17; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217998/; classtype:trojan-activity;sid:81081098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217995/; classtype:trojan-activity;sid:81081095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217996/; classtype:trojan-activity;sid:81081096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.ppc"; http_uri; depth:11; isdataat:!1,relative; content:"157.230.124.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217994/; classtype:trojan-activity;sid:81081094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.199.96"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217993/; classtype:trojan-activity;sid:81081093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.i686"; http_uri; depth:17; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217992/; classtype:trojan-activity;sid:81081092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.199.96"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217991/; classtype:trojan-activity;sid:81081091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/noir_p.pc"; http_uri; depth:10; isdataat:!1,relative; content:"151.80.209.229"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217989/; classtype:trojan-activity;sid:81081089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/noir_s.h4"; http_uri; depth:10; isdataat:!1,relative; content:"151.80.209.229"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217990/; classtype:trojan-activity;sid:81081090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"165.22.199.96"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217986/; classtype:trojan-activity;sid:81081086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.x86"; http_uri; depth:16; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217987/; classtype:trojan-activity;sid:81081087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217988/; classtype:trojan-activity;sid:81081088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217985/; classtype:trojan-activity;sid:81081085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.m68k"; http_uri; depth:12; isdataat:!1,relative; content:"157.230.124.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217984/; classtype:trojan-activity;sid:81081084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217983/; classtype:trojan-activity;sid:81081083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217982/; classtype:trojan-activity;sid:81081082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/noir_i.586"; http_uri; depth:11; isdataat:!1,relative; content:"151.80.209.229"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217981/; classtype:trojan-activity;sid:81081081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.199.96"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217980/; classtype:trojan-activity;sid:81081080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv4l"; http_uri; depth:7; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217979/; classtype:trojan-activity;sid:81081079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/noir_m.psl"; http_uri; depth:11; isdataat:!1,relative; content:"151.80.209.229"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217978/; classtype:trojan-activity;sid:81081078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217977/; classtype:trojan-activity;sid:81081077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217975/; classtype:trojan-activity;sid:81081075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.mipsel"; http_uri; depth:19; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217976/; classtype:trojan-activity;sid:81081076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/noir_a.rm4"; http_uri; depth:11; isdataat:!1,relative; content:"151.80.209.229"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217974/; classtype:trojan-activity;sid:81081074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217972/; classtype:trojan-activity;sid:81081072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.mips"; http_uri; depth:17; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217973/; classtype:trojan-activity;sid:81081073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.199.96"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217971/; classtype:trojan-activity;sid:81081071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.199.96"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217970/; classtype:trojan-activity;sid:81081070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217968/; classtype:trojan-activity;sid:81081068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217969/; classtype:trojan-activity;sid:81081069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217967/; classtype:trojan-activity;sid:81081067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217966/; classtype:trojan-activity;sid:81081066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv5l"; http_uri; depth:19; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217964/; classtype:trojan-activity;sid:81081064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217965/; classtype:trojan-activity;sid:81081065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mips"; http_uri; depth:12; isdataat:!1,relative; content:"157.230.124.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217963/; classtype:trojan-activity;sid:81081063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"165.22.199.96"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217962/; classtype:trojan-activity;sid:81081062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217961/; classtype:trojan-activity;sid:81081061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mpsl"; http_uri; depth:12; isdataat:!1,relative; content:"157.230.124.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217960/; classtype:trojan-activity;sid:81081060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"165.22.203.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217959/; classtype:trojan-activity;sid:81081059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217958/; classtype:trojan-activity;sid:81081058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"157.230.124.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217957/; classtype:trojan-activity;sid:81081057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217956/; classtype:trojan-activity;sid:81081056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x86"; http_uri; depth:11; isdataat:!1,relative; content:"157.230.124.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217954/; classtype:trojan-activity;sid:81081054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217955/; classtype:trojan-activity;sid:81081055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"157.230.124.137"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217953/; classtype:trojan-activity;sid:81081053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"136.244.109.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217952/; classtype:trojan-activity;sid:81081052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217951/; classtype:trojan-activity;sid:81081051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wget"; http_uri; depth:5; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217950/; classtype:trojan-activity;sid:81081050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tftp"; http_uri; depth:5; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217949/; classtype:trojan-activity;sid:81081049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/[cpu]"; http_uri; depth:6; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217948/; classtype:trojan-activity;sid:81081048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftp"; http_uri; depth:4; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217947/; classtype:trojan-activity;sid:81081047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntpd"; http_uri; depth:5; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217946/; classtype:trojan-activity;sid:81081046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/css/ads_service.exe"; http_uri; depth:20; isdataat:!1,relative; content:"legacy-now.net"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217945/; classtype:trojan-activity;sid:81081045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/css/regedit_true.exe"; http_uri; depth:21; isdataat:!1,relative; content:"legacy-now.net"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217944/; classtype:trojan-activity;sid:81081044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217943/; classtype:trojan-activity;sid:81081043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217942/; classtype:trojan-activity;sid:81081042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apache2"; http_uri; depth:8; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217941/; classtype:trojan-activity;sid:81081041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217940/; classtype:trojan-activity;sid:81081040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217939/; classtype:trojan-activity;sid:81081039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"159.65.41.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217938/; classtype:trojan-activity;sid:81081038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a2nwdsf354gdf_signed.exe"; http_uri; depth:25; isdataat:!1,relative; content:"dfghdfghffd.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217937/; classtype:trojan-activity;sid:81081037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windis354hg.exe"; http_uri; depth:16; isdataat:!1,relative; content:"dfghdfghffd.ru"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217936/; classtype:trojan-activity;sid:81081036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/aa/doc2.exe"; http_uri; depth:12; isdataat:!1,relative; content:"edicustoms.com.au"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217935/; classtype:trojan-activity;sid:81081035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/casefile/adobe.exe"; http_uri; depth:24; isdataat:!1,relative; content:"f002.backblazeb2.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217934/; classtype:trojan-activity;sid:81081034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/555.exe"; http_uri; depth:8; isdataat:!1,relative; content:"111.230.7.153"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217933/; classtype:trojan-activity;sid:81081033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/val9fx4kx57wgrb.jpg"; http_uri; depth:20; isdataat:!1,relative; content:"ttdvl.s3.ca-central-1.amazonaws.com"; http_host; depth:35; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217932/; classtype:trojan-activity;sid:81081032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.i686"; http_uri; depth:11; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217931/; classtype:trojan-activity;sid:81081031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.i586"; http_uri; depth:11; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217930/; classtype:trojan-activity;sid:81081030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.mips"; http_uri; depth:11; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217929/; classtype:trojan-activity;sid:81081029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217928/; classtype:trojan-activity;sid:81081028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217927/; classtype:trojan-activity;sid:81081027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217926/; classtype:trojan-activity;sid:81081026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217925/; classtype:trojan-activity;sid:81081025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217924/; classtype:trojan-activity;sid:81081024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217923/; classtype:trojan-activity;sid:81081023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217922/; classtype:trojan-activity;sid:81081022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.x86"; http_uri; depth:10; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217921/; classtype:trojan-activity;sid:81081021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217919/; classtype:trojan-activity;sid:81081019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/q/seescenicelfq.exe"; http_uri; depth:20; isdataat:!1,relative; content:"www.kktoade.pw"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217918/; classtype:trojan-activity;sid:81081018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2/chuks.msi"; http_uri; depth:12; isdataat:!1,relative; content:"baladefarms-com.ga"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217917/; classtype:trojan-activity;sid:81081017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a/ug.msi"; http_uri; depth:9; isdataat:!1,relative; content:"baladefarms.ga"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217916/; classtype:trojan-activity;sid:81081016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/caro/like.exe"; http_uri; depth:14; isdataat:!1,relative; content:"hrklub-nop.hr"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217915/; classtype:trojan-activity;sid:81081015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x/ug.msi"; http_uri; depth:9; isdataat:!1,relative; content:"baladefarms-com.ga"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217913/; classtype:trojan-activity;sid:81081013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1/ug.msi"; http_uri; depth:9; isdataat:!1,relative; content:"baladefarms-com.ga"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217912/; classtype:trojan-activity;sid:81081012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x/kk.msi"; http_uri; depth:9; isdataat:!1,relative; content:"baladefarms-com.ga"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217911/; classtype:trojan-activity;sid:81081011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/carog/cool.exe"; http_uri; depth:15; isdataat:!1,relative; content:"hrklub-nop.hr"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217910/; classtype:trojan-activity;sid:81081010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/b/chuks.msi"; http_uri; depth:12; isdataat:!1,relative; content:"baladefarms.ga"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217909/; classtype:trojan-activity;sid:81081009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/55.exe"; http_uri; depth:7; isdataat:!1,relative; content:"194.61.1.86"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_19; reference:url, urlhaus.abuse.ch/url/217907/; classtype:trojan-activity;sid:81081007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ttttttttt.exe"; http_uri; depth:14; isdataat:!1,relative; content:"www.cilico.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217906/; classtype:trojan-activity;sid:81081006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.21.220"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217905/; classtype:trojan-activity;sid:81081005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"165.22.21.220"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217904/; classtype:trojan-activity;sid:81081004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntpd"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.21.220"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217903/; classtype:trojan-activity;sid:81081003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apache2"; http_uri; depth:8; isdataat:!1,relative; content:"165.22.21.220"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217902/; classtype:trojan-activity;sid:81081002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.21.220"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217901/; classtype:trojan-activity;sid:81081001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"165.22.21.220"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217899/; classtype:trojan-activity;sid:81080999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.21.220"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217898/; classtype:trojan-activity;sid:81080998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wget"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.21.220"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217900/; classtype:trojan-activity;sid:81081000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/isu80"; http_uri; depth:6; isdataat:!1,relative; content:"104.223.142.185"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217897/; classtype:trojan-activity;sid:81080997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nolp/nextt-online-public/set_identcodes/lang/de/00360471204/upd365_58v02.exe"; http_uri; depth:77; isdataat:!1,relative; content:"luxuryvailrentals.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217896/; classtype:trojan-activity;sid:81080996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nolp/nextt-online-public/set_identcodes/lang/de/00360471204/upd365_6v02.exe"; http_uri; depth:76; isdataat:!1,relative; content:"luxuryvailrentals.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217894/; classtype:trojan-activity;sid:81080994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer10.gxl"; http_uri; depth:28; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217892/; classtype:trojan-activity;sid:81080992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer11.gxl"; http_uri; depth:28; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217893/; classtype:trojan-activity;sid:81080993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer6.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217888/; classtype:trojan-activity;sid:81080988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer7.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217889/; classtype:trojan-activity;sid:81080989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer8.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217890/; classtype:trojan-activity;sid:81080990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer9.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217891/; classtype:trojan-activity;sid:81080991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer1.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217883/; classtype:trojan-activity;sid:81080983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer2.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217884/; classtype:trojan-activity;sid:81080984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer3.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217885/; classtype:trojan-activity;sid:81080985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer4.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217886/; classtype:trojan-activity;sid:81080986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer5.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"tie281chad2.xyz"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217887/; classtype:trojan-activity;sid:81080987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.mips64"; http_uri; depth:11; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217882/; classtype:trojan-activity;sid:81080982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.arm7"; http_uri; depth:9; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217881/; classtype:trojan-activity;sid:81080981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.sh4"; http_uri; depth:8; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217880/; classtype:trojan-activity;sid:81080980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.x86"; http_uri; depth:8; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217879/; classtype:trojan-activity;sid:81080979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.spc"; http_uri; depth:8; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217878/; classtype:trojan-activity;sid:81080978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.ppc"; http_uri; depth:8; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217877/; classtype:trojan-activity;sid:81080977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.mpsl"; http_uri; depth:9; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217876/; classtype:trojan-activity;sid:81080976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.mips"; http_uri; depth:9; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217875/; classtype:trojan-activity;sid:81080975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.m68"; http_uri; depth:8; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217874/; classtype:trojan-activity;sid:81080974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.i686"; http_uri; depth:9; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217873/; classtype:trojan-activity;sid:81080973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.arm6"; http_uri; depth:9; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217872/; classtype:trojan-activity;sid:81080972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gsparc"; http_uri; depth:7; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217871/; classtype:trojan-activity;sid:81080971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gx86"; http_uri; depth:5; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217870/; classtype:trojan-activity;sid:81080970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gsh4"; http_uri; depth:5; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217869/; classtype:trojan-activity;sid:81080969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gppc"; http_uri; depth:5; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217868/; classtype:trojan-activity;sid:81080968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gmpsl"; http_uri; depth:6; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217867/; classtype:trojan-activity;sid:81080967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gmips"; http_uri; depth:6; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217866/; classtype:trojan-activity;sid:81080966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gm68k"; http_uri; depth:6; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217865/; classtype:trojan-activity;sid:81080965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gi686"; http_uri; depth:6; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217864/; classtype:trojan-activity;sid:81080964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gi586"; http_uri; depth:6; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217863/; classtype:trojan-activity;sid:81080963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/garm7"; http_uri; depth:6; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217862/; classtype:trojan-activity;sid:81080962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/garm6"; http_uri; depth:6; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217861/; classtype:trojan-activity;sid:81080961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/garm5"; http_uri; depth:6; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217860/; classtype:trojan-activity;sid:81080960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/garm4"; http_uri; depth:6; isdataat:!1,relative; content:"134.209.48.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217859/; classtype:trojan-activity;sid:81080959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217858/; classtype:trojan-activity;sid:81080958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217857/; classtype:trojan-activity;sid:81080957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217856/; classtype:trojan-activity;sid:81080956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217855/; classtype:trojan-activity;sid:81080955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217854/; classtype:trojan-activity;sid:81080954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217853/; classtype:trojan-activity;sid:81080953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217852/; classtype:trojan-activity;sid:81080952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217851/; classtype:trojan-activity;sid:81080951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217850/; classtype:trojan-activity;sid:81080950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217849/; classtype:trojan-activity;sid:81080949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217848/; classtype:trojan-activity;sid:81080948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.9.166"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217847/; classtype:trojan-activity;sid:81080947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.m68k"; http_uri; depth:22; isdataat:!1,relative; content:"134.209.200.179"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217845/; classtype:trojan-activity;sid:81080945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.sh4"; http_uri; depth:21; isdataat:!1,relative; content:"134.209.200.179"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217846/; classtype:trojan-activity;sid:81080946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm7"; http_uri; depth:22; isdataat:!1,relative; content:"134.209.200.179"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217843/; classtype:trojan-activity;sid:81080943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.ppc"; http_uri; depth:21; isdataat:!1,relative; content:"134.209.200.179"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217844/; classtype:trojan-activity;sid:81080944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm5"; http_uri; depth:22; isdataat:!1,relative; content:"134.209.200.179"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217841/; classtype:trojan-activity;sid:81080941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm6"; http_uri; depth:22; isdataat:!1,relative; content:"134.209.200.179"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217842/; classtype:trojan-activity;sid:81080942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm4"; http_uri; depth:22; isdataat:!1,relative; content:"134.209.200.179"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217840/; classtype:trojan-activity;sid:81080940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mips"; http_uri; depth:22; isdataat:!1,relative; content:"134.209.200.179"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217838/; classtype:trojan-activity;sid:81080938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mpsl"; http_uri; depth:22; isdataat:!1,relative; content:"134.209.200.179"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217839/; classtype:trojan-activity;sid:81080939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.x86"; http_uri; depth:21; isdataat:!1,relative; content:"134.209.200.179"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217837/; classtype:trojan-activity;sid:81080937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.arm5"; http_uri; depth:9; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217836/; classtype:trojan-activity;sid:81080936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.arm4t"; http_uri; depth:10; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217835/; classtype:trojan-activity;sid:81080935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/try.arm4"; http_uri; depth:9; isdataat:!1,relative; content:"198.12.97.72"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217834/; classtype:trojan-activity;sid:81080934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files/great.exe"; http_uri; depth:16; isdataat:!1,relative; content:"www.espera-de.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217833/; classtype:trojan-activity;sid:81080933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2019/07/hjkf/information_09xz.doc"; http_uri; depth:53; isdataat:!1,relative; content:"sar-taxi.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217832/; classtype:trojan-activity;sid:81080932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2019/07/hjkf/uuz.exe"; http_uri; depth:40; isdataat:!1,relative; content:"sherzerinsurance.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217831/; classtype:trojan-activity;sid:81080931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/san.exe"; http_uri; depth:8; isdataat:!1,relative; content:"amarcoldstorage.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217830/; classtype:trojan-activity;sid:81080930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/trefzerit_n_2/css/1c.jpg"; http_uri; depth:35; isdataat:!1,relative; content:"trefzer-it.de"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217828/; classtype:trojan-activity;sid:81080928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/multilingual-press/inc/1.exe"; http_uri; depth:48; isdataat:!1,relative; content:"redzoneairsoft.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217826/; classtype:trojan-activity;sid:81080926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/multilingual-press/inc/3.exe"; http_uri; depth:48; isdataat:!1,relative; content:"redzoneairsoft.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217827/; classtype:trojan-activity;sid:81080927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2068480/attachments/0204902900.zip"; http_uri; depth:35; isdataat:!1,relative; content:"img.mailinblue.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217825/; classtype:trojan-activity;sid:81080925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files/news_parser.php"; http_uri; depth:22; isdataat:!1,relative; content:"eastsidedailynews.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217824/; classtype:trojan-activity;sid:81080924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/data.php"; http_uri; depth:9; isdataat:!1,relative; content:"elsalvadoropina.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217823/; classtype:trojan-activity;sid:81080923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/www/images/flash_downloader.php"; http_uri; depth:32; isdataat:!1,relative; content:"www.eloka.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217822/; classtype:trojan-activity;sid:81080922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/google7de4500bb1a397ab.php"; http_uri; depth:27; isdataat:!1,relative; content:"www.donpomodoro.com.co"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217821/; classtype:trojan-activity;sid:81080921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/flash_downloads.php"; http_uri; depth:20; isdataat:!1,relative; content:"www.drchip.org"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217820/; classtype:trojan-activity;sid:81080920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/graph_downloader.php"; http_uri; depth:28; isdataat:!1,relative; content:"globalgraphicart.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217819/; classtype:trojan-activity;sid:81080919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/emerald.php"; http_uri; depth:19; isdataat:!1,relative; content:"emeraldlodge49.org"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217818/; classtype:trojan-activity;sid:81080918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/ecocalc.php"; http_uri; depth:19; isdataat:!1,relative; content:"ecopathinternational.org"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217817/; classtype:trojan-activity;sid:81080917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/image_publisher.php"; http_uri; depth:27; isdataat:!1,relative; content:"easysellrealty.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217816/; classtype:trojan-activity;sid:81080916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/fullscreentester.php"; http_uri; depth:28; isdataat:!1,relative; content:"e-webtobiz.org"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217815/; classtype:trojan-activity;sid:81080915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files/greatt.exe"; http_uri; depth:17; isdataat:!1,relative; content:"www.espera-de.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217814/; classtype:trojan-activity;sid:81080914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/chatres/89/msg/20190627/b91559ac5f6d4d2f94f9fba20121170c.png"; http_uri; depth:61; isdataat:!1,relative; content:"img.sobot.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217813/; classtype:trojan-activity;sid:81080913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bu3.rar"; http_uri; depth:8; isdataat:!1,relative; content:"192.236.194.164"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217812/; classtype:trojan-activity;sid:81080912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp/new.exe"; http_uri; depth:11; isdataat:!1,relative; content:"elkagroupe.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217810/; classtype:trojan-activity;sid:81080910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tbin.exe"; http_uri; depth:9; isdataat:!1,relative; content:"52.57.240.181"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217809/; classtype:trojan-activity;sid:81080909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windrvx_new.exe"; http_uri; depth:16; isdataat:!1,relative; content:"185.246.116.185"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217808/; classtype:trojan-activity;sid:81080908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/client.rar"; http_uri; depth:11; isdataat:!1,relative; content:"185.49.68.139"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217807/; classtype:trojan-activity;sid:81080907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2.exe"; http_uri; depth:6; isdataat:!1,relative; content:"194.61.1.86"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217806/; classtype:trojan-activity;sid:81080906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/client.rar"; http_uri; depth:11; isdataat:!1,relative; content:"185.49.68.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217805/; classtype:trojan-activity;sid:81080905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/swklpfdv.exe"; http_uri; depth:13; isdataat:!1,relative; content:"212.38.166.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217804/; classtype:trojan-activity;sid:81080904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tin86.exe"; http_uri; depth:10; isdataat:!1,relative; content:"212.38.166.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217803/; classtype:trojan-activity;sid:81080903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tin.exe"; http_uri; depth:8; isdataat:!1,relative; content:"212.38.166.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217802/; classtype:trojan-activity;sid:81080902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/llinx525.6"; http_uri; depth:11; isdataat:!1,relative; content:"xz.gexgz.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217801/; classtype:trojan-activity;sid:81080901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/win.png"; http_uri; depth:8; isdataat:!1,relative; content:"212.38.166.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217800/; classtype:trojan-activity;sid:81080900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sin.png"; http_uri; depth:8; isdataat:!1,relative; content:"212.38.166.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217799/; classtype:trojan-activity;sid:81080899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tin.png"; http_uri; depth:8; isdataat:!1,relative; content:"212.38.166.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217798/; classtype:trojan-activity;sid:81080898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wezwanie.pdf.exe"; http_uri; depth:17; isdataat:!1,relative; content:"23.108.57.157"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217797/; classtype:trojan-activity;sid:81080897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/e5db0e07c3d7be80v520/networkservice.exe"; http_uri; depth:40; isdataat:!1,relative; content:"185.181.10.234"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217796/; classtype:trojan-activity;sid:81080896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer10.gxl"; http_uri; depth:28; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217794/; classtype:trojan-activity;sid:81080894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer11.gxl"; http_uri; depth:28; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217795/; classtype:trojan-activity;sid:81080895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer7.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217791/; classtype:trojan-activity;sid:81080891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer8.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217792/; classtype:trojan-activity;sid:81080892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer9.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217793/; classtype:trojan-activity;sid:81080893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer2.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217786/; classtype:trojan-activity;sid:81080886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer3.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217787/; classtype:trojan-activity;sid:81080887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer4.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217788/; classtype:trojan-activity;sid:81080888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer5.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217789/; classtype:trojan-activity;sid:81080889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer6.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217790/; classtype:trojan-activity;sid:81080890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=styer1.gxl"; http_uri; depth:27; isdataat:!1,relative; content:"dx019xsl1pace.xyz"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217785/; classtype:trojan-activity;sid:81080885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/1rdwwxlfbrjugujq/anb1m4vx8aqzim29/yglluwt4x2o30ea.exe"; http_uri; depth:59; isdataat:!1,relative; content:"plik.root.gg"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217784/; classtype:trojan-activity;sid:81080884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/stb.exe"; http_uri; depth:8; isdataat:!1,relative; content:"chrome.theworkpc.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217783/; classtype:trojan-activity;sid:81080883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/7mks8x/rke0w9y5b0zva9iyx0hev/8335op993ag8vtat99cuerrmhwfpb8zthi86y0d7uunfgdk4y75jc5n16o2alv4l/179890d1ef12c9b462b5d5ac82f7350811eea082.bat"; http_uri; depth:139; isdataat:!1,relative; content:"97762.prohoster.biz"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217782/; classtype:trojan-activity;sid:81080882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/e5db0e07c3d7be80v520/sysguard"; http_uri; depth:30; isdataat:!1,relative; content:"185.181.10.234"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217781/; classtype:trojan-activity;sid:81080881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/adb.arm7"; http_uri; depth:13; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217780/; classtype:trojan-activity;sid:81080880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217779/; classtype:trojan-activity;sid:81080879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.x86"; http_uri; depth:11; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217778/; classtype:trojan-activity;sid:81080878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/adb.x86"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217777/; classtype:trojan-activity;sid:81080877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.ppc"; http_uri; depth:11; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217776/; classtype:trojan-activity;sid:81080876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217775/; classtype:trojan-activity;sid:81080875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.mips"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217774/; classtype:trojan-activity;sid:81080874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.m68k"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217773/; classtype:trojan-activity;sid:81080873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.arm7"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217772/; classtype:trojan-activity;sid:81080872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217771/; classtype:trojan-activity;sid:81080871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.arm5"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217770/; classtype:trojan-activity;sid:81080870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.arm"; http_uri; depth:11; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217769/; classtype:trojan-activity;sid:81080869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/panel.zip"; http_uri; depth:10; isdataat:!1,relative; content:"arabkrobo.duckdns.org"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217768/; classtype:trojan-activity;sid:81080868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fdkjdcibs2_19.exe"; http_uri; depth:18; isdataat:!1,relative; content:"avheaven.icu"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217767/; classtype:trojan-activity;sid:81080867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm"; http_uri; depth:14; isdataat:!1,relative; content:"67.207.93.49"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217766/; classtype:trojan-activity;sid:81080866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"67.207.93.49"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217765/; classtype:trojan-activity;sid:81080865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm5"; http_uri; depth:15; isdataat:!1,relative; content:"67.207.93.49"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217764/; classtype:trojan-activity;sid:81080864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/im/vkino2.mid"; http_uri; depth:14; isdataat:!1,relative; content:"95.215.207.24"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217763/; classtype:trojan-activity;sid:81080863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jj/coms.exe"; http_uri; depth:12; isdataat:!1,relative; content:"bathandbedlinen.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217762/; classtype:trojan-activity;sid:81080862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/caro/caro.exe"; http_uri; depth:14; isdataat:!1,relative; content:"hrklub-nop.hr"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217761/; classtype:trojan-activity;sid:81080861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/20190628081548/baofengyingyin.exe"; http_uri; depth:41; isdataat:!1,relative; content:"dlres.iyims.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217760/; classtype:trojan-activity;sid:81080860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217759/; classtype:trojan-activity;sid:81080859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217758/; classtype:trojan-activity;sid:81080858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217757/; classtype:trojan-activity;sid:81080857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217756/; classtype:trojan-activity;sid:81080856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"35.182.31.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217755/; classtype:trojan-activity;sid:81080855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217754/; classtype:trojan-activity;sid:81080854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x32"; http_uri; depth:11; isdataat:!1,relative; content:"35.182.31.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217753/; classtype:trojan-activity;sid:81080853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217751/; classtype:trojan-activity;sid:81080851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217752/; classtype:trojan-activity;sid:81080852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntpd"; http_uri; depth:5; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217750/; classtype:trojan-activity;sid:81080850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tftp"; http_uri; depth:5; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217749/; classtype:trojan-activity;sid:81080849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217748/; classtype:trojan-activity;sid:81080848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217747/; classtype:trojan-activity;sid:81080847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apache2"; http_uri; depth:8; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217746/; classtype:trojan-activity;sid:81080846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217745/; classtype:trojan-activity;sid:81080845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wget"; http_uri; depth:5; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217744/; classtype:trojan-activity;sid:81080844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217743/; classtype:trojan-activity;sid:81080843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"46.29.161.238"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217742/; classtype:trojan-activity;sid:81080842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.ppc"; http_uri; depth:11; isdataat:!1,relative; content:"35.182.31.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217741/; classtype:trojan-activity;sid:81080841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217740/; classtype:trojan-activity;sid:81080840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.i586"; http_uri; depth:12; isdataat:!1,relative; content:"35.182.31.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217739/; classtype:trojan-activity;sid:81080839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217738/; classtype:trojan-activity;sid:81080838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217737/; classtype:trojan-activity;sid:81080837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mpsl"; http_uri; depth:12; isdataat:!1,relative; content:"35.182.31.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217736/; classtype:trojan-activity;sid:81080836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217735/; classtype:trojan-activity;sid:81080835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mips"; http_uri; depth:12; isdataat:!1,relative; content:"35.182.31.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217734/; classtype:trojan-activity;sid:81080834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217733/; classtype:trojan-activity;sid:81080833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm4"; http_uri; depth:12; isdataat:!1,relative; content:"35.182.31.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217732/; classtype:trojan-activity;sid:81080832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.m68k"; http_uri; depth:12; isdataat:!1,relative; content:"35.182.31.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217731/; classtype:trojan-activity;sid:81080831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x86"; http_uri; depth:11; isdataat:!1,relative; content:"35.182.31.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217730/; classtype:trojan-activity;sid:81080830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jforyvivf=2"; http_uri; depth:12; isdataat:!1,relative; content:"mybohuff.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217729/; classtype:trojan-activity;sid:81080829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"205.185.116.245"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217728/; classtype:trojan-activity;sid:81080828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"35.182.31.215"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217727/; classtype:trojan-activity;sid:81080827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"165.227.84.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217726/; classtype:trojan-activity;sid:81080826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-new/val1/vary.doc"; http_uri; depth:21; isdataat:!1,relative; content:"sukaponic.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217725/; classtype:trojan-activity;sid:81080825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apache2"; http_uri; depth:8; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217724/; classtype:trojan-activity;sid:81080824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217723/; classtype:trojan-activity;sid:81080823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.i686"; http_uri; depth:17; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217721/; classtype:trojan-activity;sid:81080821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217722/; classtype:trojan-activity;sid:81080822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217720/; classtype:trojan-activity;sid:81080820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217719/; classtype:trojan-activity;sid:81080819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"165.227.84.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217718/; classtype:trojan-activity;sid:81080818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217716/; classtype:trojan-activity;sid:81080816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv5l"; http_uri; depth:19; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217717/; classtype:trojan-activity;sid:81080817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.101.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217715/; classtype:trojan-activity;sid:81080815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217714/; classtype:trojan-activity;sid:81080814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntpd"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.101.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217712/; classtype:trojan-activity;sid:81080812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv4l"; http_uri; depth:7; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217713/; classtype:trojan-activity;sid:81080813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"165.227.84.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217711/; classtype:trojan-activity;sid:81080811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv4l"; http_uri; depth:19; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217710/; classtype:trojan-activity;sid:81080810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217709/; classtype:trojan-activity;sid:81080809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217708/; classtype:trojan-activity;sid:81080808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftp"; http_uri; depth:4; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217706/; classtype:trojan-activity;sid:81080806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217707/; classtype:trojan-activity;sid:81080807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217705/; classtype:trojan-activity;sid:81080805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217704/; classtype:trojan-activity;sid:81080804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217703/; classtype:trojan-activity;sid:81080803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217701/; classtype:trojan-activity;sid:81080801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217702/; classtype:trojan-activity;sid:81080802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/[cpu]"; http_uri; depth:6; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217700/; classtype:trojan-activity;sid:81080800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217699/; classtype:trojan-activity;sid:81080799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217698/; classtype:trojan-activity;sid:81080798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217696/; classtype:trojan-activity;sid:81080796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217697/; classtype:trojan-activity;sid:81080797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.101.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217695/; classtype:trojan-activity;sid:81080795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"165.22.101.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217694/; classtype:trojan-activity;sid:81080794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217693/; classtype:trojan-activity;sid:81080793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217692/; classtype:trojan-activity;sid:81080792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftp"; http_uri; depth:4; isdataat:!1,relative; content:"165.22.101.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217691/; classtype:trojan-activity;sid:81080791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.x86"; http_uri; depth:16; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217690/; classtype:trojan-activity;sid:81080790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217689/; classtype:trojan-activity;sid:81080789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntpd"; http_uri; depth:5; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217688/; classtype:trojan-activity;sid:81080788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.101.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217687/; classtype:trojan-activity;sid:81080787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wget"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.101.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217686/; classtype:trojan-activity;sid:81080786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217684/; classtype:trojan-activity;sid:81080784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217685/; classtype:trojan-activity;sid:81080785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217682/; classtype:trojan-activity;sid:81080782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv6l"; http_uri; depth:19; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217683/; classtype:trojan-activity;sid:81080783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217681/; classtype:trojan-activity;sid:81080781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217680/; classtype:trojan-activity;sid:81080780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217679/; classtype:trojan-activity;sid:81080779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"165.22.101.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217677/; classtype:trojan-activity;sid:81080777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.i586"; http_uri; depth:17; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217678/; classtype:trojan-activity;sid:81080778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apache2"; http_uri; depth:8; isdataat:!1,relative; content:"165.22.101.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217676/; classtype:trojan-activity;sid:81080776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.powerpc"; http_uri; depth:20; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217675/; classtype:trojan-activity;sid:81080775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv7l"; http_uri; depth:19; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217673/; classtype:trojan-activity;sid:81080773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.mipsel"; http_uri; depth:19; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217674/; classtype:trojan-activity;sid:81080774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217671/; classtype:trojan-activity;sid:81080771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217672/; classtype:trojan-activity;sid:81080772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"165.22.101.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217670/; classtype:trojan-activity;sid:81080770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.sparc"; http_uri; depth:18; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217669/; classtype:trojan-activity;sid:81080769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.x86"; http_uri; depth:14; isdataat:!1,relative; content:"67.207.93.49"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217668/; classtype:trojan-activity;sid:81080768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wget"; http_uri; depth:5; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217667/; classtype:trojan-activity;sid:81080767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217666/; classtype:trojan-activity;sid:81080766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.mips"; http_uri; depth:17; isdataat:!1,relative; content:"167.71.5.88"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217665/; classtype:trojan-activity;sid:81080765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tftp"; http_uri; depth:5; isdataat:!1,relative; content:"104.248.33.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217664/; classtype:trojan-activity;sid:81080764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ngr/ik/tbnbv.exe"; http_uri; depth:17; isdataat:!1,relative; content:"tfvn.com.vn"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217663/; classtype:trojan-activity;sid:81080763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"178.128.47.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217662/; classtype:trojan-activity;sid:81080762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"142.93.237.171"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217661/; classtype:trojan-activity;sid:81080761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/stefile.exe"; http_uri; depth:12; isdataat:!1,relative; content:"52.57.240.181"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217660/; classtype:trojan-activity;sid:81080760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rc.exe"; http_uri; depth:7; isdataat:!1,relative; content:"134.175.91.178"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217659/; classtype:trojan-activity;sid:81080759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/5.exe"; http_uri; depth:6; isdataat:!1,relative; content:"134.175.91.178"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217658/; classtype:trojan-activity;sid:81080758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ssl/j.exe"; http_uri; depth:10; isdataat:!1,relative; content:"danmaxexpress.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217657/; classtype:trojan-activity;sid:81080757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3.exe"; http_uri; depth:6; isdataat:!1,relative; content:"134.175.91.178"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217656/; classtype:trojan-activity;sid:81080756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/upload/20190703105216/%e6%9a%b4%e9%a3%8e%e5%bd%b1%e9%9f%b3.exe"; http_uri; depth:63; isdataat:!1,relative; content:"dlres.iyims.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217655/; classtype:trojan-activity;sid:81080755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hdgjscz/p2playerv1.0.exe"; http_uri; depth:25; isdataat:!1,relative; content:"www.xzlinfo.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217654/; classtype:trojan-activity;sid:81080754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ozsmd/p2playerv1.0.exe"; http_uri; depth:23; isdataat:!1,relative; content:"xzlinfo.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217653/; classtype:trojan-activity;sid:81080753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tmzdsjk/ppplayerv3.0.exe"; http_uri; depth:25; isdataat:!1,relative; content:"www.xzlinfo.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217652/; classtype:trojan-activity;sid:81080752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/img/cic.exe"; http_uri; depth:12; isdataat:!1,relative; content:"sbb21570.mycpanel.rs"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217650/; classtype:trojan-activity;sid:81080750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mrp/mrp.exe"; http_uri; depth:12; isdataat:!1,relative; content:"hrklub-nop.hr"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217649/; classtype:trojan-activity;sid:81080749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217648/; classtype:trojan-activity;sid:81080748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217647/; classtype:trojan-activity;sid:81080747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.x86"; http_uri; depth:10; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217646/; classtype:trojan-activity;sid:81080746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.i686"; http_uri; depth:11; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217645/; classtype:trojan-activity;sid:81080745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217644/; classtype:trojan-activity;sid:81080744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217643/; classtype:trojan-activity;sid:81080743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.mips"; http_uri; depth:11; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217642/; classtype:trojan-activity;sid:81080742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217640/; classtype:trojan-activity;sid:81080740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.i586"; http_uri; depth:11; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217639/; classtype:trojan-activity;sid:81080739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217638/; classtype:trojan-activity;sid:81080738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217637/; classtype:trojan-activity;sid:81080737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"139.59.44.60"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217636/; classtype:trojan-activity;sid:81080736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ru53332/ag4wil2tuwaatbecaejsfwasaek1f2ya/download.exe"; http_uri; depth:54; isdataat:!1,relative; content:"gameonly.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217635/; classtype:trojan-activity;sid:81080735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ru53332/age-kv2tuwaatbecaerffwaoapkf-osa/download.exe"; http_uri; depth:54; isdataat:!1,relative; content:"gameonly.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217633/; classtype:trojan-activity;sid:81080733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tmzdsjk"; http_uri; depth:8; isdataat:!1,relative; content:"www.xzlinfo.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217632/; classtype:trojan-activity;sid:81080732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tmzdsjk"; http_uri; depth:8; isdataat:!1,relative; content:"xzlinfo.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217631/; classtype:trojan-activity;sid:81080731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ru53332/ajtnkl2tuwaatbecaerffwamaisurnia"; http_uri; depth:41; isdataat:!1,relative; content:"gameonly.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217629/; classtype:trojan-activity;sid:81080729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hdgjscz"; http_uri; depth:8; isdataat:!1,relative; content:"www.xzlinfo.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217627/; classtype:trojan-activity;sid:81080727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ru53332/akvbkl2tuwaatbecaerfgqamaizemwua"; http_uri; depth:41; isdataat:!1,relative; content:"gameonly.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217625/; classtype:trojan-activity;sid:81080725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dd/dj.exe"; http_uri; depth:10; isdataat:!1,relative; content:"lectual.net"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217624/; classtype:trojan-activity;sid:81080724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ee/ee.exe"; http_uri; depth:10; isdataat:!1,relative; content:"lectual.net"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217623/; classtype:trojan-activity;sid:81080723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/postbackusa/2.exe"; http_uri; depth:18; isdataat:!1,relative; content:"3wereareyou.icu"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217621/; classtype:trojan-activity;sid:81080721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/postbackusa/1.exe"; http_uri; depth:18; isdataat:!1,relative; content:"3wereareyou.icu"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_18; reference:url, urlhaus.abuse.ch/url/217620/; classtype:trojan-activity;sid:81080720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jj/jj.exe"; http_uri; depth:10; isdataat:!1,relative; content:"lectual.net"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217619/; classtype:trojan-activity;sid:81080719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/js/firefox.bin"; http_uri; depth:24; isdataat:!1,relative; content:"stingersrestaurant.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217617/; classtype:trojan-activity;sid:81080717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m/put.exe"; http_uri; depth:10; isdataat:!1,relative; content:"kimotokisen.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217616/; classtype:trojan-activity;sid:81080716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/setupktpro_v1.1.8.exe"; http_uri; depth:22; isdataat:!1,relative; content:"download.ktkt.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217615/; classtype:trojan-activity;sid:81080715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/us/2.exe"; http_uri; depth:9; isdataat:!1,relative; content:"4wereareyou.icu"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217614/; classtype:trojan-activity;sid:81080714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/us/1.exe"; http_uri; depth:9; isdataat:!1,relative; content:"4wereareyou.icu"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217613/; classtype:trojan-activity;sid:81080713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/us/loader.exe"; http_uri; depth:14; isdataat:!1,relative; content:"4wereareyou.icu"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217611/; classtype:trojan-activity;sid:81080711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/beez_20/html/1c.jpg"; http_uri; depth:30; isdataat:!1,relative; content:"biomas.fr"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217609/; classtype:trojan-activity;sid:81080709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2018/06/201806065969_1243.doc"; http_uri; depth:30; isdataat:!1,relative; content:"data.kaoyany.top"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217608/; classtype:trojan-activity;sid:81080708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ssl/document002.zip"; http_uri; depth:20; isdataat:!1,relative; content:"danmaxexpress.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217607/; classtype:trojan-activity;sid:81080707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wk.exe"; http_uri; depth:7; isdataat:!1,relative; content:"59.47.69.221"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217606/; classtype:trojan-activity;sid:81080706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dd/4091302"; http_uri; depth:11; isdataat:!1,relative; content:"35.225.200.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217605/; classtype:trojan-activity;sid:81080705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/s443ls"; http_uri; depth:7; isdataat:!1,relative; content:"104.223.142.185"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217604/; classtype:trojan-activity;sid:81080704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bartn/blk.exe"; http_uri; depth:14; isdataat:!1,relative; content:"zerodayv3startedexploitpcwithexcelgreat.duckdns.org"; http_host; depth:51; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217603/; classtype:trojan-activity;sid:81080703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sunshine/sunshine.exe"; http_uri; depth:22; isdataat:!1,relative; content:"mrjbiz.top"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217602/; classtype:trojan-activity;sid:81080702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/peterz/peterz.exe"; http_uri; depth:18; isdataat:!1,relative; content:"mrjbiz.top"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217601/; classtype:trojan-activity;sid:81080701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arinzo/arinzo.exe"; http_uri; depth:18; isdataat:!1,relative; content:"mrjbiz.top"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217600/; classtype:trojan-activity;sid:81080700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hay/ose.exe"; http_uri; depth:12; isdataat:!1,relative; content:"onholyland.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217599/; classtype:trojan-activity;sid:81080699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bartn/jhn.exe"; http_uri; depth:14; isdataat:!1,relative; content:"zerodayv3startedexploitpcwithexcelgreat.duckdns.org"; http_host; depth:51; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217598/; classtype:trojan-activity;sid:81080698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sant/bab.exe"; http_uri; depth:13; isdataat:!1,relative; content:"zerodayv3startedexploitpcwithexcelgreat.duckdns.org"; http_host; depth:51; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217597/; classtype:trojan-activity;sid:81080697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sant/fran.exe"; http_uri; depth:14; isdataat:!1,relative; content:"zerodayv3startedexploitpcwithexcelgreat.duckdns.org"; http_host; depth:51; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217596/; classtype:trojan-activity;sid:81080696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wadeng.png"; http_uri; depth:11; isdataat:!1,relative; content:"31.184.254.18"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217595/; classtype:trojan-activity;sid:81080695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/trablon.png"; http_uri; depth:12; isdataat:!1,relative; content:"31.184.254.18"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217594/; classtype:trojan-activity;sid:81080694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/samagden.png"; http_uri; depth:13; isdataat:!1,relative; content:"31.184.254.18"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217593/; classtype:trojan-activity;sid:81080693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xt.exe"; http_uri; depth:7; isdataat:!1,relative; content:"yenchin77.5gbfree.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217591/; classtype:trojan-activity;sid:81080691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/martincol/martincol.exe"; http_uri; depth:24; isdataat:!1,relative; content:"mrjbiz.top"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217590/; classtype:trojan-activity;sid:81080690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nolp/nextt-online-public/set_identcodes/lang/de/00360471204/kvs_8342166_30.exe"; http_uri; depth:79; isdataat:!1,relative; content:"luxuryvailrentals.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217589/; classtype:trojan-activity;sid:81080689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/invoice.doc"; http_uri; depth:12; isdataat:!1,relative; content:"noqigxa.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217587/; classtype:trojan-activity;sid:81080687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ks.exe"; http_uri; depth:7; isdataat:!1,relative; content:"eaidalimatata.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217586/; classtype:trojan-activity;sid:81080686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kz1.exe"; http_uri; depth:8; isdataat:!1,relative; content:"eaidalimatata.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217585/; classtype:trojan-activity;sid:81080685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgi-bin1/document.doc"; http_uri; depth:22; isdataat:!1,relative; content:"eaidalimatata.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217584/; classtype:trojan-activity;sid:81080684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cgi-bin1/c.exe"; http_uri; depth:15; isdataat:!1,relative; content:"eaidalimatata.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217583/; classtype:trojan-activity;sid:81080683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/updateserver/update/downloadappid=sst|26|filemd=b081119968cc1565eefaae5174bf8640"; http_uri; depth:81; isdataat:!1,relative; content:"updatesst.aiee.fun"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217582/; classtype:trojan-activity;sid:81080682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/forum/files/winhost.exe"; http_uri; depth:24; isdataat:!1,relative; content:"5.2.77.232"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217581/; classtype:trojan-activity;sid:81080681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/k/put.exe"; http_uri; depth:10; isdataat:!1,relative; content:"kimotokisen.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217580/; classtype:trojan-activity;sid:81080680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/latest.exe"; http_uri; depth:11; isdataat:!1,relative; content:"shmajik.gq"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217579/; classtype:trojan-activity;sid:81080679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cutt.exe"; http_uri; depth:9; isdataat:!1,relative; content:"shmajik.gq"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217578/; classtype:trojan-activity;sid:81080678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/brt.exe"; http_uri; depth:8; isdataat:!1,relative; content:"shmajik.gq"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217577/; classtype:trojan-activity;sid:81080677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jun/joj.exe"; http_uri; depth:12; isdataat:!1,relative; content:"onholyland.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217576/; classtype:trojan-activity;sid:81080676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fuzhu/wwsgv0.1.exe"; http_uri; depth:19; isdataat:!1,relative; content:"202.107.233.41"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217575/; classtype:trojan-activity;sid:81080675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerad.jpg"; http_uri; depth:12; isdataat:!1,relative; content:"shmajik.gq"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217574/; classtype:trojan-activity;sid:81080674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dj/dj.exe"; http_uri; depth:10; isdataat:!1,relative; content:"autosyan.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217573/; classtype:trojan-activity;sid:81080673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ssl/ssl.exe"; http_uri; depth:12; isdataat:!1,relative; content:"danmaxexpress.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217572/; classtype:trojan-activity;sid:81080672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/inv.jpg"; http_uri; depth:8; isdataat:!1,relative; content:"gullf-marine.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217571/; classtype:trojan-activity;sid:81080671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/forum/files/taskhost.exe"; http_uri; depth:25; isdataat:!1,relative; content:"5.2.77.232"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217570/; classtype:trojan-activity;sid:81080670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kk/jss.exe"; http_uri; depth:11; isdataat:!1,relative; content:"danmaxexpress.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217569/; classtype:trojan-activity;sid:81080669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kk/file.exe"; http_uri; depth:12; isdataat:!1,relative; content:"danmaxexpress.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217568/; classtype:trojan-activity;sid:81080668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kk/cjihe.exe"; http_uri; depth:13; isdataat:!1,relative; content:"danmaxexpress.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217567/; classtype:trojan-activity;sid:81080667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ssl/image001_20190716237.doc"; http_uri; depth:29; isdataat:!1,relative; content:"danmaxexpress.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217566/; classtype:trojan-activity;sid:81080666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ssl/u.exe"; http_uri; depth:10; isdataat:!1,relative; content:"danmaxexpress.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217565/; classtype:trojan-activity;sid:81080665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gs.php"; http_uri; depth:7; isdataat:!1,relative; content:"185.193.141.248"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217564/; classtype:trojan-activity;sid:81080664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/raw/cy2eemjn"; http_uri; depth:13; isdataat:!1,relative; content:"pastebin.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217563/; classtype:trojan-activity;sid:81080663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/partiya/malashop.exe"; http_uri; depth:21; isdataat:!1,relative; content:"informatioshopname.ru"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217562/; classtype:trojan-activity;sid:81080662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pdf.exe"; http_uri; depth:8; isdataat:!1,relative; content:"www.mywp.asia"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217561/; classtype:trojan-activity;sid:81080661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1ooqzqptkq1czynh0zo-6he9epgwovgso/view"; http_uri; depth:46; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217560/; classtype:trojan-activity;sid:81080660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1ntv6au_ztgj9djrqwbnfqrqzdggtejhi/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217559/; classtype:trojan-activity;sid:81080659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/18_fhyeafif9osl6vsbjlcghxeuz8loat/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217557/; classtype:trojan-activity;sid:81080657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1tphlw2bevsomcls7ty-mprhm3pxcyr1e/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217558/; classtype:trojan-activity;sid:81080658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1vtc05fa7rzortd2bucifvdplls45escx/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217556/; classtype:trojan-activity;sid:81080656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1wg2v7f-o0ezw-mfzrb2fn29y1_qrp9ht/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217555/; classtype:trojan-activity;sid:81080655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1h3gznvzshp8d3cxebwrmrmk4sgfnep_i/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217554/; classtype:trojan-activity;sid:81080654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1jq6afawou7dpcnx6qocqjxi9izhbb_a8/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217553/; classtype:trojan-activity;sid:81080653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1mqdymbzl0tk8l0ra3dle5zan-mpm_cig/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217552/; classtype:trojan-activity;sid:81080652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1-ppxjphycblbk7-p5w98emvz1unv2dl7/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217551/; classtype:trojan-activity;sid:81080651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1km5pd-yx-wvwctyq6aouxpwfmferlocq/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217550/; classtype:trojan-activity;sid:81080650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1oremkeuoppzxplpnsgav0br-97f59beg/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217548/; classtype:trojan-activity;sid:81080648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1zikaqqyulpg9yf-wpmfwfbe0pigv4z7r/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217549/; classtype:trojan-activity;sid:81080649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1jvipomp2sq-huxptsq3lgs5bywftqrvr/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217547/; classtype:trojan-activity;sid:81080647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1ny2v7pcp0kfp5yvnm7fdiyvtp1fraftb/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217546/; classtype:trojan-activity;sid:81080646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1qop6axfsshqhjanruyxxzfippqm1xag1/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217545/; classtype:trojan-activity;sid:81080645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1itokroffzm6i46c37vluogrjhl-wcovr/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217544/; classtype:trojan-activity;sid:81080644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1y_6ri0gsbjz1cbk9azjv2gbxhrjhyt7a/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217543/; classtype:trojan-activity;sid:81080643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1chaddyvludfq0vi64dkd19qokr_4vpkq/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217541/; classtype:trojan-activity;sid:81080641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1snun9_0suot7hkwemqhjjtrq8g9tvnmr/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217542/; classtype:trojan-activity;sid:81080642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1mif1pufybqpn8q2_brkyynp_dbenmzik/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217540/; classtype:trojan-activity;sid:81080640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1yh-jaldvvfo5ye_sdaaba3geyee7312c/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217539/; classtype:trojan-activity;sid:81080639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1bq0vwtqhzh0kqvrc-qudpkrfccyr7vbz/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217538/; classtype:trojan-activity;sid:81080638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/108k3pyxukgtatrhgc7vkpzlltzbie2sy/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217537/; classtype:trojan-activity;sid:81080637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1o95ldhkrurt-mnct_hi54hjk8z6xyz59/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217536/; classtype:trojan-activity;sid:81080636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1du3kabivge0tfmnwdmbq3qu6v2lhpl3m/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217535/; classtype:trojan-activity;sid:81080635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1fxzifvkdwxmlolaoblis5nlltkgtnzn6/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217534/; classtype:trojan-activity;sid:81080634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ttttttttt.exe"; http_uri; depth:14; isdataat:!1,relative; content:"cilico.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217533/; classtype:trojan-activity;sid:81080633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1mcxxwwecmbkabd2wqyfcijg200gculfc/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217532/; classtype:trojan-activity;sid:81080632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1lreff6lsqenm44vbfoy6v8qjna0kb6vz/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217531/; classtype:trojan-activity;sid:81080631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1xamueuh2cptn_ud1mgnmtmnusdg5fkq-/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217530/; classtype:trojan-activity;sid:81080630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1cmkvcyyd7559uk61hu6wrmnnfz0xbhm2/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217529/; classtype:trojan-activity;sid:81080629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1dl69yyh1z0xcb6hqbish8owvkucygzoo/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217527/; classtype:trojan-activity;sid:81080627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1ydnio0qehtt4e3hiwhjjooliy9b21bck/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217528/; classtype:trojan-activity;sid:81080628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1pxx1fkzxwr5tfahaxu-howzdhokq0sdd/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217526/; classtype:trojan-activity;sid:81080626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1ucmgruaek26nh_bxoeh4pdlrfphaeatw/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217525/; classtype:trojan-activity;sid:81080625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/14qmrdewdoccbcrv2k0intfnx4fdnjwj4/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217524/; classtype:trojan-activity;sid:81080624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1kvxibss6aovd-zpdi6tceirtgk_46i5-/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217522/; classtype:trojan-activity;sid:81080622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1ul1xdtccivpvccmr6w4cthfllhbwsx2m/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217523/; classtype:trojan-activity;sid:81080623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1a4iwdzbxxjhnwbejcab85tm_zpx1okze/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217521/; classtype:trojan-activity;sid:81080621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1arvadm5b19yku_qe3fhmp_ahcyct6tla/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217520/; classtype:trojan-activity;sid:81080620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1nifxo8jn_oeqsr79x_ibmpirnckkls5b/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217519/; classtype:trojan-activity;sid:81080619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1dz5gsabyhmeam96i2qnlsqujhqjb8mku/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217518/; classtype:trojan-activity;sid:81080618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1mwhm7nzigtdusypzrbcap7j6vxb-a89n/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217517/; classtype:trojan-activity;sid:81080617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1fo0d5lvw1fsvgtm4ajjexxfxuvhlu7kd/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217516/; classtype:trojan-activity;sid:81080616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1u8vdhwnjklj-2ye4l3kc-ehr5bix0vr_/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217515/; classtype:trojan-activity;sid:81080615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/17ekgx2jywbe1wa0yowmng0hzztdm9pv9/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217514/; classtype:trojan-activity;sid:81080614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1fcwj4k3-um5wdbgpkoxr6fdy88ycc8cq/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217513/; classtype:trojan-activity;sid:81080613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1yw2kzsmkecfkn_thc8tuyxujbqesfm-f/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217512/; classtype:trojan-activity;sid:81080612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1ejnygxlh4jrskecq8qxi-w8j-4jieln0/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217511/; classtype:trojan-activity;sid:81080611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1flyzmxsfnqtde5k0hlib43psnbiv_7ge/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217510/; classtype:trojan-activity;sid:81080610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1pacyvhlpvvbnx3o9ncgjztlb6raji7eh/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217509/; classtype:trojan-activity;sid:81080609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1zjm19uoycsf-zzvon4amtmgu0h0yo5og/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217508/; classtype:trojan-activity;sid:81080608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1v2qxcpx491dupmf2vj_wq8vyl-estbg_/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217507/; classtype:trojan-activity;sid:81080607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/13d5qi4auegdscuqh7gs4c4ccwazxhkxd/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217506/; classtype:trojan-activity;sid:81080606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/177y5k7pon9bdwepkzrox1vl2d1a2rx2e/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217505/; classtype:trojan-activity;sid:81080605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cvrpdyijf=2"; http_uri; depth:12; isdataat:!1,relative; content:"lloydsbankdocs.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217503/; classtype:trojan-activity;sid:81080603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1mw3uee-s4cmammmmiish1ukzvglsuwfq/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217504/; classtype:trojan-activity;sid:81080604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dd/10657878"; http_uri; depth:12; isdataat:!1,relative; content:"35.225.200.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217502/; classtype:trojan-activity;sid:81080602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp.jpg"; http_uri; depth:8; isdataat:!1,relative; content:"cilico.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217501/; classtype:trojan-activity;sid:81080601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/net.jpg"; http_uri; depth:8; isdataat:!1,relative; content:"cilico.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217500/; classtype:trojan-activity;sid:81080600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hoho.ppc"; http_uri; depth:9; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217499/; classtype:trojan-activity;sid:81080599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/visgean/zeus/zip/translation"; http_uri; depth:29; isdataat:!1,relative; content:"codeload.github.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217498/; classtype:trojan-activity;sid:81080598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass11.gxl"; http_uri; depth:30; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217497/; classtype:trojan-activity;sid:81080597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass10.gxl"; http_uri; depth:30; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217496/; classtype:trojan-activity;sid:81080596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass4.gxl"; http_uri; depth:29; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217490/; classtype:trojan-activity;sid:81080590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass5.gxl"; http_uri; depth:29; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217491/; classtype:trojan-activity;sid:81080591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass6.gxl"; http_uri; depth:29; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217492/; classtype:trojan-activity;sid:81080592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass7.gxl"; http_uri; depth:29; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217493/; classtype:trojan-activity;sid:81080593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass8.gxl"; http_uri; depth:29; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217494/; classtype:trojan-activity;sid:81080594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass9.gxl"; http_uri; depth:29; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217495/; classtype:trojan-activity;sid:81080595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass1.gxl"; http_uri; depth:29; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217487/; classtype:trojan-activity;sid:81080587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass2.gxl"; http_uri; depth:29; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217488/; classtype:trojan-activity;sid:81080588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sywo/fgoow.phpl=dxclass3.gxl"; http_uri; depth:29; isdataat:!1,relative; content:"fcamylleibrahim.top"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217489/; classtype:trojan-activity;sid:81080589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/meteoradminz/hidden-tear/zip/master"; http_uri; depth:36; isdataat:!1,relative; content:"codeload.github.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217486/; classtype:trojan-activity;sid:81080586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/beefproject/beef/zip/beef-0.4.6.1"; http_uri; depth:34; isdataat:!1,relative; content:"codeload.github.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217485/; classtype:trojan-activity;sid:81080585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pld/output.exe"; http_uri; depth:15; isdataat:!1,relative; content:"45.67.14.181"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217484/; classtype:trojan-activity;sid:81080584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/s/d32w26npiw44vfk/purchase%20order2019-00129.zipdl=1"; http_uri; depth:53; isdataat:!1,relative; content:"www.dropbox.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217483/; classtype:trojan-activity;sid:81080583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/lapax1.2.3c/fonts/1c.jpg"; http_uri; depth:43; isdataat:!1,relative; content:"taskulitbanyuwangi.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217482/; classtype:trojan-activity;sid:81080582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/lapax1.2.3c/libs/fonts/1c.jpg"; http_uri; depth:48; isdataat:!1,relative; content:"pemudasumbersewumarketing.com"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217481/; classtype:trojan-activity;sid:81080581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217479/; classtype:trojan-activity;sid:81080579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217480/; classtype:trojan-activity;sid:81080580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217477/; classtype:trojan-activity;sid:81080577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217478/; classtype:trojan-activity;sid:81080578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217476/; classtype:trojan-activity;sid:81080576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217474/; classtype:trojan-activity;sid:81080574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217475/; classtype:trojan-activity;sid:81080575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv4l"; http_uri; depth:7; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217473/; classtype:trojan-activity;sid:81080573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217472/; classtype:trojan-activity;sid:81080572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217471/; classtype:trojan-activity;sid:81080571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217470/; classtype:trojan-activity;sid:81080570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217469/; classtype:trojan-activity;sid:81080569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"5.196.42.123"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217468/; classtype:trojan-activity;sid:81080568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3appverif.chm"; http_uri; depth:14; isdataat:!1,relative; content:"103.1.250.236"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217467/; classtype:trojan-activity;sid:81080567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cmd"; http_uri; depth:4; isdataat:!1,relative; content:"69.64.43.224"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217466/; classtype:trojan-activity;sid:81080566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/neoinvestimentos.msi"; http_uri; depth:21; isdataat:!1,relative; content:"69.64.43.224"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217465/; classtype:trojan-activity;sid:81080565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/c.vbs"; http_uri; depth:6; isdataat:!1,relative; content:"69.64.43.224"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217464/; classtype:trojan-activity;sid:81080564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tsi.ps1"; http_uri; depth:8; isdataat:!1,relative; content:"69.64.43.224"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217463/; classtype:trojan-activity;sid:81080563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/neo.exe"; http_uri; depth:8; isdataat:!1,relative; content:"69.64.43.224"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217462/; classtype:trojan-activity;sid:81080562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/notepad.exe"; http_uri; depth:12; isdataat:!1,relative; content:"69.64.43.224"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217461/; classtype:trojan-activity;sid:81080561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/calculadora.exe"; http_uri; depth:16; isdataat:!1,relative; content:"69.64.43.224"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217460/; classtype:trojan-activity;sid:81080560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dj/dj.exe"; http_uri; depth:10; isdataat:!1,relative; content:"garciaikoplesver.net"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217459/; classtype:trojan-activity;sid:81080559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"134.19.188.107"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217458/; classtype:trojan-activity;sid:81080558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"134.19.188.107"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217457/; classtype:trojan-activity;sid:81080557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"134.19.188.107"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217456/; classtype:trojan-activity;sid:81080556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"134.19.188.107"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217455/; classtype:trojan-activity;sid:81080555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"134.19.188.107"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217454/; classtype:trojan-activity;sid:81080554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.x86_64"; http_uri; depth:14; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217453/; classtype:trojan-activity;sid:81080553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.i586"; http_uri; depth:12; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217452/; classtype:trojan-activity;sid:81080552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.ppc"; http_uri; depth:11; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217451/; classtype:trojan-activity;sid:81080551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.i686"; http_uri; depth:12; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217450/; classtype:trojan-activity;sid:81080550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.m68k"; http_uri; depth:12; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217448/; classtype:trojan-activity;sid:81080548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.sparc"; http_uri; depth:13; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217449/; classtype:trojan-activity;sid:81080549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217446/; classtype:trojan-activity;sid:81080546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.arm7"; http_uri; depth:12; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217447/; classtype:trojan-activity;sid:81080547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.arm4"; http_uri; depth:12; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217444/; classtype:trojan-activity;sid:81080544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.arm5"; http_uri; depth:12; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217445/; classtype:trojan-activity;sid:81080545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217443/; classtype:trojan-activity;sid:81080543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.mips"; http_uri; depth:12; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217441/; classtype:trojan-activity;sid:81080541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.mipsel"; http_uri; depth:14; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217442/; classtype:trojan-activity;sid:81080542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ugpounds/ugopound.exe"; http_uri; depth:22; isdataat:!1,relative; content:"mrjbiz.top"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217440/; classtype:trojan-activity;sid:81080540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/frankjoe/frankjoe.exe"; http_uri; depth:22; isdataat:!1,relative; content:"mrjbiz.top"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217439/; classtype:trojan-activity;sid:81080539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ezenunu/ezenunu.exe"; http_uri; depth:20; isdataat:!1,relative; content:"mrjbiz.top"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217438/; classtype:trojan-activity;sid:81080538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sunshine/sunshine.exe"; http_uri; depth:22; isdataat:!1,relative; content:"jessecom.top"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217437/; classtype:trojan-activity;sid:81080537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jeffy2/ps2.exe"; http_uri; depth:15; isdataat:!1,relative; content:"jessecom.top"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217436/; classtype:trojan-activity;sid:81080536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/kelvine/kelvine.exe"; http_uri; depth:20; isdataat:!1,relative; content:"jessecom.top"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217435/; classtype:trojan-activity;sid:81080535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.spc"; http_uri; depth:21; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217433/; classtype:trojan-activity;sid:81080533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.x86"; http_uri; depth:21; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217434/; classtype:trojan-activity;sid:81080534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mpsl"; http_uri; depth:22; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217431/; classtype:trojan-activity;sid:81080531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.sh4"; http_uri; depth:21; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217432/; classtype:trojan-activity;sid:81080532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mips"; http_uri; depth:22; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217430/; classtype:trojan-activity;sid:81080530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm7"; http_uri; depth:22; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217428/; classtype:trojan-activity;sid:81080528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.m68k"; http_uri; depth:22; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217429/; classtype:trojan-activity;sid:81080529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm5"; http_uri; depth:22; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217426/; classtype:trojan-activity;sid:81080526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm6"; http_uri; depth:22; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217427/; classtype:trojan-activity;sid:81080527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm"; http_uri; depth:21; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217425/; classtype:trojan-activity;sid:81080525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.ppc"; http_uri; depth:21; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217424/; classtype:trojan-activity;sid:81080524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zzz/sh4.idopoc"; http_uri; depth:15; isdataat:!1,relative; content:"35.236.94.93"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217423/; classtype:trojan-activity;sid:81080523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gm68k"; http_uri; depth:6; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217422/; classtype:trojan-activity;sid:81080522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gmpsl"; http_uri; depth:6; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217421/; classtype:trojan-activity;sid:81080521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gsh4"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217420/; classtype:trojan-activity;sid:81080520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gmips"; http_uri; depth:6; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217419/; classtype:trojan-activity;sid:81080519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gi686"; http_uri; depth:6; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217418/; classtype:trojan-activity;sid:81080518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gi586"; http_uri; depth:6; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217417/; classtype:trojan-activity;sid:81080517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/garm7"; http_uri; depth:6; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217416/; classtype:trojan-activity;sid:81080516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/garm6"; http_uri; depth:6; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217415/; classtype:trojan-activity;sid:81080515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/garm5"; http_uri; depth:6; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217414/; classtype:trojan-activity;sid:81080514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/garm"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217413/; classtype:trojan-activity;sid:81080513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gx86"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.76.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217412/; classtype:trojan-activity;sid:81080512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/owari.mips"; http_uri; depth:16; isdataat:!1,relative; content:"165.227.95.53"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217411/; classtype:trojan-activity;sid:81080511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/owari.ppc"; http_uri; depth:15; isdataat:!1,relative; content:"165.227.95.53"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217410/; classtype:trojan-activity;sid:81080510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/owari.spc"; http_uri; depth:15; isdataat:!1,relative; content:"165.227.95.53"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217409/; classtype:trojan-activity;sid:81080509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/owari.sh4"; http_uri; depth:15; isdataat:!1,relative; content:"165.227.95.53"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217408/; classtype:trojan-activity;sid:81080508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/owari.arm"; http_uri; depth:15; isdataat:!1,relative; content:"165.227.95.53"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217406/; classtype:trojan-activity;sid:81080506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/owari.x86"; http_uri; depth:15; isdataat:!1,relative; content:"165.227.95.53"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217407/; classtype:trojan-activity;sid:81080507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/owari.arm6"; http_uri; depth:16; isdataat:!1,relative; content:"165.227.95.53"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217405/; classtype:trojan-activity;sid:81080505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/owari.arm7"; http_uri; depth:16; isdataat:!1,relative; content:"165.227.95.53"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217404/; classtype:trojan-activity;sid:81080504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/seraph.sh"; http_uri; depth:10; isdataat:!1,relative; content:"212.237.13.216"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217403/; classtype:trojan-activity;sid:81080503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bobbye/bobbye.exe"; http_uri; depth:18; isdataat:!1,relative; content:"mrjbiz.top"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217402/; classtype:trojan-activity;sid:81080502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rector/rector.exe"; http_uri; depth:18; isdataat:!1,relative; content:"mrjbiz.top"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217401/; classtype:trojan-activity;sid:81080501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jige/jige.exe"; http_uri; depth:14; isdataat:!1,relative; content:"jessecom.top"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217399/; classtype:trojan-activity;sid:81080499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ttfo.exe"; http_uri; depth:9; isdataat:!1,relative; content:"zmfcgxwchmkfvqrwnnmgbvrsqjtcfwxr.soho.limo"; http_host; depth:42; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217397/; classtype:trojan-activity;sid:81080497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dotty/dotty.exe"; http_uri; depth:16; isdataat:!1,relative; content:"jessecom.top"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217395/; classtype:trojan-activity;sid:81080495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hoho.x86"; http_uri; depth:9; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217394/; classtype:trojan-activity;sid:81080494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mataorder.exe"; http_uri; depth:14; isdataat:!1,relative; content:"zmfcgxwchmkfvqrwnnmgbvrsqjtcfwxr.soho.limo"; http_host; depth:42; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217392/; classtype:trojan-activity;sid:81080492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/includes/firefox.bin"; http_uri; depth:30; isdataat:!1,relative; content:"iccf-bg.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217391/; classtype:trojan-activity;sid:81080491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files/upd365_58v01.exe"; http_uri; depth:23; isdataat:!1,relative; content:"get-office365.live"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217390/; classtype:trojan-activity;sid:81080490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rih/rch.exe"; http_uri; depth:12; isdataat:!1,relative; content:"onholyland.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217389/; classtype:trojan-activity;sid:81080489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ringsbelly/fues/kb/louis.exe"; http_uri; depth:29; isdataat:!1,relative; content:"103.70.137.115"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217388/; classtype:trojan-activity;sid:81080488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qwerty22.exe"; http_uri; depth:13; isdataat:!1,relative; content:"23.249.164.162"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217387/; classtype:trojan-activity;sid:81080487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/flash_mobile.php"; http_uri; depth:17; isdataat:!1,relative; content:"discoprodije.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217386/; classtype:trojan-activity;sid:81080486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mysqlconnect.php"; http_uri; depth:17; isdataat:!1,relative; content:"callme4.in"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217385/; classtype:trojan-activity;sid:81080485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/following/latest.pptx"; http_uri; depth:22; isdataat:!1,relative; content:"hunterchesley.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217384/; classtype:trojan-activity;sid:81080484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/:u:/g/personal/jbbourgeois_lasauvegardedunord_fr/edubjv7fmafkhmyo3fxbx58bcpworvhoxtkzxf9vt_za1qdownload=1"; http_uri; depth:106; isdataat:!1,relative; content:"lasauvegardedunord-my.sharepoint.com"; http_host; depth:36; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217383/; classtype:trojan-activity;sid:81080483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jeff1/xx.exe"; http_uri; depth:13; isdataat:!1,relative; content:"jessecom.top"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217382/; classtype:trojan-activity;sid:81080482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/products/highlight.pptx"; http_uri; depth:24; isdataat:!1,relative; content:"successtosignificancecoaching.com"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217381/; classtype:trojan-activity;sid:81080481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/:u:/g/personal/glenda_hall_otagohospice_co_nz/eqemcjs1jmtmpjrv1lopbycbaw3fj51zatoqkxnzskrvqgdownload=1"; http_uri; depth:103; isdataat:!1,relative; content:"otagohospice-my.sharepoint.com"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217380/; classtype:trojan-activity;sid:81080480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/userfiles/13/classes/2473/8thpssyllabus.doc"; http_uri; depth:44; isdataat:!1,relative; content:"www.polk.k12.ga.us"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217379/; classtype:trojan-activity;sid:81080479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hoho.m68k"; http_uri; depth:10; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217378/; classtype:trojan-activity;sid:81080478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nhc.exe"; http_uri; depth:8; isdataat:!1,relative; content:"hlgfco.xyz"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217377/; classtype:trojan-activity;sid:81080477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ono1_bfgdx.exe"; http_uri; depth:15; isdataat:!1,relative; content:"charest-orthophonie.ca"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217376/; classtype:trojan-activity;sid:81080476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"104.248.94.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217375/; classtype:trojan-activity;sid:81080475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"104.248.94.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217374/; classtype:trojan-activity;sid:81080474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.spc"; http_uri; depth:16; isdataat:!1,relative; content:"104.248.94.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217373/; classtype:trojan-activity;sid:81080473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"104.248.94.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217370/; classtype:trojan-activity;sid:81080470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"104.248.94.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217371/; classtype:trojan-activity;sid:81080471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mips"; http_uri; depth:17; isdataat:!1,relative; content:"104.248.94.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217372/; classtype:trojan-activity;sid:81080472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm"; http_uri; depth:16; isdataat:!1,relative; content:"104.248.94.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217367/; classtype:trojan-activity;sid:81080467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"104.248.94.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217368/; classtype:trojan-activity;sid:81080468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"104.248.94.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217369/; classtype:trojan-activity;sid:81080469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"104.248.94.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217366/; classtype:trojan-activity;sid:81080466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hoho.arm7"; http_uri; depth:10; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217364/; classtype:trojan-activity;sid:81080464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hoho.mpsl"; http_uri; depth:10; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217365/; classtype:trojan-activity;sid:81080465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hoho.arm"; http_uri; depth:9; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217361/; classtype:trojan-activity;sid:81080461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hoho.arm5"; http_uri; depth:10; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217362/; classtype:trojan-activity;sid:81080462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hoho.arm6"; http_uri; depth:10; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217363/; classtype:trojan-activity;sid:81080463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hoho.mips"; http_uri; depth:10; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217360/; classtype:trojan-activity;sid:81080460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"165.22.18.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217359/; classtype:trojan-activity;sid:81080459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"165.22.18.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217358/; classtype:trojan-activity;sid:81080458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"165.22.18.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217355/; classtype:trojan-activity;sid:81080455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mips"; http_uri; depth:17; isdataat:!1,relative; content:"165.22.18.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217356/; classtype:trojan-activity;sid:81080456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"165.22.18.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217357/; classtype:trojan-activity;sid:81080457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"165.22.18.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217352/; classtype:trojan-activity;sid:81080452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"165.22.18.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217353/; classtype:trojan-activity;sid:81080453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"165.22.18.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217354/; classtype:trojan-activity;sid:81080454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm"; http_uri; depth:16; isdataat:!1,relative; content:"165.22.18.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217351/; classtype:trojan-activity;sid:81080451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.spc"; http_uri; depth:16; isdataat:!1,relative; content:"165.22.18.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217350/; classtype:trojan-activity;sid:81080450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bartn/vbc.exe"; http_uri; depth:14; isdataat:!1,relative; content:"zerodayv3startedexploitpcwithexcelgreat.duckdns.org"; http_host; depth:51; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217349/; classtype:trojan-activity;sid:81080449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bartn/major.exe"; http_uri; depth:16; isdataat:!1,relative; content:"zerodayv3startedexploitpcwithexcelgreat.duckdns.org"; http_host; depth:51; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217347/; classtype:trojan-activity;sid:81080447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/erator.php"; http_uri; depth:11; isdataat:!1,relative; content:"domeara.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217346/; classtype:trojan-activity;sid:81080446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dna_excel.php"; http_uri; depth:14; isdataat:!1,relative; content:"dnaofexcellence.org"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217345/; classtype:trojan-activity;sid:81080445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cooper_promo.php"; http_uri; depth:17; isdataat:!1,relative; content:"dmcooper.net"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217344/; classtype:trojan-activity;sid:81080444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/backup291018_9ade43bb.php"; http_uri; depth:26; isdataat:!1,relative; content:"cadvintech.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217343/; classtype:trojan-activity;sid:81080443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mailsender.php"; http_uri; depth:15; isdataat:!1,relative; content:"cadeepak.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217342/; classtype:trojan-activity;sid:81080442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/77/8741161"; http_uri; depth:11; isdataat:!1,relative; content:"5.56.133.137"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217341/; classtype:trojan-activity;sid:81080441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/backup_test.php"; http_uri; depth:16; isdataat:!1,relative; content:"carbcoaches.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217340/; classtype:trojan-activity;sid:81080440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyfifteen/darl.exe"; http_uri; depth:41; isdataat:!1,relative; content:"mansadevi.org.in"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217339/; classtype:trojan-activity;sid:81080439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/page/upload/team/ka.exe"; http_uri; depth:30; isdataat:!1,relative; content:"humapower.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217338/; classtype:trojan-activity;sid:81080438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hoho.sh4"; http_uri; depth:9; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217336/; classtype:trojan-activity;sid:81080436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/backup_downloader.php"; http_uri; depth:22; isdataat:!1,relative; content:"dagindia.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217335/; classtype:trojan-activity;sid:81080435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2098380/attachments/quo00289.zip"; http_uri; depth:33; isdataat:!1,relative; content:"img.mailinblue.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217334/; classtype:trojan-activity;sid:81080434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wordpress/verif.myacc.resourses.net/"; http_uri; depth:37; isdataat:!1,relative; content:"104.199.129.177"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217333/; classtype:trojan-activity;sid:81080433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/flash_optimizer.php"; http_uri; depth:20; isdataat:!1,relative; content:"digitalzapping.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217332/; classtype:trojan-activity;sid:81080432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2098380/attachments/048940030.zip"; http_uri; depth:34; isdataat:!1,relative; content:"img.mailinblue.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217331/; classtype:trojan-activity;sid:81080431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ceo/all.exe"; http_uri; depth:12; isdataat:!1,relative; content:"zerodayv3startedexploitpcwithexcelgreat.duckdns.org"; http_host; depth:51; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217330/; classtype:trojan-activity;sid:81080430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ceo/jack.exe"; http_uri; depth:13; isdataat:!1,relative; content:"zerodayv3startedexploitpcwithexcelgreat.duckdns.org"; http_host; depth:51; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217329/; classtype:trojan-activity;sid:81080429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ceo/blk.exe"; http_uri; depth:12; isdataat:!1,relative; content:"zerodayv3startedexploitpcwithexcelgreat.duckdns.org"; http_host; depth:51; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217327/; classtype:trojan-activity;sid:81080427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/light/dj.exe"; http_uri; depth:13; isdataat:!1,relative; content:"bosniakov.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217326/; classtype:trojan-activity;sid:81080426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217325/; classtype:trojan-activity;sid:81080425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217324/; classtype:trojan-activity;sid:81080424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xt.exe"; http_uri; depth:7; isdataat:!1,relative; content:"audreywilson261.5gbfree.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217323/; classtype:trojan-activity;sid:81080423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/[cpu]"; http_uri; depth:6; isdataat:!1,relative; content:"54.39.167.102"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217322/; classtype:trojan-activity;sid:81080422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.spc"; http_uri; depth:16; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217321/; classtype:trojan-activity;sid:81080421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217320/; classtype:trojan-activity;sid:81080420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217319/; classtype:trojan-activity;sid:81080419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.mips"; http_uri; depth:17; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217318/; classtype:trojan-activity;sid:81080418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217317/; classtype:trojan-activity;sid:81080417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217316/; classtype:trojan-activity;sid:81080416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217315/; classtype:trojan-activity;sid:81080415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm"; http_uri; depth:16; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217314/; classtype:trojan-activity;sid:81080414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.x86"; http_uri; depth:16; isdataat:!1,relative; content:"222.119.56.98"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217313/; classtype:trojan-activity;sid:81080413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217311/; classtype:trojan-activity;sid:81080411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217312/; classtype:trojan-activity;sid:81080412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217309/; classtype:trojan-activity;sid:81080409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.spc"; http_uri; depth:16; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217310/; classtype:trojan-activity;sid:81080410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217306/; classtype:trojan-activity;sid:81080406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217307/; classtype:trojan-activity;sid:81080407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mips"; http_uri; depth:17; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217308/; classtype:trojan-activity;sid:81080408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm"; http_uri; depth:16; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217303/; classtype:trojan-activity;sid:81080403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217304/; classtype:trojan-activity;sid:81080404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217305/; classtype:trojan-activity;sid:81080405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.mips"; http_uri; depth:16; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217301/; classtype:trojan-activity;sid:81080401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.mpsl"; http_uri; depth:16; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217302/; classtype:trojan-activity;sid:81080402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.arm7"; http_uri; depth:16; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217299/; classtype:trojan-activity;sid:81080399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.i686"; http_uri; depth:16; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217300/; classtype:trojan-activity;sid:81080400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.arm5"; http_uri; depth:16; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217297/; classtype:trojan-activity;sid:81080397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.arm6"; http_uri; depth:16; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217298/; classtype:trojan-activity;sid:81080398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.x86"; http_uri; depth:16; isdataat:!1,relative; content:"178.128.204.33"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217295/; classtype:trojan-activity;sid:81080395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vb/amakano.arm"; http_uri; depth:15; isdataat:!1,relative; content:"192.236.162.197"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217296/; classtype:trojan-activity;sid:81080396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.spc"; http_uri; depth:29; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217294/; classtype:trojan-activity;sid:81080394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linux4.7"; http_uri; depth:9; isdataat:!1,relative; content:"103.255.177.206"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217293/; classtype:trojan-activity;sid:81080393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linux2.6"; http_uri; depth:9; isdataat:!1,relative; content:"103.255.177.206"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217292/; classtype:trojan-activity;sid:81080392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arm6linuxtf"; http_uri; depth:12; isdataat:!1,relative; content:"103.255.177.206"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217291/; classtype:trojan-activity;sid:81080391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arm4linuxtf"; http_uri; depth:12; isdataat:!1,relative; content:"103.255.177.206"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217290/; classtype:trojan-activity;sid:81080390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linuxtf"; http_uri; depth:8; isdataat:!1,relative; content:"103.255.177.206"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217289/; classtype:trojan-activity;sid:81080389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.sh4"; http_uri; depth:18; isdataat:!1,relative; content:"46.29.163.240"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217288/; classtype:trojan-activity;sid:81080388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.ppc"; http_uri; depth:18; isdataat:!1,relative; content:"46.29.163.240"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217287/; classtype:trojan-activity;sid:81080387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.spc"; http_uri; depth:18; isdataat:!1,relative; content:"46.29.163.240"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217286/; classtype:trojan-activity;sid:81080386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.mips"; http_uri; depth:19; isdataat:!1,relative; content:"46.29.163.240"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217284/; classtype:trojan-activity;sid:81080384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.mpsl"; http_uri; depth:19; isdataat:!1,relative; content:"46.29.163.240"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217285/; classtype:trojan-activity;sid:81080385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm7"; http_uri; depth:19; isdataat:!1,relative; content:"46.29.163.240"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217283/; classtype:trojan-activity;sid:81080383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm5"; http_uri; depth:19; isdataat:!1,relative; content:"46.29.163.240"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217281/; classtype:trojan-activity;sid:81080381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm6"; http_uri; depth:19; isdataat:!1,relative; content:"46.29.163.240"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217282/; classtype:trojan-activity;sid:81080382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm"; http_uri; depth:18; isdataat:!1,relative; content:"46.29.163.240"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217280/; classtype:trojan-activity;sid:81080380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.x86"; http_uri; depth:18; isdataat:!1,relative; content:"46.29.163.240"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217279/; classtype:trojan-activity;sid:81080379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.ppc"; http_uri; depth:21; isdataat:!1,relative; content:"198.211.113.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217277/; classtype:trojan-activity;sid:81080377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.sh4"; http_uri; depth:21; isdataat:!1,relative; content:"198.211.113.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217278/; classtype:trojan-activity;sid:81080378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.spc"; http_uri; depth:21; isdataat:!1,relative; content:"198.211.113.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217276/; classtype:trojan-activity;sid:81080376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mpsl"; http_uri; depth:22; isdataat:!1,relative; content:"198.211.113.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217275/; classtype:trojan-activity;sid:81080375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mips"; http_uri; depth:22; isdataat:!1,relative; content:"198.211.113.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217274/; classtype:trojan-activity;sid:81080374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm7"; http_uri; depth:22; isdataat:!1,relative; content:"198.211.113.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217273/; classtype:trojan-activity;sid:81080373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm6"; http_uri; depth:22; isdataat:!1,relative; content:"198.211.113.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217272/; classtype:trojan-activity;sid:81080372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm5"; http_uri; depth:22; isdataat:!1,relative; content:"198.211.113.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217271/; classtype:trojan-activity;sid:81080371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm"; http_uri; depth:21; isdataat:!1,relative; content:"198.211.113.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217270/; classtype:trojan-activity;sid:81080370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.x86"; http_uri; depth:21; isdataat:!1,relative; content:"198.211.113.21"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217269/; classtype:trojan-activity;sid:81080369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.ppc"; http_uri; depth:29; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217267/; classtype:trojan-activity;sid:81080367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.sh4"; http_uri; depth:29; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217268/; classtype:trojan-activity;sid:81080368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.m68k"; http_uri; depth:30; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217264/; classtype:trojan-activity;sid:81080364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.mips"; http_uri; depth:30; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217265/; classtype:trojan-activity;sid:81080365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.mpsl"; http_uri; depth:30; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217266/; classtype:trojan-activity;sid:81080366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.arm5"; http_uri; depth:30; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217261/; classtype:trojan-activity;sid:81080361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.arm6"; http_uri; depth:30; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217262/; classtype:trojan-activity;sid:81080362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.arm7"; http_uri; depth:30; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217263/; classtype:trojan-activity;sid:81080363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.arm"; http_uri; depth:29; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217260/; classtype:trojan-activity;sid:81080360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.x86"; http_uri; depth:29; isdataat:!1,relative; content:"212.83.183.79"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217259/; classtype:trojan-activity;sid:81080359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arinzo/arinzo.exe"; http_uri; depth:18; isdataat:!1,relative; content:"jessecom.top"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217258/; classtype:trojan-activity;sid:81080358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/language/ns1.exe"; http_uri; depth:17; isdataat:!1,relative; content:"ivglavsnab.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217256/; classtype:trojan-activity;sid:81080356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.arm5"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217254/; classtype:trojan-activity;sid:81080354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.i586"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217253/; classtype:trojan-activity;sid:81080353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.m68k"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217252/; classtype:trojan-activity;sid:81080352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.arm4"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217251/; classtype:trojan-activity;sid:81080351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.ppc"; http_uri; depth:11; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217250/; classtype:trojan-activity;sid:81080350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.arm7"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217249/; classtype:trojan-activity;sid:81080349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.sparc"; http_uri; depth:13; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217248/; classtype:trojan-activity;sid:81080348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217247/; classtype:trojan-activity;sid:81080347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.i686"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217246/; classtype:trojan-activity;sid:81080346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.mpsl"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217245/; classtype:trojan-activity;sid:81080345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.x86"; http_uri; depth:11; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217243/; classtype:trojan-activity;sid:81080343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.mips"; http_uri; depth:12; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217242/; classtype:trojan-activity;sid:81080342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bobbye/bobbye.exe"; http_uri; depth:18; isdataat:!1,relative; content:"jessecom.top"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217241/; classtype:trojan-activity;sid:81080341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/page/upload/team/se.exe"; http_uri; depth:30; isdataat:!1,relative; content:"humapower.org"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217240/; classtype:trojan-activity;sid:81080340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/includes/bbrs.exe"; http_uri; depth:18; isdataat:!1,relative; content:"ivglavsnab.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217239/; classtype:trojan-activity;sid:81080339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/language/server.exe"; http_uri; depth:20; isdataat:!1,relative; content:"ivglavsnab.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217237/; classtype:trojan-activity;sid:81080337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/template/v4.exe"; http_uri; depth:16; isdataat:!1,relative; content:"ivglavsnab.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217238/; classtype:trojan-activity;sid:81080338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/language/exploit/14v7.exe"; http_uri; depth:26; isdataat:!1,relative; content:"ivglavsnab.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217236/; classtype:trojan-activity;sid:81080336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/language/1.exe"; http_uri; depth:15; isdataat:!1,relative; content:"ivglavsnab.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217234/; classtype:trojan-activity;sid:81080334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/language/zipserve.exe"; http_uri; depth:22; isdataat:!1,relative; content:"ivglavsnab.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217233/; classtype:trojan-activity;sid:81080333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linuxczv/06/halawxtzdx.gif.zip.log"; http_uri; depth:35; isdataat:!1,relative; content:"storage.googleapis.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217232/; classtype:trojan-activity;sid:81080332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linuxczv/06/halawxtzdwwn.gif.zip.log"; http_uri; depth:37; isdataat:!1,relative; content:"storage.googleapis.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217231/; classtype:trojan-activity;sid:81080331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linuxczv/06/halawxtzc.jpg.zip.log"; http_uri; depth:34; isdataat:!1,relative; content:"storage.googleapis.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217230/; classtype:trojan-activity;sid:81080330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linuxczv/06/halawxtza.jpg.zip.log"; http_uri; depth:34; isdataat:!1,relative; content:"storage.googleapis.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217228/; classtype:trojan-activity;sid:81080328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linuxczv/06/halawxtzb.jpg.zip.log"; http_uri; depth:34; isdataat:!1,relative; content:"storage.googleapis.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217229/; classtype:trojan-activity;sid:81080329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gcmaia/sharing/master/.idea/libraries/x/06/v.xsl"; http_uri; depth:49; isdataat:!1,relative; content:"raw.githubusercontent.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217226/; classtype:trojan-activity;sid:81080326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gcmaia/sharing/master/.idea/libraries/x/06/vv.xsl"; http_uri; depth:50; isdataat:!1,relative; content:"raw.githubusercontent.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217227/; classtype:trojan-activity;sid:81080327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gcmaia/sharing/master/.idea/libraries/x/06/v.xsl"; http_uri; depth:49; isdataat:!1,relative; content:"raw.githubusercontent.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217225/; classtype:trojan-activity;sid:81080325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nm/019n.exe"; http_uri; depth:12; isdataat:!1,relative; content:"hvlfitnesschallenge.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217224/; classtype:trojan-activity;sid:81080324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/tds%20challan.zip"; http_uri; depth:36; isdataat:!1,relative; content:"www.maisonmanor.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217223/; classtype:trojan-activity;sid:81080323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentysixteen/js/tax%20payment%20challan.zip"; http_uri; depth:63; isdataat:!1,relative; content:"www.rvfitness.in"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217222/; classtype:trojan-activity;sid:81080322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/image/tax%20payment.zip"; http_uri; depth:24; isdataat:!1,relative; content:"eternalengineers.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217220/; classtype:trojan-activity;sid:81080320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rci/rch.exe"; http_uri; depth:12; isdataat:!1,relative; content:"project-details.website"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217219/; classtype:trojan-activity;sid:81080319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cpt.exe"; http_uri; depth:8; isdataat:!1,relative; content:"weirdoosmosis.co.za"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217218/; classtype:trojan-activity;sid:81080318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vbc.exe"; http_uri; depth:8; isdataat:!1,relative; content:"54.149.127.181"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217217/; classtype:trojan-activity;sid:81080317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js/_temp/jo.exe"; http_uri; depth:16; isdataat:!1,relative; content:"oramos.com.ar"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217216/; classtype:trojan-activity;sid:81080316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark10.ks"; http_uri; depth:25; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217214/; classtype:trojan-activity;sid:81080314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark11.ks"; http_uri; depth:25; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217215/; classtype:trojan-activity;sid:81080315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark6.ks"; http_uri; depth:24; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217210/; classtype:trojan-activity;sid:81080310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark7.ks"; http_uri; depth:24; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217211/; classtype:trojan-activity;sid:81080311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark8.ks"; http_uri; depth:24; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217212/; classtype:trojan-activity;sid:81080312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark9.ks"; http_uri; depth:24; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217213/; classtype:trojan-activity;sid:81080313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark4.ks"; http_uri; depth:24; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217208/; classtype:trojan-activity;sid:81080308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark5.ks"; http_uri; depth:24; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217209/; classtype:trojan-activity;sid:81080309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark2.ks"; http_uri; depth:24; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217206/; classtype:trojan-activity;sid:81080306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark3.ks"; http_uri; depth:24; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217207/; classtype:trojan-activity;sid:81080307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=geark1.ks"; http_uri; depth:24; isdataat:!1,relative; content:"neoeyruss.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217205/; classtype:trojan-activity;sid:81080305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wrkn157.exe"; http_uri; depth:12; isdataat:!1,relative; content:"185.225.17.175"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217204/; classtype:trojan-activity;sid:81080304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217203/; classtype:trojan-activity;sid:81080303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217201/; classtype:trojan-activity;sid:81080301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217202/; classtype:trojan-activity;sid:81080302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"5.135.230.131"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217199/; classtype:trojan-activity;sid:81080299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217200/; classtype:trojan-activity;sid:81080300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"5.135.230.131"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217198/; classtype:trojan-activity;sid:81080298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.mips"; http_uri; depth:11; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217197/; classtype:trojan-activity;sid:81080297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217196/; classtype:trojan-activity;sid:81080296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"5.135.230.131"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217194/; classtype:trojan-activity;sid:81080294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217195/; classtype:trojan-activity;sid:81080295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217193/; classtype:trojan-activity;sid:81080293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"5.135.230.131"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217191/; classtype:trojan-activity;sid:81080291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217192/; classtype:trojan-activity;sid:81080292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.i586"; http_uri; depth:11; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217190/; classtype:trojan-activity;sid:81080290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.x86"; http_uri; depth:10; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217189/; classtype:trojan-activity;sid:81080289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217188/; classtype:trojan-activity;sid:81080288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eagle.i686"; http_uri; depth:11; isdataat:!1,relative; content:"51.254.145.97"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217187/; classtype:trojan-activity;sid:81080287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/selly/mam.msi"; http_uri; depth:14; isdataat:!1,relative; content:"sellyp.duckdns.org"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217186/; classtype:trojan-activity;sid:81080286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/js/_temp/jo.exe"; http_uri; depth:16; isdataat:!1,relative; content:"www.oramos.com.ar"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217185/; classtype:trojan-activity;sid:81080285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/abc.exe"; http_uri; depth:8; isdataat:!1,relative; content:"ivglavsnab.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217184/; classtype:trojan-activity;sid:81080284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/css/grid/combo.exe"; http_uri; depth:30; isdataat:!1,relative; content:"www.huliot.in"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217183/; classtype:trojan-activity;sid:81080283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/la/total.exe"; http_uri; depth:13; isdataat:!1,relative; content:"maklryanb.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217182/; classtype:trojan-activity;sid:81080282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/signal/$wz$level.exe"; http_uri; depth:21; isdataat:!1,relative; content:"tradeservices.icu"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217181/; classtype:trojan-activity;sid:81080281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pdf.exe"; http_uri; depth:8; isdataat:!1,relative; content:"www.vg-tour.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217180/; classtype:trojan-activity;sid:81080280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"//wp-content/css/grid/combo.exe"; http_uri; depth:31; isdataat:!1,relative; content:"www.huliot.in"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217179/; classtype:trojan-activity;sid:81080279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"165.22.68.44"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_16; reference:url, urlhaus.abuse.ch/url/217178/; classtype:trojan-activity;sid:81080278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pic/agip.exe"; http_uri; depth:13; isdataat:!1,relative; content:"to18.ir"; http_host; depth:7; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217177/; classtype:trojan-activity;sid:81080277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/po-invoice.doc"; http_uri; depth:15; isdataat:!1,relative; content:"wannemaker8.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217176/; classtype:trojan-activity;sid:81080276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ads/adshow2.dat"; http_uri; depth:16; isdataat:!1,relative; content:"technokain.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217174/; classtype:trojan-activity;sid:81080274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/download/tv_5.0.9104.exe"; http_uri; depth:25; isdataat:!1,relative; content:"www.aliosoft.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217173/; classtype:trojan-activity;sid:81080273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/download/tv_5.0.9104.exe"; http_uri; depth:25; isdataat:!1,relative; content:"aliosoft.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217172/; classtype:trojan-activity;sid:81080272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ol.exe"; http_uri; depth:7; isdataat:!1,relative; content:"www.hlgfco.xyz"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217171/; classtype:trojan-activity;sid:81080271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nhc.exe"; http_uri; depth:8; isdataat:!1,relative; content:"www.hlgfco.xyz"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217170/; classtype:trojan-activity;sid:81080270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ads/adshow1.dat"; http_uri; depth:16; isdataat:!1,relative; content:"technokain.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217169/; classtype:trojan-activity;sid:81080269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tro/1415182819.exe"; http_uri; depth:19; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217167/; classtype:trojan-activity;sid:81080267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tro/472336209.exe"; http_uri; depth:18; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217168/; classtype:trojan-activity;sid:81080268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mondayinvoice.doc"; http_uri; depth:18; isdataat:!1,relative; content:"globusholidays.in"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217166/; classtype:trojan-activity;sid:81080266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tro/28053421.exe"; http_uri; depth:17; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217165/; classtype:trojan-activity;sid:81080265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tro/1542783102.exe"; http_uri; depth:19; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217164/; classtype:trojan-activity;sid:81080264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2069787.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217161/; classtype:trojan-activity;sid:81080261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2071519.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217162/; classtype:trojan-activity;sid:81080262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2095639.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217163/; classtype:trojan-activity;sid:81080263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2048196.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217159/; classtype:trojan-activity;sid:81080259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2067522.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217160/; classtype:trojan-activity;sid:81080260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2042558.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217157/; classtype:trojan-activity;sid:81080257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2047282.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217158/; classtype:trojan-activity;sid:81080258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2039355.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217155/; classtype:trojan-activity;sid:81080255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2042334.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217156/; classtype:trojan-activity;sid:81080256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2026259.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217153/; classtype:trojan-activity;sid:81080253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%202626.doc"; http_uri; depth:23; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217154/; classtype:trojan-activity;sid:81080254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc.doc"; http_uri; depth:8; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217151/; classtype:trojan-activity;sid:81080251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/reserva%2017455.doc"; http_uri; depth:24; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217152/; classtype:trojan-activity;sid:81080252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc.php"; http_uri; depth:8; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217150/; classtype:trojan-activity;sid:81080250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ip.txt"; http_uri; depth:7; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217149/; classtype:trojan-activity;sid:81080249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ip1.txt"; http_uri; depth:8; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217148/; classtype:trojan-activity;sid:81080248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tro.php"; http_uri; depth:8; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217147/; classtype:trojan-activity;sid:81080247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tro.exe"; http_uri; depth:8; isdataat:!1,relative; content:"floresbelasflores.online"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217146/; classtype:trojan-activity;sid:81080246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/software2.exe"; http_uri; depth:14; isdataat:!1,relative; content:"104.244.76.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217145/; classtype:trojan-activity;sid:81080245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/66/1604970.hta"; http_uri; depth:15; isdataat:!1,relative; content:"5.56.133.137"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217144/; classtype:trojan-activity;sid:81080244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/doc/1.exe"; http_uri; depth:10; isdataat:!1,relative; content:"greenfood.sa.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217143/; classtype:trojan-activity;sid:81080243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pdf.exe"; http_uri; depth:8; isdataat:!1,relative; content:"kwanfromhongkong.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217141/; classtype:trojan-activity;sid:81080241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1/btvbflat2cmajorbatchkeyx.exe"; http_uri; depth:31; isdataat:!1,relative; content:"orders.e-transaction.website"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217142/; classtype:trojan-activity;sid:81080242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pdf.exe"; http_uri; depth:8; isdataat:!1,relative; content:"www.kwanfromhongkong.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217140/; classtype:trojan-activity;sid:81080240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pdf.exe"; http_uri; depth:8; isdataat:!1,relative; content:"vg-tour.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217139/; classtype:trojan-activity;sid:81080239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pdf.7z"; http_uri; depth:7; isdataat:!1,relative; content:"www.pandjihidjratmoko.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217138/; classtype:trojan-activity;sid:81080238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pdf.7z"; http_uri; depth:7; isdataat:!1,relative; content:"pandjihidjratmoko.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217137/; classtype:trojan-activity;sid:81080237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/includes/languages/got.exe"; http_uri; depth:27; isdataat:!1,relative; content:"diamondeyeperformance.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217136/; classtype:trojan-activity;sid:81080236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/kav/keinn.png"; http_uri; depth:25; isdataat:!1,relative; content:"nanodivulga.ufn.edu.br"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217135/; classtype:trojan-activity;sid:81080235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/invoice-2033456.doc"; http_uri; depth:20; isdataat:!1,relative; content:"konafgorylatech.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217134/; classtype:trojan-activity;sid:81080234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/telecharger/drop.exe"; http_uri; depth:21; isdataat:!1,relative; content:"vousinvest.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217132/; classtype:trojan-activity;sid:81080232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/logszabfguekj.exe"; http_uri; depth:18; isdataat:!1,relative; content:"216.170.114.196"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217131/; classtype:trojan-activity;sid:81080231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mn/1.exe"; http_uri; depth:9; isdataat:!1,relative; content:"lehmanlaw.mn"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217129/; classtype:trojan-activity;sid:81080229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/includes/local/po401836190.exe"; http_uri; depth:31; isdataat:!1,relative; content:"diamondeyeperformance.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217127/; classtype:trojan-activity;sid:81080227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rundll32.exe"; http_uri; depth:13; isdataat:!1,relative; content:"194.67.206.249"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217126/; classtype:trojan-activity;sid:81080226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mvdclip.exe"; http_uri; depth:12; isdataat:!1,relative; content:"194.67.206.249"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217125/; classtype:trojan-activity;sid:81080225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/questionnaire%20de%20compatibilite%20immigration%20canada.doc"; http_uri; depth:62; isdataat:!1,relative; content:"u700222964.hostingerapp.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217124/; classtype:trojan-activity;sid:81080224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/b/kk.png"; http_uri; depth:9; isdataat:!1,relative; content:"bordargroup-com.ga"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217123/; classtype:trojan-activity;sid:81080223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fud/webs.exe"; http_uri; depth:13; isdataat:!1,relative; content:"greenfood.sa.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217122/; classtype:trojan-activity;sid:81080222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/9201.bin"; http_uri; depth:9; isdataat:!1,relative; content:"billingsupport.ru"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217120/; classtype:trojan-activity;sid:81080220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/photocopie.exe"; http_uri; depth:15; isdataat:!1,relative; content:"u700222964.hostingerapp.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217119/; classtype:trojan-activity;sid:81080219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217118/; classtype:trojan-activity;sid:81080218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217117/; classtype:trojan-activity;sid:81080217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.sh4"; http_uri; depth:19; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217116/; classtype:trojan-activity;sid:81080216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/setup/chromesetup.exe"; http_uri; depth:22; isdataat:!1,relative; content:"cklinosleeve.icu"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217115/; classtype:trojan-activity;sid:81080215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/roqav76/media/css/remittance%20for%20eft%20150819.jar"; http_uri; depth:65; isdataat:!1,relative; content:"sportsite2001.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217114/; classtype:trojan-activity;sid:81080214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/remittance_advice.jar"; http_uri; depth:58; isdataat:!1,relative; content:"mayhutthoilieu.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217113/; classtype:trojan-activity;sid:81080213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wordpress/wp-content/plugins/ubh/remittance_advice.jar"; http_uri; depth:55; isdataat:!1,relative; content:"encogo.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217112/; classtype:trojan-activity;sid:81080212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/remittance_advice.jar"; http_uri; depth:58; isdataat:!1,relative; content:"hbjcmsa.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217111/; classtype:trojan-activity;sid:81080211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/beez/html/com_contact/remittance_advice.jar"; http_uri; depth:54; isdataat:!1,relative; content:"emirbilardo.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217110/; classtype:trojan-activity;sid:81080210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/phyno1507.exe"; http_uri; depth:14; isdataat:!1,relative; content:"5.56.133.130"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217109/; classtype:trojan-activity;sid:81080209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cig/okk/ok.exe"; http_uri; depth:15; isdataat:!1,relative; content:"tfvn.com.vn"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217108/; classtype:trojan-activity;sid:81080208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/blog_img/printnito.exe"; http_uri; depth:23; isdataat:!1,relative; content:"www.rissin.jp"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217107/; classtype:trojan-activity;sid:81080207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bw1507.exe"; http_uri; depth:11; isdataat:!1,relative; content:"5.56.133.130"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217106/; classtype:trojan-activity;sid:81080206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/awoo.sh"; http_uri; depth:8; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217105/; classtype:trojan-activity;sid:81080205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.x86"; http_uri; depth:19; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217104/; classtype:trojan-activity;sid:81080204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.ppc"; http_uri; depth:19; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217103/; classtype:trojan-activity;sid:81080203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.spc"; http_uri; depth:19; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217102/; classtype:trojan-activity;sid:81080202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.mpsl"; http_uri; depth:20; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217101/; classtype:trojan-activity;sid:81080201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.mips"; http_uri; depth:20; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217100/; classtype:trojan-activity;sid:81080200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.m68k"; http_uri; depth:20; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217099/; classtype:trojan-activity;sid:81080199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.arm7"; http_uri; depth:20; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217098/; classtype:trojan-activity;sid:81080198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.arm6"; http_uri; depth:20; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217097/; classtype:trojan-activity;sid:81080197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.arm5"; http_uri; depth:20; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217096/; classtype:trojan-activity;sid:81080196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nope/daddyscum.arm"; http_uri; depth:19; isdataat:!1,relative; content:"142.11.213.50"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217095/; classtype:trojan-activity;sid:81080195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wzodnehzs"; http_uri; depth:10; isdataat:!1,relative; content:"42.159.113.74"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217094/; classtype:trojan-activity;sid:81080194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wzodnehzr"; http_uri; depth:10; isdataat:!1,relative; content:"42.159.113.74"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217093/; classtype:trojan-activity;sid:81080193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wzodnehz"; http_uri; depth:9; isdataat:!1,relative; content:"42.159.113.74"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217092/; classtype:trojan-activity;sid:81080192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bin.exe"; http_uri; depth:8; isdataat:!1,relative; content:"37.44.215.132"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217091/; classtype:trojan-activity;sid:81080191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.x86"; http_uri; depth:16; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217090/; classtype:trojan-activity;sid:81080190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217089/; classtype:trojan-activity;sid:81080189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.spc"; http_uri; depth:16; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217088/; classtype:trojan-activity;sid:81080188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.mips"; http_uri; depth:17; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217087/; classtype:trojan-activity;sid:81080187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217086/; classtype:trojan-activity;sid:81080186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217085/; classtype:trojan-activity;sid:81080185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217084/; classtype:trojan-activity;sid:81080184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm"; http_uri; depth:16; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217083/; classtype:trojan-activity;sid:81080183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"157.230.161.187"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217082/; classtype:trojan-activity;sid:81080182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"104.168.169.153"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217081/; classtype:trojan-activity;sid:81080181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217080/; classtype:trojan-activity;sid:81080180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217079/; classtype:trojan-activity;sid:81080179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"67.207.86.120"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217078/; classtype:trojan-activity;sid:81080178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"67.205.175.11"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217077/; classtype:trojan-activity;sid:81080177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"104.168.169.153"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217076/; classtype:trojan-activity;sid:81080176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"67.205.175.11"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217075/; classtype:trojan-activity;sid:81080175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"104.168.169.153"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217074/; classtype:trojan-activity;sid:81080174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217073/; classtype:trojan-activity;sid:81080173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"67.205.175.11"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217072/; classtype:trojan-activity;sid:81080172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.m68k"; http_uri; depth:15; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217071/; classtype:trojan-activity;sid:81080171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"104.168.169.153"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217070/; classtype:trojan-activity;sid:81080170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.i586"; http_uri; depth:15; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217069/; classtype:trojan-activity;sid:81080169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hgjtpfjgt=1"; http_uri; depth:12; isdataat:!1,relative; content:"bespokeplate.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217068/; classtype:trojan-activity;sid:81080168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1tbhu303oxqlworrshnb0wfaescmnsyib/view"; http_uri; depth:46; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217067/; classtype:trojan-activity;sid:81080167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/15-bgomo9ng-0vqwiyn_esvjy8zl8e1uq/view"; http_uri; depth:46; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217066/; classtype:trojan-activity;sid:81080166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1ks3ly9ltmhd_tspep3kienrpb75xllii/view"; http_uri; depth:46; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217065/; classtype:trojan-activity;sid:81080165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/file/d/1ottivgilwsmkcysaa9rsrukuvqgoroud/viewusp=sharing/"; http_uri; depth:58; isdataat:!1,relative; content:"drive.google.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217064/; classtype:trojan-activity;sid:81080164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.x86"; http_uri; depth:14; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217063/; classtype:trojan-activity;sid:81080163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv4l"; http_uri; depth:7; isdataat:!1,relative; content:"104.168.169.153"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217062/; classtype:trojan-activity;sid:81080162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217061/; classtype:trojan-activity;sid:81080161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"104.168.169.153"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217060/; classtype:trojan-activity;sid:81080160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"67.205.175.11"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217059/; classtype:trojan-activity;sid:81080159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"67.207.86.120"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217058/; classtype:trojan-activity;sid:81080158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"67.205.175.11"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217057/; classtype:trojan-activity;sid:81080157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"67.205.175.11"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217056/; classtype:trojan-activity;sid:81080156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"67.205.175.11"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217055/; classtype:trojan-activity;sid:81080155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm4"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.31.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217054/; classtype:trojan-activity;sid:81080154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217053/; classtype:trojan-activity;sid:81080153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"104.168.169.153"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217051/; classtype:trojan-activity;sid:81080151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mips"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.31.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217052/; classtype:trojan-activity;sid:81080152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"67.207.86.120"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217050/; classtype:trojan-activity;sid:81080150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.sparc"; http_uri; depth:16; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217049/; classtype:trojan-activity;sid:81080149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217048/; classtype:trojan-activity;sid:81080148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217047/; classtype:trojan-activity;sid:81080147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217046/; classtype:trojan-activity;sid:81080146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftp"; http_uri; depth:4; isdataat:!1,relative; content:"68.183.88.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217045/; classtype:trojan-activity;sid:81080145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"68.183.88.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217044/; classtype:trojan-activity;sid:81080144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.mips"; http_uri; depth:15; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217043/; classtype:trojan-activity;sid:81080143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"68.183.88.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217042/; classtype:trojan-activity;sid:81080142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.i586"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.31.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217041/; classtype:trojan-activity;sid:81080141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.arm4"; http_uri; depth:15; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217040/; classtype:trojan-activity;sid:81080140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"67.207.86.120"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217039/; classtype:trojan-activity;sid:81080139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.31.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217037/; classtype:trojan-activity;sid:81080137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x86"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.31.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217038/; classtype:trojan-activity;sid:81080138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217035/; classtype:trojan-activity;sid:81080135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.x86"; http_uri; depth:16; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217036/; classtype:trojan-activity;sid:81080136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217034/; classtype:trojan-activity;sid:81080134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217032/; classtype:trojan-activity;sid:81080132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.spc"; http_uri; depth:16; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217033/; classtype:trojan-activity;sid:81080133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217030/; classtype:trojan-activity;sid:81080130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mips"; http_uri; depth:17; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217031/; classtype:trojan-activity;sid:81080131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217029/; classtype:trojan-activity;sid:81080129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217028/; classtype:trojan-activity;sid:81080128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm"; http_uri; depth:16; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217026/; classtype:trojan-activity;sid:81080126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"45.80.37.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217027/; classtype:trojan-activity;sid:81080127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"67.207.86.120"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217025/; classtype:trojan-activity;sid:81080125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217024/; classtype:trojan-activity;sid:81080124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.arm5"; http_uri; depth:15; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217023/; classtype:trojan-activity;sid:81080123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217022/; classtype:trojan-activity;sid:81080122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217021/; classtype:trojan-activity;sid:81080121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.mpsl"; http_uri; depth:15; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217020/; classtype:trojan-activity;sid:81080120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.i686"; http_uri; depth:15; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217019/; classtype:trojan-activity;sid:81080119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217018/; classtype:trojan-activity;sid:81080118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"104.168.169.153"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217017/; classtype:trojan-activity;sid:81080117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"104.168.169.153"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217016/; classtype:trojan-activity;sid:81080116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217015/; classtype:trojan-activity;sid:81080115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"104.168.169.153"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217014/; classtype:trojan-activity;sid:81080114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/assailant.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"176.32.33.134"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217013/; classtype:trojan-activity;sid:81080113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"165.22.96.111"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217012/; classtype:trojan-activity;sid:81080112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"169.239.128.18"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217011/; classtype:trojan-activity;sid:81080111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ppc"; http_uri; depth:4; isdataat:!1,relative; content:"169.239.128.18"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217010/; classtype:trojan-activity;sid:81080110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"169.239.128.18"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217009/; classtype:trojan-activity;sid:81080109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arm7"; http_uri; depth:5; isdataat:!1,relative; content:"169.239.128.18"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217008/; classtype:trojan-activity;sid:81080108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arm6"; http_uri; depth:5; isdataat:!1,relative; content:"169.239.128.18"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217007/; classtype:trojan-activity;sid:81080107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arm5"; http_uri; depth:5; isdataat:!1,relative; content:"169.239.128.18"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217006/; classtype:trojan-activity;sid:81080106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arm4"; http_uri; depth:5; isdataat:!1,relative; content:"169.239.128.18"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217005/; classtype:trojan-activity;sid:81080105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mpsl"; http_uri; depth:5; isdataat:!1,relative; content:"169.239.128.18"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217004/; classtype:trojan-activity;sid:81080104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"169.239.128.18"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217003/; classtype:trojan-activity;sid:81080103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.31.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217002/; classtype:trojan-activity;sid:81080102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/main/arm7"; http_uri; depth:10; isdataat:!1,relative; content:"89.248.174.198"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217000/; classtype:trojan-activity;sid:81080100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/main/mips"; http_uri; depth:10; isdataat:!1,relative; content:"89.248.174.198"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/217001/; classtype:trojan-activity;sid:81080101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/main/arm"; http_uri; depth:9; isdataat:!1,relative; content:"89.248.174.198"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216999/; classtype:trojan-activity;sid:81080099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/main/x86"; http_uri; depth:9; isdataat:!1,relative; content:"89.248.174.198"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216998/; classtype:trojan-activity;sid:81080098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/accn/kuojin.mips"; http_uri; depth:17; isdataat:!1,relative; content:"93.174.93.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216995/; classtype:trojan-activity;sid:81080095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/accn/kuojin.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"93.174.93.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216996/; classtype:trojan-activity;sid:81080096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/accn/kuojin.x86"; http_uri; depth:16; isdataat:!1,relative; content:"93.174.93.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216997/; classtype:trojan-activity;sid:81080097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/accn/kuojin.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"93.174.93.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216994/; classtype:trojan-activity;sid:81080094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/accn/kuojin.arm"; http_uri; depth:16; isdataat:!1,relative; content:"93.174.93.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216993/; classtype:trojan-activity;sid:81080093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/english.zip"; http_uri; depth:12; isdataat:!1,relative; content:"ikwariabhija.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216992/; classtype:trojan-activity;sid:81080092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/byte%20cred.exe"; http_uri; depth:16; isdataat:!1,relative; content:"febsms.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216990/; classtype:trojan-activity;sid:81080090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/client.jar"; http_uri; depth:11; isdataat:!1,relative; content:"febsms.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216991/; classtype:trojan-activity;sid:81080091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/paylo.exe"; http_uri; depth:10; isdataat:!1,relative; content:"febsms.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216989/; classtype:trojan-activity;sid:81080089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bin_outputbde572f.exe"; http_uri; depth:22; isdataat:!1,relative; content:"babusrtop.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216987/; classtype:trojan-activity;sid:81080087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/obaso.exe"; http_uri; depth:10; isdataat:!1,relative; content:"goodfreightthailand.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216986/; classtype:trojan-activity;sid:81080086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/brexit/super.exe"; http_uri; depth:17; isdataat:!1,relative; content:"complet.avessas.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216985/; classtype:trojan-activity;sid:81080085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/brexit/obcool.exe"; http_uri; depth:18; isdataat:!1,relative; content:"complet.avessas.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216984/; classtype:trojan-activity;sid:81080084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/brexit/whe2.exe"; http_uri; depth:16; isdataat:!1,relative; content:"complet.avessas.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216983/; classtype:trojan-activity;sid:81080083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/brexit/obi.exe"; http_uri; depth:15; isdataat:!1,relative; content:"complet.avessas.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216982/; classtype:trojan-activity;sid:81080082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.spc"; http_uri; depth:11; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216981/; classtype:trojan-activity;sid:81080081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.x86"; http_uri; depth:11; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216980/; classtype:trojan-activity;sid:81080080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.ppc"; http_uri; depth:11; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216978/; classtype:trojan-activity;sid:81080078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216979/; classtype:trojan-activity;sid:81080079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.mips"; http_uri; depth:12; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216976/; classtype:trojan-activity;sid:81080076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.mpsl"; http_uri; depth:12; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216977/; classtype:trojan-activity;sid:81080077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216973/; classtype:trojan-activity;sid:81080073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.arm7"; http_uri; depth:12; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216974/; classtype:trojan-activity;sid:81080074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.m68k"; http_uri; depth:12; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216975/; classtype:trojan-activity;sid:81080075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.arm"; http_uri; depth:11; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216971/; classtype:trojan-activity;sid:81080071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/htp/ab.arm5"; http_uri; depth:12; isdataat:!1,relative; content:"45.80.37.166"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216972/; classtype:trojan-activity;sid:81080072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/obaso.exe"; http_uri; depth:10; isdataat:!1,relative; content:"yogeshcycles.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_15; reference:url, urlhaus.abuse.ch/url/216970/; classtype:trojan-activity;sid:81080070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216969/; classtype:trojan-activity;sid:81080069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216968/; classtype:trojan-activity;sid:81080068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216966/; classtype:trojan-activity;sid:81080066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216964/; classtype:trojan-activity;sid:81080064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216965/; classtype:trojan-activity;sid:81080065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216963/; classtype:trojan-activity;sid:81080063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216962/; classtype:trojan-activity;sid:81080062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216961/; classtype:trojan-activity;sid:81080061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216960/; classtype:trojan-activity;sid:81080060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216959/; classtype:trojan-activity;sid:81080059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216958/; classtype:trojan-activity;sid:81080058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216957/; classtype:trojan-activity;sid:81080057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.199.39"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216955/; classtype:trojan-activity;sid:81080055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/frontend/js/jk.exe"; http_uri; depth:19; isdataat:!1,relative; content:"mis.us"; http_host; depth:6; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216953/; classtype:trojan-activity;sid:81080053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"169.239.128.18"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216952/; classtype:trojan-activity;sid:81080052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rfds34hfgdf34.exe"; http_uri; depth:18; isdataat:!1,relative; content:"fdghdf344.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216951/; classtype:trojan-activity;sid:81080051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files/gift/brr.exe"; http_uri; depth:19; isdataat:!1,relative; content:"redvalidator.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216950/; classtype:trojan-activity;sid:81080050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/04/vv.txt"; http_uri; depth:10; isdataat:!1,relative; content:"149.28.198.35.bc.googleusercontent.com"; http_host; depth:38; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216948/; classtype:trojan-activity;sid:81080048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/04/vv.xsl"; http_uri; depth:10; isdataat:!1,relative; content:"149.28.198.35.bc.googleusercontent.com"; http_host; depth:38; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216949/; classtype:trojan-activity;sid:81080049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/04/v.txt"; http_uri; depth:9; isdataat:!1,relative; content:"149.28.198.35.bc.googleusercontent.com"; http_host; depth:38; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216946/; classtype:trojan-activity;sid:81080046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/04/v.xsl"; http_uri; depth:9; isdataat:!1,relative; content:"149.28.198.35.bc.googleusercontent.com"; http_host; depth:38; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216947/; classtype:trojan-activity;sid:81080047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/adware.exe"; http_uri; depth:11; isdataat:!1,relative; content:"u700222964.hostingerapp.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216945/; classtype:trojan-activity;sid:81080045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mediaplayer.exe"; http_uri; depth:16; isdataat:!1,relative; content:"u700222964.hostingerapp.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216944/; classtype:trojan-activity;sid:81080044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/photoshop.exe"; http_uri; depth:14; isdataat:!1,relative; content:"u700222964.hostingerapp.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216943/; classtype:trojan-activity;sid:81080043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/photos.exe"; http_uri; depth:11; isdataat:!1,relative; content:"u700222964.hostingerapp.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216942/; classtype:trojan-activity;sid:81080042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images.exe"; http_uri; depth:11; isdataat:!1,relative; content:"u700222964.hostingerapp.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216941/; classtype:trojan-activity;sid:81080041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lecteur.exe"; http_uri; depth:12; isdataat:!1,relative; content:"u700222964.hostingerapp.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216939/; classtype:trojan-activity;sid:81080039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windis5dfg_signed.exe"; http_uri; depth:22; isdataat:!1,relative; content:"hjkg456hfg.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216938/; classtype:trojan-activity;sid:81080038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/_output3236730pp.exe"; http_uri; depth:21; isdataat:!1,relative; content:"hjkg456hfg.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216937/; classtype:trojan-activity;sid:81080037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/logg"; http_uri; depth:5; isdataat:!1,relative; content:"218.61.16.142"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216936/; classtype:trojan-activity;sid:81080036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/luyou"; http_uri; depth:6; isdataat:!1,relative; content:"218.61.16.142"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216935/; classtype:trojan-activity;sid:81080035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/winexe.exe"; http_uri; depth:11; isdataat:!1,relative; content:"218.61.16.142"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216934/; classtype:trojan-activity;sid:81080034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a2nw3245dfg_signed.exe"; http_uri; depth:23; isdataat:!1,relative; content:"hjkg456hfg.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216933/; classtype:trojan-activity;sid:81080033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m.exe"; http_uri; depth:6; isdataat:!1,relative; content:"f0316439.xsph.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216932/; classtype:trojan-activity;sid:81080032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/zsa/huuu.com"; http_uri; depth:24; isdataat:!1,relative; content:"www.lockoutindia.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216931/; classtype:trojan-activity;sid:81080031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/actual.exe"; http_uri; depth:11; isdataat:!1,relative; content:"2.56.213.96"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216930/; classtype:trojan-activity;sid:81080030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"142.11.237.148"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216929/; classtype:trojan-activity;sid:81080029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"142.11.237.148"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216928/; classtype:trojan-activity;sid:81080028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"206.189.92.70"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216927/; classtype:trojan-activity;sid:81080027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"45.55.34.44"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216926/; classtype:trojan-activity;sid:81080026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"206.189.92.70"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216925/; classtype:trojan-activity;sid:81080025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv4l"; http_uri; depth:7; isdataat:!1,relative; content:"45.55.34.44"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216924/; classtype:trojan-activity;sid:81080024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"192.241.253.214"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216923/; classtype:trojan-activity;sid:81080023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"192.241.253.214"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216922/; classtype:trojan-activity;sid:81080022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"68.183.37.6"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216921/; classtype:trojan-activity;sid:81080021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"206.189.92.70"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216920/; classtype:trojan-activity;sid:81080020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"68.183.37.6"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216919/; classtype:trojan-activity;sid:81080019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216918/; classtype:trojan-activity;sid:81080018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"45.55.34.44"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216917/; classtype:trojan-activity;sid:81080017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"206.189.92.70"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216916/; classtype:trojan-activity;sid:81080016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"206.189.92.70"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216915/; classtype:trojan-activity;sid:81080015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"68.183.37.6"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216914/; classtype:trojan-activity;sid:81080014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"68.183.37.6"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216913/; classtype:trojan-activity;sid:81080013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216912/; classtype:trojan-activity;sid:81080012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216911/; classtype:trojan-activity;sid:81080011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"142.11.237.148"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216910/; classtype:trojan-activity;sid:81080010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216909/; classtype:trojan-activity;sid:81080009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216908/; classtype:trojan-activity;sid:81080008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"45.55.34.44"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216907/; classtype:trojan-activity;sid:81080007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"68.183.37.6"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216906/; classtype:trojan-activity;sid:81080006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216905/; classtype:trojan-activity;sid:81080005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"192.241.253.214"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216904/; classtype:trojan-activity;sid:81080004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mips"; http_uri; depth:17; isdataat:!1,relative; content:"192.241.253.214"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216903/; classtype:trojan-activity;sid:81080003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"192.241.253.214"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216902/; classtype:trojan-activity;sid:81080002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.x86"; http_uri; depth:16; isdataat:!1,relative; content:"192.241.253.214"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216901/; classtype:trojan-activity;sid:81080001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"45.55.34.44"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216900/; classtype:trojan-activity;sid:81080000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"45.55.34.44"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216899/; classtype:trojan-activity;sid:81079999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"68.183.37.6"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216898/; classtype:trojan-activity;sid:81079998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"45.55.34.44"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216897/; classtype:trojan-activity;sid:81079997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"68.183.37.6"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216896/; classtype:trojan-activity;sid:81079996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"45.55.34.44"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216895/; classtype:trojan-activity;sid:81079995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216894/; classtype:trojan-activity;sid:81079994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"45.55.34.44"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216893/; classtype:trojan-activity;sid:81079993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216892/; classtype:trojan-activity;sid:81079992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"68.183.37.6"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216891/; classtype:trojan-activity;sid:81079991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"68.183.37.6"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216890/; classtype:trojan-activity;sid:81079990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"45.55.34.44"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216888/; classtype:trojan-activity;sid:81079988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"68.183.37.6"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216889/; classtype:trojan-activity;sid:81079989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216887/; classtype:trojan-activity;sid:81079987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216886/; classtype:trojan-activity;sid:81079986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"178.128.115.183"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216885/; classtype:trojan-activity;sid:81079985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"192.241.253.214"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216884/; classtype:trojan-activity;sid:81079984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/down/marvel.exe"; http_uri; depth:16; isdataat:!1,relative; content:"onep.zzccjd.cn"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216883/; classtype:trojan-activity;sid:81079983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cf.txt"; http_uri; depth:7; isdataat:!1,relative; content:"www.pedidoslalacteo.com.ar"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216882/; classtype:trojan-activity;sid:81079982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/downloads/pindo.exe"; http_uri; depth:20; isdataat:!1,relative; content:"prevacytools.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216881/; classtype:trojan-activity;sid:81079981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ppx.ps1"; http_uri; depth:8; isdataat:!1,relative; content:"timekeeper.ug"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216880/; classtype:trojan-activity;sid:81079980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windows.defender"; http_uri; depth:17; isdataat:!1,relative; content:"bulutlogistic.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216879/; classtype:trojan-activity;sid:81079979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"194.99.22.138"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216878/; classtype:trojan-activity;sid:81079978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/vcc2.exe"; http_uri; depth:28; isdataat:!1,relative; content:"innovice.eu"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216877/; classtype:trojan-activity;sid:81079977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/p7rajlcekm3313es40lsc08gkml5nocu/1563062400000/11136554591608719535/*/1amsk9jxdffbtev0vzisj2-hkkhvyuwvje=download"; http_uri; depth:161; isdataat:!1,relative; content:"doc-0k-7s-docs.googleusercontent.com"; http_host; depth:36; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216876/; classtype:trojan-activity;sid:81079976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cd/0/get/akq0kpl7jnh9hpaq2etoeyrsj-glgpcagprc6e9kjp_awvm9zxa7vv3sttomuyahyrlnvw2uw37gbotvwup67ogsozzxvbgvdyxgdlxnkxg9pg/filedl=1"; http_uri; depth:129; isdataat:!1,relative; content:"uc1661f9b02565caee1bfefd045e.dl.dropboxusercontent.com"; http_host; depth:54; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216875/; classtype:trojan-activity;sid:81079975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/updatear=bg834468474brrastreamentoobjetos/sistemas.html"; http_uri; depth:56; isdataat:!1,relative; content:"www.objetosrastreamento.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_14; reference:url, urlhaus.abuse.ch/url/216874/; classtype:trojan-activity;sid:81079974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"159.65.234.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216872/; classtype:trojan-activity;sid:81079972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"159.65.234.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216873/; classtype:trojan-activity;sid:81079973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/test.exe"; http_uri; depth:28; isdataat:!1,relative; content:"innovice.eu"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216871/; classtype:trojan-activity;sid:81079971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windis435gfd.exe"; http_uri; depth:17; isdataat:!1,relative; content:"hjkg456hfg.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216870/; classtype:trojan-activity;sid:81079970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"51.79.71.155"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216869/; classtype:trojan-activity;sid:81079969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"51.79.71.155"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216868/; classtype:trojan-activity;sid:81079968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"51.79.71.155"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216867/; classtype:trojan-activity;sid:81079967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"51.79.71.155"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216866/; classtype:trojan-activity;sid:81079966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"51.79.71.155"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216865/; classtype:trojan-activity;sid:81079965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/stelar.exe"; http_uri; depth:11; isdataat:!1,relative; content:"senddocs.icu"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216864/; classtype:trojan-activity;sid:81079964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/crack.exe"; http_uri; depth:29; isdataat:!1,relative; content:"innovice.eu"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216863/; classtype:trojan-activity;sid:81079963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/msr.exe"; http_uri; depth:27; isdataat:!1,relative; content:"innovice.eu"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216862/; classtype:trojan-activity;sid:81079962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wrkob.exe"; http_uri; depth:10; isdataat:!1,relative; content:"185.225.17.175"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216861/; classtype:trojan-activity;sid:81079961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ys808e"; http_uri; depth:7; isdataat:!1,relative; content:"23.247.66.110"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216860/; classtype:trojan-activity;sid:81079960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/y4mpggmzwukhbpcektitig36s-axvzan2zcrbnm2jrgleeqqackfgnsw8bbg-gkd25zpp69sriqcn3qlju2abszr1bmvv_b0mpyoxdwzzx2kqledoiluluctvfrjpfkadb8fnt-7srngvh2wwf4biy3kzm09itahuwrwq3h3ziifrrew4wpq4rgq8-ogi7bxwhuppyey83eethg9zvps-fqyq/purchase%20order.r00download|26|psid=1"; http_uri; depth:257; isdataat:!1,relative; content:"abgmnq.ch.files.1drv.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216859/; classtype:trojan-activity;sid:81079959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.m68k"; http_uri; depth:15; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216858/; classtype:trojan-activity;sid:81079958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/arm5.b"; http_uri; depth:12; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216855/; classtype:trojan-activity;sid:81079955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/arm7.b"; http_uri; depth:12; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216856/; classtype:trojan-activity;sid:81079956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/mpsl.b"; http_uri; depth:12; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216857/; classtype:trojan-activity;sid:81079957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216852/; classtype:trojan-activity;sid:81079952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.x86"; http_uri; depth:14; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216853/; classtype:trojan-activity;sid:81079953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/arm.b"; http_uri; depth:11; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216854/; classtype:trojan-activity;sid:81079954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.mpsl"; http_uri; depth:15; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216849/; classtype:trojan-activity;sid:81079949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216850/; classtype:trojan-activity;sid:81079950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.spc"; http_uri; depth:14; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216851/; classtype:trojan-activity;sid:81079951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216846/; classtype:trojan-activity;sid:81079946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216847/; classtype:trojan-activity;sid:81079947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.mips"; http_uri; depth:15; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216848/; classtype:trojan-activity;sid:81079948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.arm"; http_uri; depth:14; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216844/; classtype:trojan-activity;sid:81079944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/apep.arm5"; http_uri; depth:15; isdataat:!1,relative; content:"80.211.36.172"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216845/; classtype:trojan-activity;sid:81079945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hxbu/task.hta"; http_uri; depth:14; isdataat:!1,relative; content:"34.68.116.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216842/; classtype:trojan-activity;sid:81079942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins.sh"; http_uri; depth:8; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216843/; classtype:trojan-activity;sid:81079943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.sh4"; http_uri; depth:21; isdataat:!1,relative; content:"68.183.234.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216841/; classtype:trojan-activity;sid:81079941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.m68k"; http_uri; depth:22; isdataat:!1,relative; content:"68.183.234.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216840/; classtype:trojan-activity;sid:81079940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.ppc"; http_uri; depth:21; isdataat:!1,relative; content:"68.183.234.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216839/; classtype:trojan-activity;sid:81079939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm7"; http_uri; depth:22; isdataat:!1,relative; content:"68.183.234.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216838/; classtype:trojan-activity;sid:81079938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm6"; http_uri; depth:22; isdataat:!1,relative; content:"68.183.234.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216837/; classtype:trojan-activity;sid:81079937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm5"; http_uri; depth:22; isdataat:!1,relative; content:"68.183.234.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216836/; classtype:trojan-activity;sid:81079936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm4"; http_uri; depth:22; isdataat:!1,relative; content:"68.183.234.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216835/; classtype:trojan-activity;sid:81079935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mpsl"; http_uri; depth:22; isdataat:!1,relative; content:"68.183.234.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216834/; classtype:trojan-activity;sid:81079934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mips"; http_uri; depth:22; isdataat:!1,relative; content:"68.183.234.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216833/; classtype:trojan-activity;sid:81079933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.arm7"; http_uri; depth:12; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216832/; classtype:trojan-activity;sid:81079932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.mipsel"; http_uri; depth:14; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216830/; classtype:trojan-activity;sid:81079930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216831/; classtype:trojan-activity;sid:81079931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.mpsl"; http_uri; depth:19; isdataat:!1,relative; content:"37.59.242.121"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216829/; classtype:trojan-activity;sid:81079929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.x86"; http_uri; depth:21; isdataat:!1,relative; content:"68.183.234.68"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216828/; classtype:trojan-activity;sid:81079928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"159.65.135.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216827/; classtype:trojan-activity;sid:81079927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.spc"; http_uri; depth:16; isdataat:!1,relative; content:"159.65.135.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216826/; classtype:trojan-activity;sid:81079926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"159.65.135.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216825/; classtype:trojan-activity;sid:81079925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"159.65.135.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216824/; classtype:trojan-activity;sid:81079924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mips"; http_uri; depth:17; isdataat:!1,relative; content:"159.65.135.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216823/; classtype:trojan-activity;sid:81079923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"159.65.135.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216822/; classtype:trojan-activity;sid:81079922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"159.65.135.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216821/; classtype:trojan-activity;sid:81079921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"159.65.135.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216820/; classtype:trojan-activity;sid:81079920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm"; http_uri; depth:16; isdataat:!1,relative; content:"159.65.135.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216819/; classtype:trojan-activity;sid:81079919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.x86"; http_uri; depth:16; isdataat:!1,relative; content:"159.65.135.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216818/; classtype:trojan-activity;sid:81079918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/spc.akira.ak"; http_uri; depth:20; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216816/; classtype:trojan-activity;sid:81079916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/x86.akira.ak"; http_uri; depth:20; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216817/; classtype:trojan-activity;sid:81079917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/mips.akira.ak"; http_uri; depth:21; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216813/; classtype:trojan-activity;sid:81079913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/ppc.akira.ak"; http_uri; depth:20; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216814/; classtype:trojan-activity;sid:81079914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/sh4.akira.ak"; http_uri; depth:20; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216815/; classtype:trojan-activity;sid:81079915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/m68k.akira.ak"; http_uri; depth:21; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216812/; classtype:trojan-activity;sid:81079912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/mpsl.akira.ak"; http_uri; depth:21; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216811/; classtype:trojan-activity;sid:81079911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/arm6.akira.ak"; http_uri; depth:21; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216809/; classtype:trojan-activity;sid:81079909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/arm7.akira.ak"; http_uri; depth:21; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216810/; classtype:trojan-activity;sid:81079910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/arm.akira.ak"; http_uri; depth:20; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216807/; classtype:trojan-activity;sid:81079907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/akbins/arm5.akira.ak"; http_uri; depth:21; isdataat:!1,relative; content:"134.209.93.155"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216808/; classtype:trojan-activity;sid:81079908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/java8000"; http_uri; depth:9; isdataat:!1,relative; content:"23.247.66.110"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216806/; classtype:trojan-activity;sid:81079906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216805/; classtype:trojan-activity;sid:81079905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216803/; classtype:trojan-activity;sid:81079903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.spc"; http_uri; depth:14; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216804/; classtype:trojan-activity;sid:81079904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.mpsl"; http_uri; depth:15; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216802/; classtype:trojan-activity;sid:81079902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.m68k"; http_uri; depth:15; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216800/; classtype:trojan-activity;sid:81079900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.mips"; http_uri; depth:15; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216801/; classtype:trojan-activity;sid:81079901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216799/; classtype:trojan-activity;sid:81079899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216798/; classtype:trojan-activity;sid:81079898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.arm5"; http_uri; depth:15; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216797/; classtype:trojan-activity;sid:81079897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.arm"; http_uri; depth:14; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216796/; classtype:trojan-activity;sid:81079896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/dsec.x86"; http_uri; depth:14; isdataat:!1,relative; content:"206.189.118.148"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216795/; classtype:trojan-activity;sid:81079895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.x86"; http_uri; depth:17; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216794/; classtype:trojan-activity;sid:81079894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.ppc"; http_uri; depth:17; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216793/; classtype:trojan-activity;sid:81079893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.spc"; http_uri; depth:17; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216792/; classtype:trojan-activity;sid:81079892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.sh4"; http_uri; depth:17; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216791/; classtype:trojan-activity;sid:81079891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.mpsl"; http_uri; depth:18; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216790/; classtype:trojan-activity;sid:81079890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.mips"; http_uri; depth:18; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216789/; classtype:trojan-activity;sid:81079889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.m68k"; http_uri; depth:18; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216788/; classtype:trojan-activity;sid:81079888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.arm7"; http_uri; depth:18; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216787/; classtype:trojan-activity;sid:81079887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.arm6"; http_uri; depth:18; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216786/; classtype:trojan-activity;sid:81079886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.arm5"; http_uri; depth:18; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216785/; classtype:trojan-activity;sid:81079885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/z4k.arm"; http_uri; depth:17; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216784/; classtype:trojan-activity;sid:81079884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/r00t"; http_uri; depth:14; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216783/; classtype:trojan-activity;sid:81079883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.configs/adb"; http_uri; depth:13; isdataat:!1,relative; content:"hulo.r00ts.online"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216782/; classtype:trojan-activity;sid:81079882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.arm4"; http_uri; depth:12; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216780/; classtype:trojan-activity;sid:81079880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.arm5"; http_uri; depth:12; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216781/; classtype:trojan-activity;sid:81079881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.sparc"; http_uri; depth:13; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216779/; classtype:trojan-activity;sid:81079879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.m68k"; http_uri; depth:12; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216778/; classtype:trojan-activity;sid:81079878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.i586"; http_uri; depth:12; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216777/; classtype:trojan-activity;sid:81079877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.i686"; http_uri; depth:12; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216776/; classtype:trojan-activity;sid:81079876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216775/; classtype:trojan-activity;sid:81079875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.x86_64"; http_uri; depth:14; isdataat:!1,relative; content:"185.172.110.224"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216774/; classtype:trojan-activity;sid:81079874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"206.189.30.212"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216773/; classtype:trojan-activity;sid:81079873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"206.189.30.212"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216772/; classtype:trojan-activity;sid:81079872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"206.189.30.212"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216771/; classtype:trojan-activity;sid:81079871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"46.101.5.215"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216769/; classtype:trojan-activity;sid:81079869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"46.101.5.215"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216770/; classtype:trojan-activity;sid:81079870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"46.101.5.215"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216768/; classtype:trojan-activity;sid:81079868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"206.189.30.212"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216766/; classtype:trojan-activity;sid:81079866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"206.189.30.212"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216767/; classtype:trojan-activity;sid:81079867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"206.189.30.212"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216765/; classtype:trojan-activity;sid:81079865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"46.101.5.215"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216764/; classtype:trojan-activity;sid:81079864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"206.189.30.212"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216762/; classtype:trojan-activity;sid:81079862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"46.101.5.215"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216763/; classtype:trojan-activity;sid:81079863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"206.189.30.212"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216760/; classtype:trojan-activity;sid:81079860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"46.101.5.215"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216761/; classtype:trojan-activity;sid:81079861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"46.101.5.215"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216759/; classtype:trojan-activity;sid:81079859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"206.189.30.212"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216758/; classtype:trojan-activity;sid:81079858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"206.189.30.212"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216757/; classtype:trojan-activity;sid:81079857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"193.124.188.118"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216756/; classtype:trojan-activity;sid:81079856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"193.124.188.118"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216755/; classtype:trojan-activity;sid:81079855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"167.99.64.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216754/; classtype:trojan-activity;sid:81079854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm4"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216752/; classtype:trojan-activity;sid:81079852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x32"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216753/; classtype:trojan-activity;sid:81079853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.m68k"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216751/; classtype:trojan-activity;sid:81079851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"193.124.188.118"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216750/; classtype:trojan-activity;sid:81079850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"193.124.188.118"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216749/; classtype:trojan-activity;sid:81079849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.64.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216747/; classtype:trojan-activity;sid:81079847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"193.124.188.118"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216748/; classtype:trojan-activity;sid:81079848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv4l"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.64.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216746/; classtype:trojan-activity;sid:81079846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"193.124.188.118"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216745/; classtype:trojan-activity;sid:81079845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x86"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216744/; classtype:trojan-activity;sid:81079844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"167.99.64.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216743/; classtype:trojan-activity;sid:81079843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"167.99.64.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216742/; classtype:trojan-activity;sid:81079842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216741/; classtype:trojan-activity;sid:81079841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.64.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216740/; classtype:trojan-activity;sid:81079840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216739/; classtype:trojan-activity;sid:81079839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"193.124.188.118"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216738/; classtype:trojan-activity;sid:81079838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.64.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216737/; classtype:trojan-activity;sid:81079837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mpsl"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216736/; classtype:trojan-activity;sid:81079836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"193.124.188.118"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216735/; classtype:trojan-activity;sid:81079835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mips"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216733/; classtype:trojan-activity;sid:81079833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.ppc"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216734/; classtype:trojan-activity;sid:81079834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.i586"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216732/; classtype:trojan-activity;sid:81079832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"193.124.188.118"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216731/; classtype:trojan-activity;sid:81079831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/proof%20of%20payment%2019.09.2018.doc"; http_uri; depth:38; isdataat:!1,relative; content:"www.mky.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216730/; classtype:trojan-activity;sid:81079830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a2nw543hfgkj_signed.exe"; http_uri; depth:24; isdataat:!1,relative; content:"hjkg456hfg.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216729/; classtype:trojan-activity;sid:81079829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/loki/temp/css/html/me.exe"; http_uri; depth:26; isdataat:!1,relative; content:"zeetechbusiness.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216728/; classtype:trojan-activity;sid:81079828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9mips"; http_uri; depth:8; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216727/; classtype:trojan-activity;sid:81079827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9cco"; http_uri; depth:7; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216726/; classtype:trojan-activity;sid:81079826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9dss"; http_uri; depth:7; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216725/; classtype:trojan-activity;sid:81079825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9adc"; http_uri; depth:7; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216724/; classtype:trojan-activity;sid:81079824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9m68k"; http_uri; depth:8; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216723/; classtype:trojan-activity;sid:81079823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9i586"; http_uri; depth:8; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216722/; classtype:trojan-activity;sid:81079822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9ppc"; http_uri; depth:7; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216721/; classtype:trojan-activity;sid:81079821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9i686"; http_uri; depth:8; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216720/; classtype:trojan-activity;sid:81079820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9arm6"; http_uri; depth:8; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216719/; classtype:trojan-activity;sid:81079819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9x86"; http_uri; depth:7; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216718/; classtype:trojan-activity;sid:81079818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9sh4"; http_uri; depth:7; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216717/; classtype:trojan-activity;sid:81079817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9mpsl"; http_uri; depth:8; isdataat:!1,relative; content:"96.8.112.14"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216716/; classtype:trojan-activity;sid:81079816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vmksyv"; http_uri; depth:7; isdataat:!1,relative; content:"erpetro.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_13; reference:url, urlhaus.abuse.ch/url/216714/; classtype:trojan-activity;sid:81079814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hxbu/sw1.exe"; http_uri; depth:13; isdataat:!1,relative; content:"34.68.116.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216712/; classtype:trojan-activity;sid:81079812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mf.exe"; http_uri; depth:7; isdataat:!1,relative; content:"chrome.theworkpc.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216711/; classtype:trojan-activity;sid:81079811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wadeng.png"; http_uri; depth:11; isdataat:!1,relative; content:"139.60.163.51"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216710/; classtype:trojan-activity;sid:81079810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/trablon.png"; http_uri; depth:12; isdataat:!1,relative; content:"139.60.163.51"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216709/; classtype:trojan-activity;sid:81079809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/samagden.png"; http_uri; depth:13; isdataat:!1,relative; content:"139.60.163.51"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216707/; classtype:trojan-activity;sid:81079807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/googleinvesigations_89de113109aa.php"; http_uri; depth:37; isdataat:!1,relative; content:"alphatronic.com.my"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216706/; classtype:trojan-activity;sid:81079806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/taxreminder.php"; http_uri; depth:16; isdataat:!1,relative; content:"bizcraftindia.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216705/; classtype:trojan-activity;sid:81079805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/audipromo.php"; http_uri; depth:14; isdataat:!1,relative; content:"alemanautos.cl"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216704/; classtype:trojan-activity;sid:81079804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fb_counteradc28675ba.php"; http_uri; depth:25; isdataat:!1,relative; content:"aminvali.ca"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216703/; classtype:trojan-activity;sid:81079803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/oracle_test.php"; http_uri; depth:16; isdataat:!1,relative; content:"alkalbany.net"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216701/; classtype:trojan-activity;sid:81079801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/input454.exe"; http_uri; depth:13; isdataat:!1,relative; content:"spinagruop.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216700/; classtype:trojan-activity;sid:81079800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/uberstore-wp/inc/democontent/1c.jpg"; http_uri; depth:54; isdataat:!1,relative; content:"sixfingers.de"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216698/; classtype:trojan-activity;sid:81079798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/winidsi34dfg_signed.exe"; http_uri; depth:24; isdataat:!1,relative; content:"fdghdf344.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216697/; classtype:trojan-activity;sid:81079797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/download/document.zip"; http_uri; depth:22; isdataat:!1,relative; content:"documentationup.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216696/; classtype:trojan-activity;sid:81079796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/g9p4sp"; http_uri; depth:7; isdataat:!1,relative; content:"softre.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216695/; classtype:trojan-activity;sid:81079795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/app/webroot/date/ink.exe"; http_uri; depth:25; isdataat:!1,relative; content:"aliiff.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216694/; classtype:trojan-activity;sid:81079794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fonts/chrome.bin"; http_uri; depth:17; isdataat:!1,relative; content:"888fx.pro"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216693/; classtype:trojan-activity;sid:81079793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/w/scan_609577"; http_uri; depth:14; isdataat:!1,relative; content:"5.56.133.137"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216692/; classtype:trojan-activity;sid:81079792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/w/scan_609577.hta"; http_uri; depth:18; isdataat:!1,relative; content:"5.56.133.137"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216691/; classtype:trojan-activity;sid:81079791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/app/winboxscan-0702.exe"; http_uri; depth:24; isdataat:!1,relative; content:"proactor.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216690/; classtype:trojan-activity;sid:81079790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/luc/ppc.exe"; http_uri; depth:12; isdataat:!1,relative; content:"airconlogistic.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216689/; classtype:trojan-activity;sid:81079789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/app/winboxls-0225-2.exe"; http_uri; depth:24; isdataat:!1,relative; content:"proactor.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216688/; classtype:trojan-activity;sid:81079788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/app/winboxls-0711.exe"; http_uri; depth:22; isdataat:!1,relative; content:"proactor.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216687/; classtype:trojan-activity;sid:81079787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/_document2.exe"; http_uri; depth:15; isdataat:!1,relative; content:"spinagruop.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216686/; classtype:trojan-activity;sid:81079786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/toolz/payment.exe"; http_uri; depth:18; isdataat:!1,relative; content:"xyzeeeee.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216685/; classtype:trojan-activity;sid:81079785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/app/updateprofile-0321.exe"; http_uri; depth:27; isdataat:!1,relative; content:"proactor.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216684/; classtype:trojan-activity;sid:81079784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/app/vc.exe"; http_uri; depth:11; isdataat:!1,relative; content:"proactor.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216683/; classtype:trojan-activity;sid:81079783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm"; http_uri; depth:16; isdataat:!1,relative; content:"188.166.17.23"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216682/; classtype:trojan-activity;sid:81079782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.x86"; http_uri; depth:16; isdataat:!1,relative; content:"188.166.17.23"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216681/; classtype:trojan-activity;sid:81079781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"188.166.17.23"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216680/; classtype:trojan-activity;sid:81079780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"188.166.17.23"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216679/; classtype:trojan-activity;sid:81079779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/app/updateprofile-srv1-0520.exe"; http_uri; depth:32; isdataat:!1,relative; content:"proactor.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216678/; classtype:trojan-activity;sid:81079778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/app/e7.exe"; http_uri; depth:11; isdataat:!1,relative; content:"proactor.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216677/; classtype:trojan-activity;sid:81079777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"188.166.17.23"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216675/; classtype:trojan-activity;sid:81079775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mips"; http_uri; depth:17; isdataat:!1,relative; content:"188.166.17.23"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216676/; classtype:trojan-activity;sid:81079776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windis3245dfg_signed.exe"; http_uri; depth:25; isdataat:!1,relative; content:"fdfsdfsffsgagdfdgdfgdfgdf.ru"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216674/; classtype:trojan-activity;sid:81079774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"188.166.17.23"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216673/; classtype:trojan-activity;sid:81079773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/app/watchdog.exe"; http_uri; depth:17; isdataat:!1,relative; content:"proactor.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216672/; classtype:trojan-activity;sid:81079772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tld.mips"; http_uri; depth:14; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216669/; classtype:trojan-activity;sid:81079769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tld.mpsl"; http_uri; depth:14; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216670/; classtype:trojan-activity;sid:81079770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tld.x86"; http_uri; depth:13; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216671/; classtype:trojan-activity;sid:81079771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tld.arm6"; http_uri; depth:14; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216667/; classtype:trojan-activity;sid:81079767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tld.arm7"; http_uri; depth:14; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216668/; classtype:trojan-activity;sid:81079768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tld.arm"; http_uri; depth:13; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216665/; classtype:trojan-activity;sid:81079765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tld.arm5"; http_uri; depth:14; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216666/; classtype:trojan-activity;sid:81079766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/adb.arm7"; http_uri; depth:14; isdataat:!1,relative; content:"87.120.37.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216664/; classtype:trojan-activity;sid:81079764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/temp/embixer.msi"; http_uri; depth:17; isdataat:!1,relative; content:"segoundonfoume.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216663/; classtype:trojan-activity;sid:81079763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/app/app.exe"; http_uri; depth:12; isdataat:!1,relative; content:"proactor.xyz"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216662/; classtype:trojan-activity;sid:81079762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cd/0/get/akhjhgagnzqfw0tziux5dd_gqz5hg-s9vnncsbckqul5uc61lw4hspizdhag8y0cqqjuv55jundxvxeecywwy_43pxgp6evg1tsimbizvb_nmq/filedl=1"; http_uri; depth:129; isdataat:!1,relative; content:"uc9c0dca643420019efccd942010.dl.dropboxusercontent.com"; http_host; depth:54; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216661/; classtype:trojan-activity;sid:81079761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mki/kino.exe"; http_uri; depth:13; isdataat:!1,relative; content:"airconlogistic.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216660/; classtype:trojan-activity;sid:81079760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/dago/inks1/cotization.doc"; http_uri; depth:35; isdataat:!1,relative; content:"pallomahotelkuta.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216659/; classtype:trojan-activity;sid:81079759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/dago/inks/iinks.exe"; http_uri; depth:29; isdataat:!1,relative; content:"pallomahotelkuta.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216658/; classtype:trojan-activity;sid:81079758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jihuogj/xiaomajihuo_oem7f7(special).exe"; http_uri; depth:40; isdataat:!1,relative; content:"218.92.218.40"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216657/; classtype:trojan-activity;sid:81079757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jihuogj/heu_kms_activator_v11.2.0.exe"; http_uri; depth:38; isdataat:!1,relative; content:"218.92.218.40"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216656/; classtype:trojan-activity;sid:81079756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windis3245dfg_signed.exe"; http_uri; depth:25; isdataat:!1,relative; content:"hjkg456hfg.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216655/; classtype:trojan-activity;sid:81079755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a2nwrfr56jhsdf54_signed.exe"; http_uri; depth:28; isdataat:!1,relative; content:"hjkg456hfg.ru"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216654/; classtype:trojan-activity;sid:81079754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/os/osi.exe"; http_uri; depth:11; isdataat:!1,relative; content:"perca.ir"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216653/; classtype:trojan-activity;sid:81079753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yho9"; http_uri; depth:5; isdataat:!1,relative; content:"43.254.217.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216652/; classtype:trojan-activity;sid:81079752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pps.ps1"; http_uri; depth:8; isdataat:!1,relative; content:"dgkhj.ru"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216651/; classtype:trojan-activity;sid:81079751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"167.71.181.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216650/; classtype:trojan-activity;sid:81079750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"167.71.181.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216649/; classtype:trojan-activity;sid:81079749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"167.71.181.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216648/; classtype:trojan-activity;sid:81079748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"167.71.181.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216647/; classtype:trojan-activity;sid:81079747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"167.71.181.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216645/; classtype:trojan-activity;sid:81079745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"167.71.181.88"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216646/; classtype:trojan-activity;sid:81079746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/updatear=bg834468474brrastreamentoobjetos%2fsistemas.html"; http_uri; depth:58; isdataat:!1,relative; content:"www.objetosrastreamento.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216644/; classtype:trojan-activity;sid:81079744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nnmmm.exe"; http_uri; depth:10; isdataat:!1,relative; content:"spinagruop.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216643/; classtype:trojan-activity;sid:81079743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216642/; classtype:trojan-activity;sid:81079742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216639/; classtype:trojan-activity;sid:81079739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216641/; classtype:trojan-activity;sid:81079741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.spc"; http_uri; depth:16; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216640/; classtype:trojan-activity;sid:81079740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216637/; classtype:trojan-activity;sid:81079737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.mips"; http_uri; depth:17; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216638/; classtype:trojan-activity;sid:81079738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216635/; classtype:trojan-activity;sid:81079735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216636/; classtype:trojan-activity;sid:81079736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm"; http_uri; depth:16; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216633/; classtype:trojan-activity;sid:81079733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216634/; classtype:trojan-activity;sid:81079734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.x86"; http_uri; depth:16; isdataat:!1,relative; content:"46.166.185.161"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216632/; classtype:trojan-activity;sid:81079732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8arm58"; http_uri; depth:7; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216630/; classtype:trojan-activity;sid:81079730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8arm78"; http_uri; depth:7; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216631/; classtype:trojan-activity;sid:81079731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8arm48"; http_uri; depth:7; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216629/; classtype:trojan-activity;sid:81079729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8spc8"; http_uri; depth:6; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216628/; classtype:trojan-activity;sid:81079728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8m68k8"; http_uri; depth:7; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216627/; classtype:trojan-activity;sid:81079727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8ppc8"; http_uri; depth:6; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216626/; classtype:trojan-activity;sid:81079726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8i68"; http_uri; depth:5; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216625/; classtype:trojan-activity;sid:81079725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8arm68"; http_uri; depth:7; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216624/; classtype:trojan-activity;sid:81079724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8x868"; http_uri; depth:6; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216623/; classtype:trojan-activity;sid:81079723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8sh48"; http_uri; depth:6; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216622/; classtype:trojan-activity;sid:81079722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8mpsl8"; http_uri; depth:7; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216621/; classtype:trojan-activity;sid:81079721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8mips8"; http_uri; depth:7; isdataat:!1,relative; content:"23.254.138.248"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216620/; classtype:trojan-activity;sid:81079720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/loki/temp/css/html/crypted.exe"; http_uri; depth:31; isdataat:!1,relative; content:"zeetechbusiness.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216619/; classtype:trojan-activity;sid:81079719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/x86.nigger"; http_uri; depth:16; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216618/; classtype:trojan-activity;sid:81079718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/sh4.nigger"; http_uri; depth:16; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216616/; classtype:trojan-activity;sid:81079716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/spc.nigger"; http_uri; depth:16; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216617/; classtype:trojan-activity;sid:81079717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/mpsl.nigger"; http_uri; depth:17; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216614/; classtype:trojan-activity;sid:81079714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ppc.nigger"; http_uri; depth:16; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216615/; classtype:trojan-activity;sid:81079715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/m68k.nigger"; http_uri; depth:17; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216612/; classtype:trojan-activity;sid:81079712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/mips.nigger"; http_uri; depth:17; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216613/; classtype:trojan-activity;sid:81079713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/arm6.nigger"; http_uri; depth:17; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216610/; classtype:trojan-activity;sid:81079710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/arm7.nigger"; http_uri; depth:17; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216611/; classtype:trojan-activity;sid:81079711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/arm.nigger"; http_uri; depth:16; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216608/; classtype:trojan-activity;sid:81079708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/arm5.nigger"; http_uri; depth:17; isdataat:!1,relative; content:"x.autistichorse.club"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216609/; classtype:trojan-activity;sid:81079709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sure.fdg"; http_uri; depth:9; isdataat:!1,relative; content:"canadabestonline.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216607/; classtype:trojan-activity;sid:81079707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv5l"; http_uri; depth:19; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216606/; classtype:trojan-activity;sid:81079706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.x86"; http_uri; depth:16; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216605/; classtype:trojan-activity;sid:81079705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv7l"; http_uri; depth:19; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216604/; classtype:trojan-activity;sid:81079704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.i586"; http_uri; depth:17; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216603/; classtype:trojan-activity;sid:81079703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.i686"; http_uri; depth:17; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216601/; classtype:trojan-activity;sid:81079701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.mipsel"; http_uri; depth:19; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216602/; classtype:trojan-activity;sid:81079702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.powerpc"; http_uri; depth:20; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216599/; classtype:trojan-activity;sid:81079699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216600/; classtype:trojan-activity;sid:81079700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.sparc"; http_uri; depth:18; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216598/; classtype:trojan-activity;sid:81079698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216597/; classtype:trojan-activity;sid:81079697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv6l"; http_uri; depth:19; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216596/; classtype:trojan-activity;sid:81079696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.mips"; http_uri; depth:17; isdataat:!1,relative; content:"54.37.44.67"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216595/; classtype:trojan-activity;sid:81079695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mrp/dp.exe"; http_uri; depth:11; isdataat:!1,relative; content:"perca.ir"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216594/; classtype:trojan-activity;sid:81079694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1.exe"; http_uri; depth:6; isdataat:!1,relative; content:"194.61.1.86"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_12; reference:url, urlhaus.abuse.ch/url/216593/; classtype:trojan-activity;sid:81079693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/apikey/webdirect.phplink=3x6qy7"; http_uri; depth:51; isdataat:!1,relative; content:"hawk-lines.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216591/; classtype:trojan-activity;sid:81079691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/read/dwm.exe"; http_uri; depth:13; isdataat:!1,relative; content:"secureintpayneft.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216590/; classtype:trojan-activity;sid:81079690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/read/investment_proposal.doc"; http_uri; depth:29; isdataat:!1,relative; content:"bancosnal.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216588/; classtype:trojan-activity;sid:81079688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/000102/invoice.doc"; http_uri; depth:19; isdataat:!1,relative; content:"compute-1.azurewebsites.net"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216587/; classtype:trojan-activity;sid:81079687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vcvgfc"; http_uri; depth:7; isdataat:!1,relative; content:"derylresearch.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216586/; classtype:trojan-activity;sid:81079686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ori2c.exe"; http_uri; depth:10; isdataat:!1,relative; content:"bowmanvillefoundry.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216585/; classtype:trojan-activity;sid:81079685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cp/sl_e_062701.exe"; http_uri; depth:19; isdataat:!1,relative; content:"data.yx1999.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216584/; classtype:trojan-activity;sid:81079684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cp/sl_e_0617.exe"; http_uri; depth:17; isdataat:!1,relative; content:"data.yx1999.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216583/; classtype:trojan-activity;sid:81079683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ppks.exe"; http_uri; depth:9; isdataat:!1,relative; content:"185.159.82.62"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216582/; classtype:trojan-activity;sid:81079682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/_output875814f.exe"; http_uri; depth:19; isdataat:!1,relative; content:"overthebarr.club"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216581/; classtype:trojan-activity;sid:81079681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/deeppip/out_prss.exe"; http_uri; depth:21; isdataat:!1,relative; content:"176.119.1.74"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216580/; classtype:trojan-activity;sid:81079680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/byls/100.exe"; http_uri; depth:13; isdataat:!1,relative; content:"34.68.116.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216579/; classtype:trojan-activity;sid:81079679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/purple.exe"; http_uri; depth:11; isdataat:!1,relative; content:"daddyhandsome123.5gbfree.com"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216578/; classtype:trojan-activity;sid:81079678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ppplayerv.exe"; http_uri; depth:14; isdataat:!1,relative; content:"www.ngnbinfo.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216577/; classtype:trojan-activity;sid:81079677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"134.209.82.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216575/; classtype:trojan-activity;sid:81079675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/salient/img/icons/social/1c.jpg"; http_uri; depth:50; isdataat:!1,relative; content:"m-media.nl"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216576/; classtype:trojan-activity;sid:81079676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm"; http_uri; depth:14; isdataat:!1,relative; content:"134.209.82.12"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216574/; classtype:trojan-activity;sid:81079674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.x86"; http_uri; depth:16; isdataat:!1,relative; content:"159.65.234.16"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216573/; classtype:trojan-activity;sid:81079673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/byls/2.exe"; http_uri; depth:11; isdataat:!1,relative; content:"34.68.116.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216572/; classtype:trojan-activity;sid:81079672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cjoj/cjj.exe"; http_uri; depth:13; isdataat:!1,relative; content:"spm-tnr.co.id"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216570/; classtype:trojan-activity;sid:81079670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ppplayerv.exe"; http_uri; depth:14; isdataat:!1,relative; content:"ngnbinfo.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216569/; classtype:trojan-activity;sid:81079669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tin.exe"; http_uri; depth:8; isdataat:!1,relative; content:"37.44.212.193"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216568/; classtype:trojan-activity;sid:81079668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tin86cdx.exe"; http_uri; depth:13; isdataat:!1,relative; content:"37.44.212.193"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216567/; classtype:trojan-activity;sid:81079667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xogoerlooopertx/zxops.exe"; http_uri; depth:26; isdataat:!1,relative; content:"ponestona.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216566/; classtype:trojan-activity;sid:81079666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1.exe"; http_uri; depth:6; isdataat:!1,relative; content:"216.170.119.6"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216565/; classtype:trojan-activity;sid:81079665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmon/ytsetupus.exe"; http_uri; depth:19; isdataat:!1,relative; content:"coinspottechrem.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216564/; classtype:trojan-activity;sid:81079664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/protostar/js/1c.jpg"; http_uri; depth:30; isdataat:!1,relative; content:"pippel.nl"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216563/; classtype:trojan-activity;sid:81079663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.well-known/acme-challenge/1c.jpg"; http_uri; depth:34; isdataat:!1,relative; content:"ranime.org"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216562/; classtype:trojan-activity;sid:81079662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/templates/it_theshop2/html/com_content/article/1c.jpg"; http_uri; depth:54; isdataat:!1,relative; content:"informatique63.fr"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216561/; classtype:trojan-activity;sid:81079661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmon/pr2setupus.exe"; http_uri; depth:20; isdataat:!1,relative; content:"coinspottechrem.net"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216560/; classtype:trojan-activity;sid:81079660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/developer/languages/1c.jpg"; http_uri; depth:45; isdataat:!1,relative; content:"legato.gda.pl"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216559/; classtype:trojan-activity;sid:81079659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/newlife.exe"; http_uri; depth:12; isdataat:!1,relative; content:"185.29.11.113"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216558/; classtype:trojan-activity;sid:81079658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wkalk.exe"; http_uri; depth:10; isdataat:!1,relative; content:"wkalk.inf.ua"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216557/; classtype:trojan-activity;sid:81079657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bulkfont.bin"; http_uri; depth:13; isdataat:!1,relative; content:"89.22.103.139"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216556/; classtype:trojan-activity;sid:81079656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dj.exe"; http_uri; depth:7; isdataat:!1,relative; content:"light.gseveryitoverforbadin.uk"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216555/; classtype:trojan-activity;sid:81079655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/shipping_label.jar"; http_uri; depth:19; isdataat:!1,relative; content:"104.168.147.151"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216553/; classtype:trojan-activity;sid:81079653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"174.138.36.230"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216551/; classtype:trojan-activity;sid:81079651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.mips"; http_uri; depth:17; isdataat:!1,relative; content:"174.138.36.230"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216552/; classtype:trojan-activity;sid:81079652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm"; http_uri; depth:16; isdataat:!1,relative; content:"174.138.36.230"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216550/; classtype:trojan-activity;sid:81079650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"174.138.36.230"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216549/; classtype:trojan-activity;sid:81079649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"174.138.36.230"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216548/; classtype:trojan-activity;sid:81079648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"174.138.36.230"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216547/; classtype:trojan-activity;sid:81079647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/web/uploads/20190618/cb05f3de501e3ada9d5d0cfa8e10f7be.exe"; http_uri; depth:58; isdataat:!1,relative; content:"res.uf1.cn"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216546/; classtype:trojan-activity;sid:81079646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"174.138.36.230"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216545/; classtype:trojan-activity;sid:81079645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"174.138.36.230"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216544/; classtype:trojan-activity;sid:81079644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/dir/updating.doc"; http_uri; depth:52; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216543/; classtype:trojan-activity;sid:81079643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/dew.msi"; http_uri; depth:47; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216542/; classtype:trojan-activity;sid:81079642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razor/r4z0r.x86"; http_uri; depth:16; isdataat:!1,relative; content:"174.138.36.230"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216540/; classtype:trojan-activity;sid:81079640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/salient/includes/custom-widgets/1c.jpg"; http_uri; depth:57; isdataat:!1,relative; content:"m-media.nl"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216539/; classtype:trojan-activity;sid:81079639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unix/virus.zip"; http_uri; depth:15; isdataat:!1,relative; content:"val.bmstu.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216538/; classtype:trojan-activity;sid:81079638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/set.exe"; http_uri; depth:8; isdataat:!1,relative; content:"setseta.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216537/; classtype:trojan-activity;sid:81079637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/taskis.exe"; http_uri; depth:11; isdataat:!1,relative; content:"setseta.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216536/; classtype:trojan-activity;sid:81079636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fast.exe"; http_uri; depth:9; isdataat:!1,relative; content:"miningeth.site"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216535/; classtype:trojan-activity;sid:81079635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/chrome.hta"; http_uri; depth:11; isdataat:!1,relative; content:"amanihackz.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216534/; classtype:trojan-activity;sid:81079634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/checkupd.exe"; http_uri; depth:13; isdataat:!1,relative; content:"gcleaner.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216533/; classtype:trojan-activity;sid:81079633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/newrai.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"94.156.77.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216532/; classtype:trojan-activity;sid:81079632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.arm6"; http_uri; depth:16; isdataat:!1,relative; content:"209.141.34.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216530/; classtype:trojan-activity;sid:81079630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xxxfrxx88/index.html"; http_uri; depth:21; isdataat:!1,relative; content:"d17la500vzsvps.cloudfront.net"; http_host; depth:29; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216528/; classtype:trojan-activity;sid:81079628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/loader/bin.exe"; http_uri; depth:15; isdataat:!1,relative; content:"193.56.28.245"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216527/; classtype:trojan-activity;sid:81079627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/newrai.arm"; http_uri; depth:16; isdataat:!1,relative; content:"80.82.70.43"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216526/; classtype:trojan-activity;sid:81079626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/newrai.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"80.82.70.43"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216525/; classtype:trojan-activity;sid:81079625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"35.193.153.143"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216524/; classtype:trojan-activity;sid:81079624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/r34dis234dfs_signed.exe"; http_uri; depth:24; isdataat:!1,relative; content:"fdghdf344.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216523/; classtype:trojan-activity;sid:81079623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ffqi/tt_signed.exe"; http_uri; depth:19; isdataat:!1,relative; content:"34.68.116.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216522/; classtype:trojan-activity;sid:81079622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ffqi/tt2_signed.exe"; http_uri; depth:20; isdataat:!1,relative; content:"34.68.116.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216521/; classtype:trojan-activity;sid:81079621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ffqi/cry_signed.exe"; http_uri; depth:20; isdataat:!1,relative; content:"34.68.116.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216520/; classtype:trojan-activity;sid:81079620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hlnlcj.jpg"; http_uri; depth:11; isdataat:!1,relative; content:"comfy.moe"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216519/; classtype:trojan-activity;sid:81079619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ffqi/inv_signed.exe"; http_uri; depth:20; isdataat:!1,relative; content:"34.68.116.148"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216518/; classtype:trojan-activity;sid:81079618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/obs/fgff.exe"; http_uri; depth:13; isdataat:!1,relative; content:"spm-tnr.co.id"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216517/; classtype:trojan-activity;sid:81079617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vk.com.exe"; http_uri; depth:11; isdataat:!1,relative; content:"scoss.xyz"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216516/; classtype:trojan-activity;sid:81079616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bin_output2cdb700.exe"; http_uri; depth:22; isdataat:!1,relative; content:"babusrtop.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216515/; classtype:trojan-activity;sid:81079615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pie"; http_uri; depth:4; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216514/; classtype:trojan-activity;sid:81079614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/axe"; http_uri; depth:4; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216513/; classtype:trojan-activity;sid:81079613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/popper"; http_uri; depth:7; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216512/; classtype:trojan-activity;sid:81079612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"68.183.186.115"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216511/; classtype:trojan-activity;sid:81079611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tuan"; http_uri; depth:5; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216510/; classtype:trojan-activity;sid:81079610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/water"; http_uri; depth:6; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216509/; classtype:trojan-activity;sid:81079609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"68.183.186.115"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216508/; classtype:trojan-activity;sid:81079608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/grape"; http_uri; depth:6; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216507/; classtype:trojan-activity;sid:81079607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/berry"; http_uri; depth:6; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216506/; classtype:trojan-activity;sid:81079606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/roose"; http_uri; depth:6; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216505/; classtype:trojan-activity;sid:81079605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"68.183.186.115"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216504/; classtype:trojan-activity;sid:81079604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"68.183.186.115"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216503/; classtype:trojan-activity;sid:81079603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"68.183.186.115"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216502/; classtype:trojan-activity;sid:81079602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/syn"; http_uri; depth:4; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216501/; classtype:trojan-activity;sid:81079601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cax"; http_uri; depth:4; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216500/; classtype:trojan-activity;sid:81079600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ricky"; http_uri; depth:6; isdataat:!1,relative; content:"209.141.47.67"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216499/; classtype:trojan-activity;sid:81079599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"68.183.186.115"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216498/; classtype:trojan-activity;sid:81079598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"68.183.186.115"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216497/; classtype:trojan-activity;sid:81079597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"139.59.81.226"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216495/; classtype:trojan-activity;sid:81079595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216496/; classtype:trojan-activity;sid:81079596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216494/; classtype:trojan-activity;sid:81079594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"139.59.81.226"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216493/; classtype:trojan-activity;sid:81079593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216491/; classtype:trojan-activity;sid:81079591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216492/; classtype:trojan-activity;sid:81079592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216490/; classtype:trojan-activity;sid:81079590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216489/; classtype:trojan-activity;sid:81079589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"139.59.81.226"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216487/; classtype:trojan-activity;sid:81079587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216488/; classtype:trojan-activity;sid:81079588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216486/; classtype:trojan-activity;sid:81079586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"139.59.81.226"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216485/; classtype:trojan-activity;sid:81079585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"139.59.81.226"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216484/; classtype:trojan-activity;sid:81079584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fedex.doc"; http_uri; depth:10; isdataat:!1,relative; content:"www.fedexdocs.icu"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216483/; classtype:trojan-activity;sid:81079583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216482/; classtype:trojan-activity;sid:81079582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216481/; classtype:trojan-activity;sid:81079581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216480/; classtype:trojan-activity;sid:81079580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216479/; classtype:trojan-activity;sid:81079579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216478/; classtype:trojan-activity;sid:81079578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216477/; classtype:trojan-activity;sid:81079577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216476/; classtype:trojan-activity;sid:81079576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.mips"; http_uri; depth:17; isdataat:!1,relative; content:"139.59.81.226"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216475/; classtype:trojan-activity;sid:81079575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216474/; classtype:trojan-activity;sid:81079574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216473/; classtype:trojan-activity;sid:81079573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216472/; classtype:trojan-activity;sid:81079572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216471/; classtype:trojan-activity;sid:81079571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216470/; classtype:trojan-activity;sid:81079570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216469/; classtype:trojan-activity;sid:81079569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216468/; classtype:trojan-activity;sid:81079568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"139.59.81.226"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216467/; classtype:trojan-activity;sid:81079567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.x86"; http_uri; depth:16; isdataat:!1,relative; content:"139.59.81.226"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216465/; classtype:trojan-activity;sid:81079565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216466/; classtype:trojan-activity;sid:81079566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.mpsl"; http_uri; depth:17; isdataat:!1,relative; content:"139.59.81.226"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216464/; classtype:trojan-activity;sid:81079564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216463/; classtype:trojan-activity;sid:81079563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"165.22.31.143"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216462/; classtype:trojan-activity;sid:81079562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv4l"; http_uri; depth:7; isdataat:!1,relative; content:"178.128.81.105"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216461/; classtype:trojan-activity;sid:81079561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.mpsl"; http_uri; depth:23; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216459/; classtype:trojan-activity;sid:81079559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.spc"; http_uri; depth:22; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216460/; classtype:trojan-activity;sid:81079560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216458/; classtype:trojan-activity;sid:81079558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216455/; classtype:trojan-activity;sid:81079555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216456/; classtype:trojan-activity;sid:81079556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.spc"; http_uri; depth:10; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216457/; classtype:trojan-activity;sid:81079557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216452/; classtype:trojan-activity;sid:81079552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.mips"; http_uri; depth:11; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216453/; classtype:trojan-activity;sid:81079553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216454/; classtype:trojan-activity;sid:81079554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216450/; classtype:trojan-activity;sid:81079550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216451/; classtype:trojan-activity;sid:81079551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.arm"; http_uri; depth:10; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216449/; classtype:trojan-activity;sid:81079549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.x86"; http_uri; depth:10; isdataat:!1,relative; content:"46.101.177.73"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216448/; classtype:trojan-activity;sid:81079548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.sh4"; http_uri; depth:9; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216446/; classtype:trojan-activity;sid:81079546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.x86"; http_uri; depth:9; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216447/; classtype:trojan-activity;sid:81079547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.spc"; http_uri; depth:9; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216445/; classtype:trojan-activity;sid:81079545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.mpsl"; http_uri; depth:10; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216443/; classtype:trojan-activity;sid:81079543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.ppc"; http_uri; depth:9; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216444/; classtype:trojan-activity;sid:81079544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.mips64"; http_uri; depth:12; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216442/; classtype:trojan-activity;sid:81079542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.mips"; http_uri; depth:10; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216441/; classtype:trojan-activity;sid:81079541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.m68"; http_uri; depth:9; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216440/; classtype:trojan-activity;sid:81079540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.x86"; http_uri; depth:14; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216438/; classtype:trojan-activity;sid:81079538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.i686"; http_uri; depth:10; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216439/; classtype:trojan-activity;sid:81079539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216436/; classtype:trojan-activity;sid:81079536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.spc"; http_uri; depth:14; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216437/; classtype:trojan-activity;sid:81079537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.mpsl"; http_uri; depth:15; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216434/; classtype:trojan-activity;sid:81079534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216435/; classtype:trojan-activity;sid:81079535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.mips"; http_uri; depth:15; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216432/; classtype:trojan-activity;sid:81079532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.mips64"; http_uri; depth:17; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216433/; classtype:trojan-activity;sid:81079533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.arm8"; http_uri; depth:15; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216430/; classtype:trojan-activity;sid:81079530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.m68k"; http_uri; depth:15; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216431/; classtype:trojan-activity;sid:81079531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216428/; classtype:trojan-activity;sid:81079528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.arm6tl"; http_uri; depth:17; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216429/; classtype:trojan-activity;sid:81079529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.arm4tl"; http_uri; depth:17; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216426/; classtype:trojan-activity;sid:81079526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.arm5n"; http_uri; depth:16; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216427/; classtype:trojan-activity;sid:81079527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/all/ntpdd.arm"; http_uri; depth:14; isdataat:!1,relative; content:"35.246.234.121"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216425/; classtype:trojan-activity;sid:81079525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.ppc"; http_uri; depth:29; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216423/; classtype:trojan-activity;sid:81079523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.x86"; http_uri; depth:29; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216424/; classtype:trojan-activity;sid:81079524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.sh4"; http_uri; depth:29; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216421/; classtype:trojan-activity;sid:81079521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.spc"; http_uri; depth:29; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216422/; classtype:trojan-activity;sid:81079522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.m68k"; http_uri; depth:30; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216420/; classtype:trojan-activity;sid:81079520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.mpsl"; http_uri; depth:30; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216419/; classtype:trojan-activity;sid:81079519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.arm7"; http_uri; depth:30; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216417/; classtype:trojan-activity;sid:81079517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.mips"; http_uri; depth:30; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216418/; classtype:trojan-activity;sid:81079518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.arm"; http_uri; depth:29; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216414/; classtype:trojan-activity;sid:81079514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.arm5"; http_uri; depth:30; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216415/; classtype:trojan-activity;sid:81079515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/unstable_is_net_g0d/h4z3.arm6"; http_uri; depth:30; isdataat:!1,relative; content:"188.166.93.193"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216416/; classtype:trojan-activity;sid:81079516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/site/wp-admin/chrome.bin"; http_uri; depth:25; isdataat:!1,relative; content:"carmelavalles.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216413/; classtype:trojan-activity;sid:81079513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.arm7"; http_uri; depth:10; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216412/; classtype:trojan-activity;sid:81079512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.arm6"; http_uri; depth:10; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216411/; classtype:trojan-activity;sid:81079511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.arm4t"; http_uri; depth:11; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216409/; classtype:trojan-activity;sid:81079509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.arm5"; http_uri; depth:10; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216410/; classtype:trojan-activity;sid:81079510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bunz.arm4"; http_uri; depth:10; isdataat:!1,relative; content:"46.183.218.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216408/; classtype:trojan-activity;sid:81079508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.x86"; http_uri; depth:14; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216406/; classtype:trojan-activity;sid:81079506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.x86_64"; http_uri; depth:17; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216407/; classtype:trojan-activity;sid:81079507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216404/; classtype:trojan-activity;sid:81079504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216405/; classtype:trojan-activity;sid:81079505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.mips"; http_uri; depth:15; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216400/; classtype:trojan-activity;sid:81079500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.mpsl"; http_uri; depth:15; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216401/; classtype:trojan-activity;sid:81079501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.sparc"; http_uri; depth:16; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216403/; classtype:trojan-activity;sid:81079503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.spc"; http_uri; depth:14; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216402/; classtype:trojan-activity;sid:81079502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.m68k"; http_uri; depth:15; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216399/; classtype:trojan-activity;sid:81079499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216396/; classtype:trojan-activity;sid:81079496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.i486"; http_uri; depth:15; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216398/; classtype:trojan-activity;sid:81079498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.i686"; http_uri; depth:15; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216397/; classtype:trojan-activity;sid:81079497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.arm"; http_uri; depth:14; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216393/; classtype:trojan-activity;sid:81079493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.arm5"; http_uri; depth:15; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216394/; classtype:trojan-activity;sid:81079494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/33bi/ares.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"137.74.218.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216395/; classtype:trojan-activity;sid:81079495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/w/kkknng"; http_uri; depth:9; isdataat:!1,relative; content:"5.56.133.137"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216392/; classtype:trojan-activity;sid:81079492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/user-id-1003400-invoice.doc"; http_uri; depth:28; isdataat:!1,relative; content:"compute-1.azurewebsites.net"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216391/; classtype:trojan-activity;sid:81079491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.sh4"; http_uri; depth:10; isdataat:!1,relative; content:"104.168.151.135"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216390/; classtype:trojan-activity;sid:81079490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"104.168.151.135"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216389/; classtype:trojan-activity;sid:81079489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.spc"; http_uri; depth:10; isdataat:!1,relative; content:"104.168.151.135"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216388/; classtype:trojan-activity;sid:81079488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"104.168.151.135"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216387/; classtype:trojan-activity;sid:81079487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.mips"; http_uri; depth:11; isdataat:!1,relative; content:"104.168.151.135"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216386/; classtype:trojan-activity;sid:81079486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"104.168.151.135"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216385/; classtype:trojan-activity;sid:81079485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/miori.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"104.168.151.135"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216384/; classtype:trojan-activity;sid:81079484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.ppc"; http_uri; depth:15; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216383/; classtype:trojan-activity;sid:81079483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.spc"; http_uri; depth:15; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216382/; classtype:trojan-activity;sid:81079482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.sh4"; http_uri; depth:15; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216381/; classtype:trojan-activity;sid:81079481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.mpsl"; http_uri; depth:16; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216380/; classtype:trojan-activity;sid:81079480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.mips"; http_uri; depth:16; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216379/; classtype:trojan-activity;sid:81079479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.m68k"; http_uri; depth:16; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216378/; classtype:trojan-activity;sid:81079478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.arm7"; http_uri; depth:16; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216377/; classtype:trojan-activity;sid:81079477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.arm6"; http_uri; depth:16; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216376/; classtype:trojan-activity;sid:81079476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.arm5"; http_uri; depth:16; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216375/; classtype:trojan-activity;sid:81079475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.arm"; http_uri; depth:15; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216374/; classtype:trojan-activity;sid:81079474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.arm7"; http_uri; depth:16; isdataat:!1,relative; content:"209.141.34.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216373/; classtype:trojan-activity;sid:81079473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.m68k"; http_uri; depth:16; isdataat:!1,relative; content:"209.141.34.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216372/; classtype:trojan-activity;sid:81079472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.ppc"; http_uri; depth:15; isdataat:!1,relative; content:"209.141.34.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216371/; classtype:trojan-activity;sid:81079471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/newrai.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"94.156.77.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216370/; classtype:trojan-activity;sid:81079470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/newrai.mips"; http_uri; depth:17; isdataat:!1,relative; content:"94.156.77.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216369/; classtype:trojan-activity;sid:81079469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/newrai.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"94.156.77.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216368/; classtype:trojan-activity;sid:81079468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.arm"; http_uri; depth:15; isdataat:!1,relative; content:"209.141.34.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216367/; classtype:trojan-activity;sid:81079467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.arm5"; http_uri; depth:16; isdataat:!1,relative; content:"209.141.34.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216366/; classtype:trojan-activity;sid:81079466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.sh4"; http_uri; depth:15; isdataat:!1,relative; content:"209.141.34.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216365/; classtype:trojan-activity;sid:81079465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/newrai.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"94.156.77.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216364/; classtype:trojan-activity;sid:81079464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.mips"; http_uri; depth:16; isdataat:!1,relative; content:"209.141.34.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216362/; classtype:trojan-activity;sid:81079462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sdasd3f"; http_uri; depth:8; isdataat:!1,relative; content:"125.77.30.31"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216361/; classtype:trojan-activity;sid:81079461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hilix.x86"; http_uri; depth:15; isdataat:!1,relative; content:"209.141.34.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216360/; classtype:trojan-activity;sid:81079460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2linux64w"; http_uri; depth:10; isdataat:!1,relative; content:"125.77.30.31"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216359/; classtype:trojan-activity;sid:81079459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/newrai.arm"; http_uri; depth:16; isdataat:!1,relative; content:"94.156.77.167"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216357/; classtype:trojan-activity;sid:81079457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/web/uploads/20190618/26a84232904de9d74f5f5a31e47ba264.exe"; http_uri; depth:58; isdataat:!1,relative; content:"res.uf1.cn"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216356/; classtype:trojan-activity;sid:81079456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2019/07/webdirect.phplink=l94bhs"; http_uri; depth:52; isdataat:!1,relative; content:"inter.payap.ac.th"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216355/; classtype:trojan-activity;sid:81079455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"104.37.188.58"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216354/; classtype:trojan-activity;sid:81079454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"66.23.233.179"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216353/; classtype:trojan-activity;sid:81079453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"159.203.17.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216352/; classtype:trojan-activity;sid:81079452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"104.37.188.58"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216350/; classtype:trojan-activity;sid:81079450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"66.23.233.179"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216351/; classtype:trojan-activity;sid:81079451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.mips"; http_uri; depth:17; isdataat:!1,relative; content:"104.37.188.58"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216349/; classtype:trojan-activity;sid:81079449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.m68k"; http_uri; depth:23; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216347/; classtype:trojan-activity;sid:81079447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.mips"; http_uri; depth:17; isdataat:!1,relative; content:"66.23.233.179"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216348/; classtype:trojan-activity;sid:81079448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.arm7"; http_uri; depth:23; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216345/; classtype:trojan-activity;sid:81079445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.ppc"; http_uri; depth:22; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216346/; classtype:trojan-activity;sid:81079446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"104.37.188.58"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216344/; classtype:trojan-activity;sid:81079444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"66.23.233.179"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216343/; classtype:trojan-activity;sid:81079443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"104.37.188.58"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216342/; classtype:trojan-activity;sid:81079442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"66.23.233.179"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216341/; classtype:trojan-activity;sid:81079441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"104.37.188.58"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216340/; classtype:trojan-activity;sid:81079440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm"; http_uri; depth:16; isdataat:!1,relative; content:"104.37.188.58"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216339/; classtype:trojan-activity;sid:81079439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm"; http_uri; depth:16; isdataat:!1,relative; content:"66.23.233.179"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216338/; classtype:trojan-activity;sid:81079438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"159.203.17.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216337/; classtype:trojan-activity;sid:81079437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"104.37.188.58"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216336/; classtype:trojan-activity;sid:81079436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"66.23.233.179"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216335/; classtype:trojan-activity;sid:81079435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.x86"; http_uri; depth:22; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216333/; classtype:trojan-activity;sid:81079433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"66.23.233.179"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216334/; classtype:trojan-activity;sid:81079434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.mips"; http_uri; depth:23; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216331/; classtype:trojan-activity;sid:81079431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.sh4"; http_uri; depth:22; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216332/; classtype:trojan-activity;sid:81079432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.arm5"; http_uri; depth:23; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216330/; classtype:trojan-activity;sid:81079430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wd/wed.exe"; http_uri; depth:11; isdataat:!1,relative; content:"epac-agent.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216328/; classtype:trojan-activity;sid:81079428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"218.52.230.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216327/; classtype:trojan-activity;sid:81079427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2linuxx64w"; http_uri; depth:11; isdataat:!1,relative; content:"125.77.30.31"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216326/; classtype:trojan-activity;sid:81079426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.arm6"; http_uri; depth:23; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216325/; classtype:trojan-activity;sid:81079425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.x86"; http_uri; depth:16; isdataat:!1,relative; content:"104.37.188.58"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216324/; classtype:trojan-activity;sid:81079424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.x86"; http_uri; depth:16; isdataat:!1,relative; content:"159.203.17.139"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216323/; classtype:trojan-activity;sid:81079423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zehir/z3hir.x86"; http_uri; depth:16; isdataat:!1,relative; content:"66.23.233.179"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216322/; classtype:trojan-activity;sid:81079422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/kowai.x86"; http_uri; depth:15; isdataat:!1,relative; content:"142.11.240.29"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216321/; classtype:trojan-activity;sid:81079421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ruthless1337.arm"; http_uri; depth:22; isdataat:!1,relative; content:"137.74.154.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216320/; classtype:trojan-activity;sid:81079420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/nnn.msi"; http_uri; depth:47; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216319/; classtype:trojan-activity;sid:81079419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/new.msi"; http_uri; depth:47; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216318/; classtype:trojan-activity;sid:81079418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/now.msi"; http_uri; depth:47; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216317/; classtype:trojan-activity;sid:81079417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/rev.msi"; http_uri; depth:47; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216316/; classtype:trojan-activity;sid:81079416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/stub.msi"; http_uri; depth:48; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216314/; classtype:trojan-activity;sid:81079414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/msword.doc"; http_uri; depth:50; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216313/; classtype:trojan-activity;sid:81079413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/gorwxf.msi"; http_uri; depth:50; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216311/; classtype:trojan-activity;sid:81079411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/revenge.msi"; http_uri; depth:51; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216310/; classtype:trojan-activity;sid:81079410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/rr.msi"; http_uri; depth:46; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216307/; classtype:trojan-activity;sid:81079407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/axxon.msi"; http_uri; depth:49; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216299/; classtype:trojan-activity;sid:81079399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/25.exe"; http_uri; depth:7; isdataat:!1,relative; content:"104.203.92.254"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216298/; classtype:trojan-activity;sid:81079398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xmrig"; http_uri; depth:6; isdataat:!1,relative; content:"104.203.92.254"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216297/; classtype:trojan-activity;sid:81079397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/25.hta"; http_uri; depth:7; isdataat:!1,relative; content:"104.203.92.254"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_11; reference:url, urlhaus.abuse.ch/url/216295/; classtype:trojan-activity;sid:81079395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/files1/invoice%20300495%20from%20epac%20transport.doc"; http_uri; depth:54; isdataat:!1,relative; content:"epac-agent.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216293/; classtype:trojan-activity;sid:81079393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.x86"; http_uri; depth:16; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216292/; classtype:trojan-activity;sid:81079392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.mips"; http_uri; depth:17; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216291/; classtype:trojan-activity;sid:81079391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216290/; classtype:trojan-activity;sid:81079390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv4l"; http_uri; depth:19; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216289/; classtype:trojan-activity;sid:81079389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv6l"; http_uri; depth:19; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216288/; classtype:trojan-activity;sid:81079388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.i686"; http_uri; depth:17; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216287/; classtype:trojan-activity;sid:81079387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.mipsel"; http_uri; depth:19; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216286/; classtype:trojan-activity;sid:81079386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv5l"; http_uri; depth:19; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216284/; classtype:trojan-activity;sid:81079384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.powerpc"; http_uri; depth:20; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216285/; classtype:trojan-activity;sid:81079385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.armv7l"; http_uri; depth:19; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216282/; classtype:trojan-activity;sid:81079382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.sparc"; http_uri; depth:18; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216283/; classtype:trojan-activity;sid:81079383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.i586"; http_uri; depth:17; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216281/; classtype:trojan-activity;sid:81079381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orbitclient.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"134.209.197.1"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216280/; classtype:trojan-activity;sid:81079380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ai.arm5"; http_uri; depth:8; isdataat:!1,relative; content:"185.244.25.242"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216279/; classtype:trojan-activity;sid:81079379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ai.x86"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.242"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216278/; classtype:trojan-activity;sid:81079378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ai.arm7"; http_uri; depth:8; isdataat:!1,relative; content:"185.244.25.242"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216277/; classtype:trojan-activity;sid:81079377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ai.arm4"; http_uri; depth:8; isdataat:!1,relative; content:"185.244.25.242"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216276/; classtype:trojan-activity;sid:81079376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ai.arm6"; http_uri; depth:8; isdataat:!1,relative; content:"185.244.25.242"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216275/; classtype:trojan-activity;sid:81079375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a2nwstd345dfg_signed.exe"; http_uri; depth:25; isdataat:!1,relative; content:"fdghdf344.ru"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216274/; classtype:trojan-activity;sid:81079374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fastaide_1155.exe"; http_uri; depth:18; isdataat:!1,relative; content:"down.ecepmotor.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216273/; classtype:trojan-activity;sid:81079373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/f/keygen.exe"; http_uri; depth:13; isdataat:!1,relative; content:"anonymousfiles.io"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216272/; classtype:trojan-activity;sid:81079372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/f/doc.exe"; http_uri; depth:10; isdataat:!1,relative; content:"anonymousfiles.io"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216270/; classtype:trojan-activity;sid:81079370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/f/text.exe"; http_uri; depth:11; isdataat:!1,relative; content:"anonymousfiles.io"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216269/; classtype:trojan-activity;sid:81079369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc.msi"; http_uri; depth:7; isdataat:!1,relative; content:"compute-1.azurewebsites.net"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216268/; classtype:trojan-activity;sid:81079368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc.doc"; http_uri; depth:7; isdataat:!1,relative; content:"compute-1.azurewebsites.net"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216267/; classtype:trojan-activity;sid:81079367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tt.jpg"; http_uri; depth:7; isdataat:!1,relative; content:"ec2-3-83-64-249.azurewebsites.net"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216266/; classtype:trojan-activity;sid:81079366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/asdf3234"; http_uri; depth:9; isdataat:!1,relative; content:"125.77.30.31"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216265/; classtype:trojan-activity;sid:81079365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/issopronto.jpg"; http_uri; depth:15; isdataat:!1,relative; content:"18.188.78.96"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216264/; classtype:trojan-activity;sid:81079364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/extrato_online_instalador.exe"; http_uri; depth:30; isdataat:!1,relative; content:"lojasvisao.com.br"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216263/; classtype:trojan-activity;sid:81079363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tross/gout.exe"; http_uri; depth:15; isdataat:!1,relative; content:"husscros.5gbfree.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216262/; classtype:trojan-activity;sid:81079362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windsi354hfg_signed.exe"; http_uri; depth:24; isdataat:!1,relative; content:"jdsflkjh.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216261/; classtype:trojan-activity;sid:81079361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a2nw235sdasddfg456_signed.exe"; http_uri; depth:30; isdataat:!1,relative; content:"jdsflkjh.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216260/; classtype:trojan-activity;sid:81079360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tfile.exe"; http_uri; depth:10; isdataat:!1,relative; content:"192.210.146.101"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216259/; classtype:trojan-activity;sid:81079359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/chance/changer.exe"; http_uri; depth:19; isdataat:!1,relative; content:"btik.web.id"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216257/; classtype:trojan-activity;sid:81079357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/novzya.msi"; http_uri; depth:50; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216256/; classtype:trojan-activity;sid:81079356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/upjnyh.msi"; http_uri; depth:50; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216255/; classtype:trojan-activity;sid:81079355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"120.55.76.1"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216254/; classtype:trojan-activity;sid:81079354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm4"; http_uri; depth:12; isdataat:!1,relative; content:"120.55.76.1"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216253/; classtype:trojan-activity;sid:81079353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/js_composer/assets/js/lib/vc-pointers/vc-pointers-controller.exe"; http_uri; depth:84; isdataat:!1,relative; content:"angletsurf.org"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216252/; classtype:trojan-activity;sid:81079352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/azz35.jpg"; http_uri; depth:10; isdataat:!1,relative; content:"xorbr.s3.amazonaws.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216251/; classtype:trojan-activity;sid:81079351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/2.exe"; http_uri; depth:6; isdataat:!1,relative; content:"thaus.to"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216250/; classtype:trojan-activity;sid:81079350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1.exe"; http_uri; depth:6; isdataat:!1,relative; content:"thaus.to"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216249/; classtype:trojan-activity;sid:81079349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/partiya/malashop.exe"; http_uri; depth:21; isdataat:!1,relative; content:"productinerserveceamer.ru"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216248/; classtype:trojan-activity;sid:81079348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/skype/build.exe"; http_uri; depth:16; isdataat:!1,relative; content:"doosian.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216247/; classtype:trojan-activity;sid:81079347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/skype/build2.doc"; http_uri; depth:17; isdataat:!1,relative; content:"doosian.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216246/; classtype:trojan-activity;sid:81079346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1.exe"; http_uri; depth:6; isdataat:!1,relative; content:"160.19.49.99"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216245/; classtype:trojan-activity;sid:81079345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/requests/cookie/purchase%20order.iso"; http_uri; depth:49; isdataat:!1,relative; content:"www.sfoodfeedf.org"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216244/; classtype:trojan-activity;sid:81079344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/requests/cookie/20190703155754.iso"; http_uri; depth:47; isdataat:!1,relative; content:"www.sfoodfeedf.org"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216243/; classtype:trojan-activity;sid:81079343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/order1.exe"; http_uri; depth:11; isdataat:!1,relative; content:"shopcrowdfund.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216242/; classtype:trojan-activity;sid:81079342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/p755jyrfw"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216241/; classtype:trojan-activity;sid:81079341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/5gx7majxf"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216240/; classtype:trojan-activity;sid:81079340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/6fibsfxun"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216239/; classtype:trojan-activity;sid:81079339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qxxlp4uz4"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216238/; classtype:trojan-activity;sid:81079338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/uort32gk4"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216237/; classtype:trojan-activity;sid:81079337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8jj6t9swg"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216236/; classtype:trojan-activity;sid:81079336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/0pa6mzvje"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216235/; classtype:trojan-activity;sid:81079335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/4zg5zxod5"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216234/; classtype:trojan-activity;sid:81079334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xxsfdcgsh"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216233/; classtype:trojan-activity;sid:81079333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dcsgdkekk"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216232/; classtype:trojan-activity;sid:81079332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/7mqmtin3a"; http_uri; depth:10; isdataat:!1,relative; content:"66.172.33.195"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216231/; classtype:trojan-activity;sid:81079331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/bin/_temp/jojo.exe"; http_uri; depth:26; isdataat:!1,relative; content:"makewrite.in"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216230/; classtype:trojan-activity;sid:81079330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/os/la/osi.exe"; http_uri; depth:14; isdataat:!1,relative; content:"kamnaexim.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216229/; classtype:trojan-activity;sid:81079329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/benu222.exe"; http_uri; depth:18; isdataat:!1,relative; content:"lutfulgroup.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216228/; classtype:trojan-activity;sid:81079328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/99/2578761"; http_uri; depth:11; isdataat:!1,relative; content:"5.56.133.137"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216226/; classtype:trojan-activity;sid:81079326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"185.244.25.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216225/; classtype:trojan-activity;sid:81079325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216224/; classtype:trojan-activity;sid:81079324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"185.244.25.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216223/; classtype:trojan-activity;sid:81079323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"178.128.91.253"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216221/; classtype:trojan-activity;sid:81079321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216222/; classtype:trojan-activity;sid:81079322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.i686"; http_uri; depth:12; isdataat:!1,relative; content:"146.71.76.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216220/; classtype:trojan-activity;sid:81079320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tftp"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.91.253"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216219/; classtype:trojan-activity;sid:81079319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftp"; http_uri; depth:4; isdataat:!1,relative; content:"178.128.91.253"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216218/; classtype:trojan-activity;sid:81079318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216217/; classtype:trojan-activity;sid:81079317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.armv5l"; http_uri; depth:14; isdataat:!1,relative; content:"146.71.76.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216216/; classtype:trojan-activity;sid:81079316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"146.71.76.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216215/; classtype:trojan-activity;sid:81079315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.91.253"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216214/; classtype:trojan-activity;sid:81079314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"185.244.25.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216213/; classtype:trojan-activity;sid:81079313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pe7.jpg"; http_uri; depth:8; isdataat:!1,relative; content:"xorbr.s3.amazonaws.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216212/; classtype:trojan-activity;sid:81079312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pe10.jpg"; http_uri; depth:9; isdataat:!1,relative; content:"xorbr.s3.amazonaws.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216211/; classtype:trojan-activity;sid:81079311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/video-neymar-y-narjila.zip"; http_uri; depth:27; isdataat:!1,relative; content:"xorbr.s3.amazonaws.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216210/; classtype:trojan-activity;sid:81079310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documentosmay0201917.zip"; http_uri; depth:25; isdataat:!1,relative; content:"xorbr.s3.amazonaws.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216208/; classtype:trojan-activity;sid:81079308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documentosmay0201910.zip"; http_uri; depth:25; isdataat:!1,relative; content:"xorbr.s3.amazonaws.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216207/; classtype:trojan-activity;sid:81079307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/debitos-junho2019.zip"; http_uri; depth:22; isdataat:!1,relative; content:"xorbr.s3.amazonaws.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216206/; classtype:trojan-activity;sid:81079306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/azz40.jpg"; http_uri; depth:10; isdataat:!1,relative; content:"xorbr.s3.amazonaws.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216205/; classtype:trojan-activity;sid:81079305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/az235.jpg"; http_uri; depth:10; isdataat:!1,relative; content:"xorbr.s3.amazonaws.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216204/; classtype:trojan-activity;sid:81079304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"185.244.25.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216203/; classtype:trojan-activity;sid:81079303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.mips"; http_uri; depth:12; isdataat:!1,relative; content:"146.71.76.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216202/; classtype:trojan-activity;sid:81079302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.sparc"; http_uri; depth:13; isdataat:!1,relative; content:"146.71.76.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216201/; classtype:trojan-activity;sid:81079301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.armv6l"; http_uri; depth:14; isdataat:!1,relative; content:"146.71.76.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216200/; classtype:trojan-activity;sid:81079300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.91.253"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216199/; classtype:trojan-activity;sid:81079299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"178.128.91.253"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216198/; classtype:trojan-activity;sid:81079298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntpd"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.91.253"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216197/; classtype:trojan-activity;sid:81079297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"178.128.91.253"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216196/; classtype:trojan-activity;sid:81079296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.arm7"; http_uri; depth:12; isdataat:!1,relative; content:"146.71.76.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216195/; classtype:trojan-activity;sid:81079295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"185.244.25.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216194/; classtype:trojan-activity;sid:81079294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/corona.i586"; http_uri; depth:12; isdataat:!1,relative; content:"146.71.76.136"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216193/; classtype:trojan-activity;sid:81079293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"185.244.25.75"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216192/; classtype:trojan-activity;sid:81079292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/az240.jpg"; http_uri; depth:10; isdataat:!1,relative; content:"xorbr.s3.amazonaws.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216191/; classtype:trojan-activity;sid:81079291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/bin/_temp/apos.exe"; http_uri; depth:26; isdataat:!1,relative; content:"makewrite.in"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216190/; classtype:trojan-activity;sid:81079290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/purchase%20contract.ace"; http_uri; depth:24; isdataat:!1,relative; content:"kpeheraj.me"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216189/; classtype:trojan-activity;sid:81079289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/quotation.ace"; http_uri; depth:14; isdataat:!1,relative; content:"pargan.me"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216188/; classtype:trojan-activity;sid:81079288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/bin/_temp/emma.exe"; http_uri; depth:26; isdataat:!1,relative; content:"makewrite.in"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216187/; classtype:trojan-activity;sid:81079287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vandyke.zip"; http_uri; depth:12; isdataat:!1,relative; content:"habi7tit.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216186/; classtype:trojan-activity;sid:81079286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vandyke.exe"; http_uri; depth:12; isdataat:!1,relative; content:"habi7tit.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216185/; classtype:trojan-activity;sid:81079285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yuaninv.zip"; http_uri; depth:12; isdataat:!1,relative; content:"habi7tit.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216184/; classtype:trojan-activity;sid:81079284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bin_outputbdbe72f.exe"; http_uri; depth:22; isdataat:!1,relative; content:"babusrtop.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216183/; classtype:trojan-activity;sid:81079283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/kav/0bvtikr.png"; http_uri; depth:27; isdataat:!1,relative; content:"nanodivulga.ufn.edu.br"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216182/; classtype:trojan-activity;sid:81079282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/output.fdg"; http_uri; depth:11; isdataat:!1,relative; content:"canadabestonline.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216181/; classtype:trojan-activity;sid:81079281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/frd1.exe"; http_uri; depth:9; isdataat:!1,relative; content:"zerodaywwsxwissdfdsfssecccseersscsdfsdfs.duckdns.org"; http_host; depth:52; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216178/; classtype:trojan-activity;sid:81079278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/frd2.exe"; http_uri; depth:9; isdataat:!1,relative; content:"zerodaywwsxwissdfdsfssecccseersscsdfsdfs.duckdns.org"; http_host; depth:52; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216179/; classtype:trojan-activity;sid:81079279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/frd3.exe"; http_uri; depth:9; isdataat:!1,relative; content:"zerodaywwsxwissdfdsfssecccseersscsdfsdfs.duckdns.org"; http_host; depth:52; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216180/; classtype:trojan-activity;sid:81079280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/saint.exe"; http_uri; depth:10; isdataat:!1,relative; content:"zerodaywwsxwissdfdsfssecccseersscsdfsdfs.duckdns.org"; http_host; depth:52; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216177/; classtype:trojan-activity;sid:81079277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ctqcza.jpg"; http_uri; depth:11; isdataat:!1,relative; content:"files-1.coka.la"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216176/; classtype:trojan-activity;sid:81079276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/user/trans/eft/paymentdetails0348.ps1"; http_uri; depth:44; isdataat:!1,relative; content:"domyclassessays.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216175/; classtype:trojan-activity;sid:81079275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/user/trans/eft/remittancedetails.ps1"; http_uri; depth:43; isdataat:!1,relative; content:"domyclassessays.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216174/; classtype:trojan-activity;sid:81079274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linuxtf"; http_uri; depth:8; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216173/; classtype:trojan-activity;sid:81079273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipslinuxtf"; http_uri; depth:12; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216172/; classtype:trojan-activity;sid:81079272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/svcyr.exe"; http_uri; depth:10; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216171/; classtype:trojan-activity;sid:81079271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linux-a1"; http_uri; depth:9; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216170/; classtype:trojan-activity;sid:81079270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linux2.6"; http_uri; depth:9; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216169/; classtype:trojan-activity;sid:81079269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/im1433.exe"; http_uri; depth:11; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216168/; classtype:trojan-activity;sid:81079268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/im.exe"; http_uri; depth:7; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216167/; classtype:trojan-activity;sid:81079267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ccavcav"; http_uri; depth:8; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216166/; classtype:trojan-activity;sid:81079266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/arm4linuxtf"; http_uri; depth:12; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216165/; classtype:trojan-activity;sid:81079265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/92001.rar"; http_uri; depth:10; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216164/; classtype:trojan-activity;sid:81079264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/9200.rar"; http_uri; depth:9; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216163/; classtype:trojan-activity;sid:81079263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/60001arm6"; http_uri; depth:10; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216162/; classtype:trojan-activity;sid:81079262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/60001.rar"; http_uri; depth:10; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216161/; classtype:trojan-activity;sid:81079261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3306.exe"; http_uri; depth:9; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216160/; classtype:trojan-activity;sid:81079260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3306"; http_uri; depth:5; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216159/; classtype:trojan-activity;sid:81079259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1.exe"; http_uri; depth:6; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216158/; classtype:trojan-activity;sid:81079258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/%e5%85%a5%e8%81%8c%e5%bc%95%e8%8d%90.zip"; http_uri; depth:41; isdataat:!1,relative; content:"habi7tit.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216157/; classtype:trojan-activity;sid:81079257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yuaninv.exe"; http_uri; depth:12; isdataat:!1,relative; content:"habi7tit.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216156/; classtype:trojan-activity;sid:81079256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/newvirus.exe"; http_uri; depth:13; isdataat:!1,relative; content:"pegionshamza.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216155/; classtype:trojan-activity;sid:81079255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/%e5%85%a5%e8%81%8c%e5%bc%95%e8%8d%90.exe"; http_uri; depth:41; isdataat:!1,relative; content:"habi7tit.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216153/; classtype:trojan-activity;sid:81079253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ntpd"; http_uri; depth:5; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216152/; classtype:trojan-activity;sid:81079252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216151/; classtype:trojan-activity;sid:81079251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216149/; classtype:trojan-activity;sid:81079249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tftp"; http_uri; depth:5; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216150/; classtype:trojan-activity;sid:81079250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216148/; classtype:trojan-activity;sid:81079248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apache2"; http_uri; depth:8; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216146/; classtype:trojan-activity;sid:81079246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216147/; classtype:trojan-activity;sid:81079247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216145/; classtype:trojan-activity;sid:81079245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216144/; classtype:trojan-activity;sid:81079244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ftp"; http_uri; depth:4; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216142/; classtype:trojan-activity;sid:81079242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wget"; http_uri; depth:5; isdataat:!1,relative; content:"87.120.254.160"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216141/; classtype:trojan-activity;sid:81079241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.ppc"; http_uri; depth:11; isdataat:!1,relative; content:"120.55.76.1"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216140/; classtype:trojan-activity;sid:81079240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.i586"; http_uri; depth:12; isdataat:!1,relative; content:"120.55.76.1"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216139/; classtype:trojan-activity;sid:81079239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/12.exe"; http_uri; depth:7; isdataat:!1,relative; content:"ca.monerov10.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216138/; classtype:trojan-activity;sid:81079238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/twentyfifteen/css/1c.jpg"; http_uri; depth:43; isdataat:!1,relative; content:"wegl.net"; http_host; depth:8; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216137/; classtype:trojan-activity;sid:81079237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/downloads/updates/autorun.exe"; http_uri; depth:30; isdataat:!1,relative; content:"lotos136.ru"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216135/; classtype:trojan-activity;sid:81079235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/1c.jpg"; http_uri; depth:36; isdataat:!1,relative; content:"www.autourdedjango.fr"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216134/; classtype:trojan-activity;sid:81079234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1"; http_uri; depth:2; isdataat:!1,relative; content:"103.246.218.189"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216133/; classtype:trojan-activity;sid:81079233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wk.exe"; http_uri; depth:7; isdataat:!1,relative; content:"103.246.218.189"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216131/; classtype:trojan-activity;sid:81079231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/9200mips"; http_uri; depth:9; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216130/; classtype:trojan-activity;sid:81079230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1"; http_uri; depth:2; isdataat:!1,relative; content:"103.246.218.247"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216129/; classtype:trojan-activity;sid:81079229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/9200arm6"; http_uri; depth:9; isdataat:!1,relative; content:"103.76.87.94"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216128/; classtype:trojan-activity;sid:81079228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/1.exe"; http_uri; depth:6; isdataat:!1,relative; content:"103.246.218.247"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216126/; classtype:trojan-activity;sid:81079226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/9.exe"; http_uri; depth:6; isdataat:!1,relative; content:"103.246.218.247"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216125/; classtype:trojan-activity;sid:81079225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/8.exe"; http_uri; depth:6; isdataat:!1,relative; content:"103.246.218.247"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216124/; classtype:trojan-activity;sid:81079224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/7.exe"; http_uri; depth:6; isdataat:!1,relative; content:"103.246.218.247"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216123/; classtype:trojan-activity;sid:81079223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/6.exe"; http_uri; depth:6; isdataat:!1,relative; content:"103.246.218.247"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216122/; classtype:trojan-activity;sid:81079222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/5.exe"; http_uri; depth:6; isdataat:!1,relative; content:"103.246.218.247"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216121/; classtype:trojan-activity;sid:81079221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/4.exe"; http_uri; depth:6; isdataat:!1,relative; content:"103.246.218.247"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216120/; classtype:trojan-activity;sid:81079220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3.exe"; http_uri; depth:6; isdataat:!1,relative; content:"103.246.218.247"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216119/; classtype:trojan-activity;sid:81079219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/0.exe"; http_uri; depth:6; isdataat:!1,relative; content:"103.246.218.247"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_10; reference:url, urlhaus.abuse.ch/url/216117/; classtype:trojan-activity;sid:81079217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/update.doc"; http_uri; depth:50; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216115/; classtype:trojan-activity;sid:81079215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/myshit.exe"; http_uri; depth:11; isdataat:!1,relative; content:"febsms.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216114/; classtype:trojan-activity;sid:81079214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/winexplorer.exe"; http_uri; depth:16; isdataat:!1,relative; content:"febsms.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216113/; classtype:trojan-activity;sid:81079213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/client.exe"; http_uri; depth:50; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216112/; classtype:trojan-activity;sid:81079212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/administrator/backups/1c.jpg"; http_uri; depth:29; isdataat:!1,relative; content:"efectiva.pl"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216111/; classtype:trojan-activity;sid:81079211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/2015/apps.exe"; http_uri; depth:33; isdataat:!1,relative; content:"faith-artist.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216109/; classtype:trojan-activity;sid:81079209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/app/updates.doc"; http_uri; depth:51; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216108/; classtype:trojan-activity;sid:81079208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/logs/newsletter/1c.jpg"; http_uri; depth:34; isdataat:!1,relative; content:"ariseint.org"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216106/; classtype:trojan-activity;sid:81079206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/languages/plugins/1c.jpg"; http_uri; depth:36; isdataat:!1,relative; content:"autourdedjango.fr"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216104/; classtype:trojan-activity;sid:81079204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-includes/id3/1c.jpg"; http_uri; depth:23; isdataat:!1,relative; content:"cipdi.org"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216103/; classtype:trojan-activity;sid:81079203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.sh4"; http_uri; depth:21; isdataat:!1,relative; content:"185.170.210.67"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216102/; classtype:trojan-activity;sid:81079202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm6"; http_uri; depth:22; isdataat:!1,relative; content:"185.170.210.67"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216101/; classtype:trojan-activity;sid:81079201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.ppc"; http_uri; depth:21; isdataat:!1,relative; content:"185.170.210.67"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216100/; classtype:trojan-activity;sid:81079200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.184.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216099/; classtype:trojan-activity;sid:81079199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm"; http_uri; depth:21; isdataat:!1,relative; content:"185.170.210.67"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216097/; classtype:trojan-activity;sid:81079197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.mips"; http_uri; depth:22; isdataat:!1,relative; content:"185.170.210.67"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216098/; classtype:trojan-activity;sid:81079198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.mips"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.184.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216096/; classtype:trojan-activity;sid:81079196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.184.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216095/; classtype:trojan-activity;sid:81079195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.m68k"; http_uri; depth:22; isdataat:!1,relative; content:"185.170.210.67"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216094/; classtype:trojan-activity;sid:81079194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm7"; http_uri; depth:22; isdataat:!1,relative; content:"185.170.210.67"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216093/; classtype:trojan-activity;sid:81079193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.184.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216092/; classtype:trojan-activity;sid:81079192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.184.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216090/; classtype:trojan-activity;sid:81079190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.arm5"; http_uri; depth:22; isdataat:!1,relative; content:"185.170.210.67"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216091/; classtype:trojan-activity;sid:81079191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.184.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216089/; classtype:trojan-activity;sid:81079189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.arm"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.184.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216088/; classtype:trojan-activity;sid:81079188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"142.93.184.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216086/; classtype:trojan-activity;sid:81079186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ubercoupon.exe"; http_uri; depth:15; isdataat:!1,relative; content:"ubercoupon.site"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216085/; classtype:trojan-activity;sid:81079185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/six.exe"; http_uri; depth:8; isdataat:!1,relative; content:"goldmine098.5gbfree.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216084/; classtype:trojan-activity;sid:81079184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.x86"; http_uri; depth:9; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216083/; classtype:trojan-activity;sid:81079183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.sh4"; http_uri; depth:9; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216082/; classtype:trojan-activity;sid:81079182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.m68"; http_uri; depth:9; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216081/; classtype:trojan-activity;sid:81079181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.spc"; http_uri; depth:9; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216080/; classtype:trojan-activity;sid:81079180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/dir/hzewik.msi"; http_uri; depth:50; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216078/; classtype:trojan-activity;sid:81079178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/dir/updates.doc"; http_uri; depth:51; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216079/; classtype:trojan-activity;sid:81079179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/modules/jmsslider/views/img/layers/dir/msword.doc"; http_uri; depth:50; isdataat:!1,relative; content:"thecoverstudio.com"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216077/; classtype:trojan-activity;sid:81079177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.mips64"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216076/; classtype:trojan-activity;sid:81079176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.arm4tl"; http_uri; depth:12; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216075/; classtype:trojan-activity;sid:81079175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.mpsl"; http_uri; depth:10; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216074/; classtype:trojan-activity;sid:81079174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.armv6"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216073/; classtype:trojan-activity;sid:81079173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.armv5"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216072/; classtype:trojan-activity;sid:81079172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.arm4l"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216071/; classtype:trojan-activity;sid:81079171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.mips"; http_uri; depth:10; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216070/; classtype:trojan-activity;sid:81079170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.i686"; http_uri; depth:10; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216069/; classtype:trojan-activity;sid:81079169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.ppc"; http_uri; depth:9; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216068/; classtype:trojan-activity;sid:81079168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qkhq.armv7"; http_uri; depth:11; isdataat:!1,relative; content:"134.209.47.38"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216067/; classtype:trojan-activity;sid:81079167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fb.exe"; http_uri; depth:7; isdataat:!1,relative; content:"vydra.icu"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216066/; classtype:trojan-activity;sid:81079166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/99/2657720"; http_uri; depth:11; isdataat:!1,relative; content:"5.56.133.137"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216064/; classtype:trojan-activity;sid:81079164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nsis.exe"; http_uri; depth:9; isdataat:!1,relative; content:"vinomag.pw"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216063/; classtype:trojan-activity;sid:81079163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"176.97.220.24"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216062/; classtype:trojan-activity;sid:81079162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.x86"; http_uri; depth:21; isdataat:!1,relative; content:"167.99.237.47"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216061/; classtype:trojan-activity;sid:81079161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lmaowtf/loligang.x86"; http_uri; depth:21; isdataat:!1,relative; content:"185.170.210.67"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216060/; classtype:trojan-activity;sid:81079160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.x86"; http_uri; depth:16; isdataat:!1,relative; content:"142.93.184.156"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216058/; classtype:trojan-activity;sid:81079158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/downloads/load/eu3/borlightmedia.exe"; http_uri; depth:37; isdataat:!1,relative; content:"megainfo.info"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216056/; classtype:trojan-activity;sid:81079156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/_verify.exe"; http_uri; depth:12; isdataat:!1,relative; content:"spinagruop.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216055/; classtype:trojan-activity;sid:81079155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qqwee.exe"; http_uri; depth:10; isdataat:!1,relative; content:"spinagruop.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216054/; classtype:trojan-activity;sid:81079154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/data/facture_946.doc"; http_uri; depth:21; isdataat:!1,relative; content:"91.121.138.65"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216053/; classtype:trojan-activity;sid:81079153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/data/facture_947.doc"; http_uri; depth:21; isdataat:!1,relative; content:"91.121.138.65"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216052/; classtype:trojan-activity;sid:81079152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/data/facture_526.doc"; http_uri; depth:21; isdataat:!1,relative; content:"91.121.138.65"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216051/; classtype:trojan-activity;sid:81079151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ca.exe"; http_uri; depth:7; isdataat:!1,relative; content:"ca.fakesemoca16.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216050/; classtype:trojan-activity;sid:81079150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.x86"; http_uri; depth:14; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216048/; classtype:trojan-activity;sid:81079148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.x86_64"; http_uri; depth:17; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216049/; classtype:trojan-activity;sid:81079149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216045/; classtype:trojan-activity;sid:81079145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216046/; classtype:trojan-activity;sid:81079146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.spc"; http_uri; depth:14; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216047/; classtype:trojan-activity;sid:81079147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.mips"; http_uri; depth:15; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216043/; classtype:trojan-activity;sid:81079143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.mpsl"; http_uri; depth:15; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216044/; classtype:trojan-activity;sid:81079144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.i486"; http_uri; depth:15; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216040/; classtype:trojan-activity;sid:81079140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.i686"; http_uri; depth:15; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216041/; classtype:trojan-activity;sid:81079141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.m68k"; http_uri; depth:15; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216042/; classtype:trojan-activity;sid:81079142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216038/; classtype:trojan-activity;sid:81079138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216039/; classtype:trojan-activity;sid:81079139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.arc"; http_uri; depth:14; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216035/; classtype:trojan-activity;sid:81079135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.arm"; http_uri; depth:14; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216036/; classtype:trojan-activity;sid:81079136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/tron.arm5"; http_uri; depth:15; isdataat:!1,relative; content:"134.209.230.124"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216037/; classtype:trojan-activity;sid:81079137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/private.xls"; http_uri; depth:12; isdataat:!1,relative; content:"klomps.net"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216034/; classtype:trojan-activity;sid:81079134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bui/cu/total.exe"; http_uri; depth:17; isdataat:!1,relative; content:"kamnaexim.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216033/; classtype:trojan-activity;sid:81079133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"75.3.198.176"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216031/; classtype:trojan-activity;sid:81079131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/icons/friendrem.exe"; http_uri; depth:20; isdataat:!1,relative; content:"azahgroup.eu"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216030/; classtype:trojan-activity;sid:81079130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/3000.exe"; http_uri; depth:9; isdataat:!1,relative; content:"204.155.30.87"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216029/; classtype:trojan-activity;sid:81079129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9sh4"; http_uri; depth:7; isdataat:!1,relative; content:"167.71.190.55"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216028/; classtype:trojan-activity;sid:81079128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9ppc"; http_uri; depth:7; isdataat:!1,relative; content:"167.71.190.55"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216027/; classtype:trojan-activity;sid:81079127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9mpsl"; http_uri; depth:8; isdataat:!1,relative; content:"167.71.190.55"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216026/; classtype:trojan-activity;sid:81079126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9i586"; http_uri; depth:8; isdataat:!1,relative; content:"167.71.190.55"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216025/; classtype:trojan-activity;sid:81079125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9mips"; http_uri; depth:8; isdataat:!1,relative; content:"167.71.190.55"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216024/; classtype:trojan-activity;sid:81079124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9adc"; http_uri; depth:7; isdataat:!1,relative; content:"167.71.190.55"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216023/; classtype:trojan-activity;sid:81079123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/js/diallo123.exe"; http_uri; depth:24; isdataat:!1,relative; content:"obichereu.website"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216022/; classtype:trojan-activity;sid:81079122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/js/inquiryan79211678879997606686.exe"; http_uri; depth:44; isdataat:!1,relative; content:"obichereu.website"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216021/; classtype:trojan-activity;sid:81079121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/js/kjjhyyu.exe"; http_uri; depth:22; isdataat:!1,relative; content:"obichereu.website"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216020/; classtype:trojan-activity;sid:81079120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/js/sealedinfo.exe"; http_uri; depth:25; isdataat:!1,relative; content:"obichereu.website"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216019/; classtype:trojan-activity;sid:81079119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/js/petit1234.exe"; http_uri; depth:24; isdataat:!1,relative; content:"obichereu.website"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216018/; classtype:trojan-activity;sid:81079118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/images/js/proforma2.exe"; http_uri; depth:24; isdataat:!1,relative; content:"obichereu.website"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216017/; classtype:trojan-activity;sid:81079117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.m68k"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.173.127"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216016/; classtype:trojan-activity;sid:81079116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.mips"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.173.127"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216015/; classtype:trojan-activity;sid:81079115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.173.127"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216014/; classtype:trojan-activity;sid:81079114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"142.93.173.127"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216013/; classtype:trojan-activity;sid:81079113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.arm6"; http_uri; depth:19; isdataat:!1,relative; content:"167.99.10.90"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216012/; classtype:trojan-activity;sid:81079112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.arm"; http_uri; depth:18; isdataat:!1,relative; content:"167.99.10.90"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216011/; classtype:trojan-activity;sid:81079111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"142.93.173.127"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216010/; classtype:trojan-activity;sid:81079110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm"; http_uri; depth:14; isdataat:!1,relative; content:"142.93.173.127"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216009/; classtype:trojan-activity;sid:81079109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"142.93.173.127"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216008/; classtype:trojan-activity;sid:81079108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/win32.exe"; http_uri; depth:10; isdataat:!1,relative; content:"34.214.24.187"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216007/; classtype:trojan-activity;sid:81079107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dsg/eff/dec.exe"; http_uri; depth:16; isdataat:!1,relative; content:"tfvn.com.vn"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216006/; classtype:trojan-activity;sid:81079106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/wolf.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"104.244.76.236"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216005/; classtype:trojan-activity;sid:81079105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/wolf.m68k"; http_uri; depth:15; isdataat:!1,relative; content:"104.244.76.236"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216004/; classtype:trojan-activity;sid:81079104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.x86"; http_uri; depth:14; isdataat:!1,relative; content:"142.93.173.127"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216002/; classtype:trojan-activity;sid:81079102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/njgskdjkd.exe"; http_uri; depth:14; isdataat:!1,relative; content:"kiulingh.top"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216001/; classtype:trojan-activity;sid:81079101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof4.ks"; http_uri; depth:24; isdataat:!1,relative; content:"185.193.141.99"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215997/; classtype:trojan-activity;sid:81079097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof5.ks"; http_uri; depth:24; isdataat:!1,relative; content:"185.193.141.99"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215998/; classtype:trojan-activity;sid:81079098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof6.ks"; http_uri; depth:24; isdataat:!1,relative; content:"185.193.141.99"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215999/; classtype:trojan-activity;sid:81079099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof7.ks"; http_uri; depth:24; isdataat:!1,relative; content:"185.193.141.99"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/216000/; classtype:trojan-activity;sid:81079100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof1.ks"; http_uri; depth:24; isdataat:!1,relative; content:"185.193.141.99"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215994/; classtype:trojan-activity;sid:81079094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof2.ks"; http_uri; depth:24; isdataat:!1,relative; content:"185.193.141.99"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215995/; classtype:trojan-activity;sid:81079095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof3.ks"; http_uri; depth:24; isdataat:!1,relative; content:"185.193.141.99"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215996/; classtype:trojan-activity;sid:81079096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a/a.exe"; http_uri; depth:8; isdataat:!1,relative; content:"akqmedicine.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215993/; classtype:trojan-activity;sid:81079093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/_outputify.exe"; http_uri; depth:15; isdataat:!1,relative; content:"spinagruop.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215992/; classtype:trojan-activity;sid:81079092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ri/la/rick.exe"; http_uri; depth:15; isdataat:!1,relative; content:"kamnaexim.com"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215991/; classtype:trojan-activity;sid:81079091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/benu44.exe"; http_uri; depth:17; isdataat:!1,relative; content:"lutfulgroup.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215990/; classtype:trojan-activity;sid:81079090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ajp/public/c516cd9f3d02c0a9657652b835170278.php"; http_uri; depth:48; isdataat:!1,relative; content:"web.riderit.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215989/; classtype:trojan-activity;sid:81079089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.m68k"; http_uri; depth:17; isdataat:!1,relative; content:"46.101.193.175"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215988/; classtype:trojan-activity;sid:81079088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/wolf.arm"; http_uri; depth:14; isdataat:!1,relative; content:"104.244.76.236"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215987/; classtype:trojan-activity;sid:81079087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/wolf.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"104.244.76.236"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215986/; classtype:trojan-activity;sid:81079086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"167.99.15.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215985/; classtype:trojan-activity;sid:81079085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ez.exe"; http_uri; depth:7; isdataat:!1,relative; content:"ez.fakesemoca16.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215984/; classtype:trojan-activity;sid:81079084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/trendystuff/addons/flickr/1c.jpg"; http_uri; depth:51; isdataat:!1,relative; content:"irnberger.co.at"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215983/; classtype:trojan-activity;sid:81079083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mps/tila.exe"; http_uri; depth:13; isdataat:!1,relative; content:"ammucreations.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215981/; classtype:trojan-activity;sid:81079081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/elementor/jiz.exe"; http_uri; depth:37; isdataat:!1,relative; content:"lmvadvogados.com.br"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215980/; classtype:trojan-activity;sid:81079080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/uploads/elementor/tur.exe"; http_uri; depth:37; isdataat:!1,relative; content:"lmvadvogados.com.br"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215979/; classtype:trojan-activity;sid:81079079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gmp/xce/revised.exe"; http_uri; depth:20; isdataat:!1,relative; content:"renu-bansal.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215977/; classtype:trojan-activity;sid:81079077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm7"; http_uri; depth:19; isdataat:!1,relative; content:"37.59.242.121"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215976/; classtype:trojan-activity;sid:81079076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.m68k"; http_uri; depth:19; isdataat:!1,relative; content:"37.59.242.121"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215975/; classtype:trojan-activity;sid:81079075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.ppc"; http_uri; depth:18; isdataat:!1,relative; content:"37.59.242.121"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215974/; classtype:trojan-activity;sid:81079074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.mips"; http_uri; depth:19; isdataat:!1,relative; content:"37.59.242.121"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215973/; classtype:trojan-activity;sid:81079073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"46.101.193.175"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215972/; classtype:trojan-activity;sid:81079072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.ppc"; http_uri; depth:16; isdataat:!1,relative; content:"46.101.193.175"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215971/; classtype:trojan-activity;sid:81079071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.sh4"; http_uri; depth:18; isdataat:!1,relative; content:"37.59.242.121"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215970/; classtype:trojan-activity;sid:81079070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.sh4"; http_uri; depth:16; isdataat:!1,relative; content:"46.101.193.175"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215969/; classtype:trojan-activity;sid:81079069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.x86"; http_uri; depth:18; isdataat:!1,relative; content:"37.59.242.121"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215968/; classtype:trojan-activity;sid:81079068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.mips"; http_uri; depth:17; isdataat:!1,relative; content:"46.101.193.175"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215967/; classtype:trojan-activity;sid:81079067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/yakuza.arm7"; http_uri; depth:17; isdataat:!1,relative; content:"167.99.15.77"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215966/; classtype:trojan-activity;sid:81079066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm5"; http_uri; depth:19; isdataat:!1,relative; content:"37.59.242.121"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215965/; classtype:trojan-activity;sid:81079065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/benu44.exe"; http_uri; depth:17; isdataat:!1,relative; content:"mimiplace.top"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215964/; classtype:trojan-activity;sid:81079064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/50k44.exe"; http_uri; depth:16; isdataat:!1,relative; content:"mimiplace.top"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215962/; classtype:trojan-activity;sid:81079062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.arm"; http_uri; depth:16; isdataat:!1,relative; content:"46.101.193.175"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215959/; classtype:trojan-activity;sid:81079059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.arm5"; http_uri; depth:17; isdataat:!1,relative; content:"46.101.193.175"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215960/; classtype:trojan-activity;sid:81079060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ab4g5/josho.arm6"; http_uri; depth:17; isdataat:!1,relative; content:"46.101.193.175"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215961/; classtype:trojan-activity;sid:81079061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/zbzi/pid0318/19070511/t6kiffs1/wqqs23y7f.exe"; http_uri; depth:45; isdataat:!1,relative; content:"cdn.fanyamedia.net"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215958/; classtype:trojan-activity;sid:81079058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/eng/include/client.rar"; http_uri; depth:23; isdataat:!1,relative; content:"www.velasmeralda.it"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215957/; classtype:trojan-activity;sid:81079057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof11.ks"; http_uri; depth:25; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215956/; classtype:trojan-activity;sid:81079056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof10.ks"; http_uri; depth:25; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215955/; classtype:trojan-activity;sid:81079055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof4.ks"; http_uri; depth:24; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215950/; classtype:trojan-activity;sid:81079050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof5.ks"; http_uri; depth:24; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215951/; classtype:trojan-activity;sid:81079051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof6.ks"; http_uri; depth:24; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215952/; classtype:trojan-activity;sid:81079052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof8.ks"; http_uri; depth:24; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215953/; classtype:trojan-activity;sid:81079053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof9.ks"; http_uri; depth:24; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215954/; classtype:trojan-activity;sid:81079054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof1.ks"; http_uri; depth:24; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215947/; classtype:trojan-activity;sid:81079047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof2.ks"; http_uri; depth:24; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215948/; classtype:trojan-activity;sid:81079048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/iwq/wpsk.phpl=lepof3.ks"; http_uri; depth:24; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215949/; classtype:trojan-activity;sid:81079049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/_outpute1275ef%20hawk.exe"; http_uri; depth:32; isdataat:!1,relative; content:"mimiplace.top"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215946/; classtype:trojan-activity;sid:81079046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/winoniu.exe"; http_uri; depth:12; isdataat:!1,relative; content:"111.231.142.229"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215945/; classtype:trojan-activity;sid:81079045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/winmosys.exe"; http_uri; depth:13; isdataat:!1,relative; content:"111.231.142.229"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215944/; classtype:trojan-activity;sid:81079044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mosys.exe"; http_uri; depth:10; isdataat:!1,relative; content:"111.231.142.229"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215943/; classtype:trojan-activity;sid:81079043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linuxtf"; http_uri; depth:8; isdataat:!1,relative; content:"111.231.142.229"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215942/; classtype:trojan-activity;sid:81079042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/core.exe"; http_uri; depth:9; isdataat:!1,relative; content:"111.231.142.229"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215941/; classtype:trojan-activity;sid:81079041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windows.exe"; http_uri; depth:12; isdataat:!1,relative; content:"111.30.107.131"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215940/; classtype:trojan-activity;sid:81079040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/t9"; http_uri; depth:3; isdataat:!1,relative; content:"111.30.107.131"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215939/; classtype:trojan-activity;sid:81079039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh.1"; http_uri; depth:5; isdataat:!1,relative; content:"111.30.107.131"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215938/; classtype:trojan-activity;sid:81079038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cls/1850.exe"; http_uri; depth:13; isdataat:!1,relative; content:"ammucreations.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215937/; classtype:trojan-activity;sid:81079037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/linux"; http_uri; depth:6; isdataat:!1,relative; content:"154.221.23.39"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215936/; classtype:trojan-activity;sid:81079036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vnc32.rar"; http_uri; depth:10; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215934/; classtype:trojan-activity;sid:81079034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vnc64.rar"; http_uri; depth:10; isdataat:!1,relative; content:"xpiperae94xw.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215935/; classtype:trojan-activity;sid:81079035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pu/la/access.exe"; http_uri; depth:17; isdataat:!1,relative; content:"metalcoven.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215925/; classtype:trojan-activity;sid:81079025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gallery.php"; http_uri; depth:12; isdataat:!1,relative; content:"outlowupdt.info"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215924/; classtype:trojan-activity;sid:81079024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/raw/yjnnftb9"; http_uri; depth:13; isdataat:!1,relative; content:"pastebin.com"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215923/; classtype:trojan-activity;sid:81079023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/si.php"; http_uri; depth:7; isdataat:!1,relative; content:"185.139.69.177"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215922/; classtype:trojan-activity;sid:81079022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm"; http_uri; depth:18; isdataat:!1,relative; content:"37.59.242.121"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215921/; classtype:trojan-activity;sid:81079021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm6"; http_uri; depth:19; isdataat:!1,relative; content:"37.59.242.121"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215920/; classtype:trojan-activity;sid:81079020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/_output463c890.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cnn.datapath-uk.cf"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215919/; classtype:trojan-activity;sid:81079019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.x86"; http_uri; depth:10; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215918/; classtype:trojan-activity;sid:81079018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm6"; http_uri; depth:11; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215916/; classtype:trojan-activity;sid:81079016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.sparc"; http_uri; depth:12; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215917/; classtype:trojan-activity;sid:81079017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i586"; http_uri; depth:11; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215915/; classtype:trojan-activity;sid:81079015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.i686"; http_uri; depth:11; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215914/; classtype:trojan-activity;sid:81079014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm5"; http_uri; depth:11; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215912/; classtype:trojan-activity;sid:81079012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.m68k"; http_uri; depth:11; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215911/; classtype:trojan-activity;sid:81079011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.ppc"; http_uri; depth:10; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215913/; classtype:trojan-activity;sid:81079013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm4"; http_uri; depth:11; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215909/; classtype:trojan-activity;sid:81079009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.arm7"; http_uri; depth:11; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215910/; classtype:trojan-activity;sid:81079010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mips"; http_uri; depth:11; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215907/; classtype:trojan-activity;sid:81079007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/demon.mpsl"; http_uri; depth:11; isdataat:!1,relative; content:"89.190.159.189"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215908/; classtype:trojan-activity;sid:81079008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lt.exe"; http_uri; depth:7; isdataat:!1,relative; content:"light.fakesemoca16.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215906/; classtype:trojan-activity;sid:81079006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/documents/file/o.msi"; http_uri; depth:21; isdataat:!1,relative; content:"creativecompetitionawards.gq"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215905/; classtype:trojan-activity;sid:81079005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sgi/doc/pdf_files/dwindows.msi"; http_uri; depth:31; isdataat:!1,relative; content:"creativecompetitionawards.gq"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215903/; classtype:trojan-activity;sid:81079003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sgi/doc/pdf_files/windows.doc"; http_uri; depth:30; isdataat:!1,relative; content:"creativecompetitionawards.gq"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215904/; classtype:trojan-activity;sid:81079004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sgi/doc/pdf_files/ds.exe"; http_uri; depth:25; isdataat:!1,relative; content:"creativecompetitionawards.gq"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215902/; classtype:trojan-activity;sid:81079002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sgi/doc/pdf_files/windows.msi"; http_uri; depth:30; isdataat:!1,relative; content:"creativecompetitionawards.gq"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215901/; classtype:trojan-activity;sid:81079001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sgi/doc/pdf_files/windows.exe"; http_uri; depth:30; isdataat:!1,relative; content:"creativecompetitionawards.gq"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215900/; classtype:trojan-activity;sid:81079000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sgi/doc/pdf_files/system.exe"; http_uri; depth:29; isdataat:!1,relative; content:"creativecompetitionawards.gq"; http_host; depth:28; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215899/; classtype:trojan-activity;sid:81078999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/fab/st(1).exe"; http_uri; depth:50; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215898/; classtype:trojan-activity;sid:81078998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/fab/new.exe"; http_uri; depth:48; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215896/; classtype:trojan-activity;sid:81078996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/fab/new.msi"; http_uri; depth:48; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215897/; classtype:trojan-activity;sid:81078997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/fab/fab.msi"; http_uri; depth:48; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215895/; classtype:trojan-activity;sid:81078995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/fab/fab.exe"; http_uri; depth:48; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215893/; classtype:trojan-activity;sid:81078993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/fab/ff.exe"; http_uri; depth:47; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215894/; classtype:trojan-activity;sid:81078994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/fab/aaa.msi"; http_uri; depth:48; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215892/; classtype:trojan-activity;sid:81078992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/fab/aa.exe"; http_uri; depth:47; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215891/; classtype:trojan-activity;sid:81078991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/fab/aaa.exe"; http_uri; depth:48; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215890/; classtype:trojan-activity;sid:81078990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/fab/aaa%20(1).exe"; http_uri; depth:54; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215889/; classtype:trojan-activity;sid:81078989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/settings.doc"; http_uri; depth:53; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215887/; classtype:trojan-activity;sid:81078987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/word.doc"; http_uri; depth:49; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215888/; classtype:trojan-activity;sid:81078988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/msword.doc"; http_uri; depth:51; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215885/; classtype:trojan-activity;sid:81078985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/office.doc"; http_uri; depth:51; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215886/; classtype:trojan-activity;sid:81078986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/xlobwq.msi"; http_uri; depth:51; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215884/; classtype:trojan-activity;sid:81078984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/svchost.exe"; http_uri; depth:52; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215882/; classtype:trojan-activity;sid:81078982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/wuygbu.msi"; http_uri; depth:51; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215883/; classtype:trojan-activity;sid:81078983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/svchost.msi"; http_uri; depth:52; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215881/; classtype:trojan-activity;sid:81078981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/sab.exe"; http_uri; depth:48; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215880/; classtype:trojan-activity;sid:81078980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/ibcgur.msi"; http_uri; depth:51; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215879/; classtype:trojan-activity;sid:81078979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/htmwju.exe"; http_uri; depth:51; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215878/; classtype:trojan-activity;sid:81078978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/office.doc"; http_uri; depth:55; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215876/; classtype:trojan-activity;sid:81078976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/word.doc"; http_uri; depth:53; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215877/; classtype:trojan-activity;sid:81078977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/taskeng.msi"; http_uri; depth:56; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215875/; classtype:trojan-activity;sid:81078975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/ih97efbagjg4ppp.msi"; http_uri; depth:64; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215874/; classtype:trojan-activity;sid:81078974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/bkmrxa.msi"; http_uri; depth:55; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215873/; classtype:trojan-activity;sid:81078973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/app/settings.doc"; http_uri; depth:61; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215871/; classtype:trojan-activity;sid:81078971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/app/word.doc"; http_uri; depth:57; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215872/; classtype:trojan-activity;sid:81078972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/app/css.doc"; http_uri; depth:56; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215870/; classtype:trojan-activity;sid:81078970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/app/microsoft.doc"; http_uri; depth:62; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215869/; classtype:trojan-activity;sid:81078969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/app/nye.msi"; http_uri; depth:56; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215868/; classtype:trojan-activity;sid:81078968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/app/nybe.msi"; http_uri; depth:57; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215867/; classtype:trojan-activity;sid:81078967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/app/_output449cc60.msi"; http_uri; depth:67; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215866/; classtype:trojan-activity;sid:81078966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vendor/phpunit/phpunit/src/util/php/css/dir/app/windows.msi"; http_uri; depth:60; isdataat:!1,relative; content:"koirado.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215865/; classtype:trojan-activity;sid:81078965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp/yo/agip.exe"; http_uri; depth:15; isdataat:!1,relative; content:"metalcoven.com"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215864/; classtype:trojan-activity;sid:81078964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ilqeobxic"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215863/; classtype:trojan-activity;sid:81078963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.ppc"; http_uri; depth:11; isdataat:!1,relative; content:"13.230.239.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215862/; classtype:trojan-activity;sid:81078962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/9o22ij3ip"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215861/; classtype:trojan-activity;sid:81078961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mips"; http_uri; depth:12; isdataat:!1,relative; content:"13.230.239.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215860/; classtype:trojan-activity;sid:81078960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x32"; http_uri; depth:11; isdataat:!1,relative; content:"13.230.239.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215859/; classtype:trojan-activity;sid:81078959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fwdfvf"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215858/; classtype:trojan-activity;sid:81078958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/razdzn"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215857/; classtype:trojan-activity;sid:81078957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/9r72ecyir"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215854/; classtype:trojan-activity;sid:81078954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mjgezkhij"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215855/; classtype:trojan-activity;sid:81078955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pob28xcit"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215856/; classtype:trojan-activity;sid:81078956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/f53v3xvc8"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215853/; classtype:trojan-activity;sid:81078953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm6"; http_uri; depth:12; isdataat:!1,relative; content:"13.230.239.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215852/; classtype:trojan-activity;sid:81078952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.mpsl"; http_uri; depth:12; isdataat:!1,relative; content:"13.230.239.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215851/; classtype:trojan-activity;sid:81078951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/09ej3xie2"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215850/; classtype:trojan-activity;sid:81078950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vvglma"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215849/; classtype:trojan-activity;sid:81078949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.x86"; http_uri; depth:11; isdataat:!1,relative; content:"13.230.239.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215848/; classtype:trojan-activity;sid:81078948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qtmzbn"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215847/; classtype:trojan-activity;sid:81078947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/vtyhat"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215846/; classtype:trojan-activity;sid:81078946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/nvitpj"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215845/; classtype:trojan-activity;sid:81078945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.i586"; http_uri; depth:12; isdataat:!1,relative; content:"13.230.239.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215844/; classtype:trojan-activity;sid:81078944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/82gdlkyr6"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215843/; classtype:trojan-activity;sid:81078943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/lnkfmx"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215842/; classtype:trojan-activity;sid:81078942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/qvmxvl"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215841/; classtype:trojan-activity;sid:81078941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xanmanxan"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215840/; classtype:trojan-activity;sid:81078940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cemtop"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215839/; classtype:trojan-activity;sid:81078939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/837h5hquw"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215838/; classtype:trojan-activity;sid:81078938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.m68k"; http_uri; depth:12; isdataat:!1,relative; content:"13.230.239.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215837/; classtype:trojan-activity;sid:81078937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/exaksvz0j"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215835/; classtype:trojan-activity;sid:81078935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/jsiqjzzsq"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215836/; classtype:trojan-activity;sid:81078936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/ajoomk"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215834/; classtype:trojan-activity;sid:81078934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/atxhua"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215833/; classtype:trojan-activity;sid:81078933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xanxanman"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215832/; classtype:trojan-activity;sid:81078932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/0w7awnuo5"; http_uri; depth:10; isdataat:!1,relative; content:"104.248.95.152"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215831/; classtype:trojan-activity;sid:81078931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.arm4"; http_uri; depth:12; isdataat:!1,relative; content:"13.230.239.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215830/; classtype:trojan-activity;sid:81078930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/earyzq"; http_uri; depth:7; isdataat:!1,relative; content:"167.99.88.98"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215829/; classtype:trojan-activity;sid:81078929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/tkcrypt77.exe"; http_uri; depth:20; isdataat:!1,relative; content:"mimiplace.top"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215827/; classtype:trojan-activity;sid:81078927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"13.230.239.76"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215826/; classtype:trojan-activity;sid:81078926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yakuza.sh4"; http_uri; depth:11; isdataat:!1,relative; content:"120.55.76.1"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215824/; classtype:trojan-activity;sid:81078924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/a8c805f.msi"; http_uri; depth:12; isdataat:!1,relative; content:"www.stopcityloop.org"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215823/; classtype:trojan-activity;sid:81078923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dn.exe"; http_uri; depth:7; isdataat:!1,relative; content:"do.fakesemoca16.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215822/; classtype:trojan-activity;sid:81078922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/benucrypt2.exe"; http_uri; depth:21; isdataat:!1,relative; content:"mimiplace.top"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215821/; classtype:trojan-activity;sid:81078921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/profile.exe"; http_uri; depth:12; isdataat:!1,relative; content:"84.38.129.101"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215820/; classtype:trojan-activity;sid:81078920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/load4.exe"; http_uri; depth:10; isdataat:!1,relative; content:"iz.owak-kmyt.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215818/; classtype:trojan-activity;sid:81078918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/xstyler.exe"; http_uri; depth:12; isdataat:!1,relative; content:"oon.owak-kmyt.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215817/; classtype:trojan-activity;sid:81078917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windowsmediaplayer.exe"; http_uri; depth:23; isdataat:!1,relative; content:"rcy.owak-kmyt.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215816/; classtype:trojan-activity;sid:81078916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/protected.exe"; http_uri; depth:14; isdataat:!1,relative; content:"qfo.owak-kmyt.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215814/; classtype:trojan-activity;sid:81078914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/skldjksasjkhkhkjasljsd54s.exe"; http_uri; depth:30; isdataat:!1,relative; content:"iz.owak-kmyt.ru"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215813/; classtype:trojan-activity;sid:81078913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/build2.exe"; http_uri; depth:11; isdataat:!1,relative; content:"qfo.owak-kmyt.ru"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215812/; classtype:trojan-activity;sid:81078912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.mips"; http_uri; depth:15; isdataat:!1,relative; content:"45.80.37.152"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215811/; classtype:trojan-activity;sid:81078911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.sh4"; http_uri; depth:14; isdataat:!1,relative; content:"45.80.37.152"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215810/; classtype:trojan-activity;sid:81078910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.ppc"; http_uri; depth:14; isdataat:!1,relative; content:"45.80.37.152"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215809/; classtype:trojan-activity;sid:81078909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/themes/trendystuff/addons/flickr/1c.jpg"; http_uri; depth:51; isdataat:!1,relative; content:"www.irnberger.co.at"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215808/; classtype:trojan-activity;sid:81078908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/gmp/xce/revised.exe"; http_uri; depth:20; isdataat:!1,relative; content:"www.renu-bansal.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215806/; classtype:trojan-activity;sid:81078906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm5"; http_uri; depth:15; isdataat:!1,relative; content:"45.80.37.152"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215805/; classtype:trojan-activity;sid:81078905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.m68k"; http_uri; depth:15; isdataat:!1,relative; content:"45.80.37.152"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215804/; classtype:trojan-activity;sid:81078904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm7"; http_uri; depth:15; isdataat:!1,relative; content:"45.80.37.152"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215803/; classtype:trojan-activity;sid:81078903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm"; http_uri; depth:14; isdataat:!1,relative; content:"45.80.37.152"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215802/; classtype:trojan-activity;sid:81078902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.arm6"; http_uri; depth:15; isdataat:!1,relative; content:"45.80.37.152"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215801/; classtype:trojan-activity;sid:81078901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tm-645wrteb.exe"; http_uri; depth:16; isdataat:!1,relative; content:"shopcrowdfund.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215800/; classtype:trojan-activity;sid:81078900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/protectedfile.exe"; http_uri; depth:18; isdataat:!1,relative; content:"shopcrowdfund.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215799/; classtype:trojan-activity;sid:81078899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/new%20tender.jpg"; http_uri; depth:17; isdataat:!1,relative; content:"shopcrowdfund.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215798/; classtype:trojan-activity;sid:81078898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/orders.exe"; http_uri; depth:11; isdataat:!1,relative; content:"84.38.129.101"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215797/; classtype:trojan-activity;sid:81078897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/yesjhsk.fdg"; http_uri; depth:12; isdataat:!1,relative; content:"canadabestonline.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215795/; classtype:trojan-activity;sid:81078895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.x86"; http_uri; depth:14; isdataat:!1,relative; content:"45.80.37.152"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215794/; classtype:trojan-activity;sid:81078894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-admin/ned59.exe"; http_uri; depth:19; isdataat:!1,relative; content:"resepbelajar.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215793/; classtype:trojan-activity;sid:81078893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bash"; http_uri; depth:5; isdataat:!1,relative; content:"192.241.158.242"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215792/; classtype:trojan-activity;sid:81078892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh"; http_uri; depth:3; isdataat:!1,relative; content:"192.241.158.242"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215791/; classtype:trojan-activity;sid:81078891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cron"; http_uri; depth:5; isdataat:!1,relative; content:"192.241.158.242"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215790/; classtype:trojan-activity;sid:81078890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pftp"; http_uri; depth:5; isdataat:!1,relative; content:"192.241.158.242"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215789/; classtype:trojan-activity;sid:81078889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wget"; http_uri; depth:5; isdataat:!1,relative; content:"192.241.158.242"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215788/; classtype:trojan-activity;sid:81078888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/openssh"; http_uri; depth:8; isdataat:!1,relative; content:"192.241.158.242"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215787/; classtype:trojan-activity;sid:81078887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/apache2"; http_uri; depth:8; isdataat:!1,relative; content:"192.241.158.242"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215786/; classtype:trojan-activity;sid:81078886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tftp"; http_uri; depth:5; isdataat:!1,relative; content:"192.241.158.242"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215785/; classtype:trojan-activity;sid:81078885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sshd"; http_uri; depth:5; isdataat:!1,relative; content:"192.241.158.242"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_09; reference:url, urlhaus.abuse.ch/url/215784/; classtype:trojan-activity;sid:81078884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/newvirus.exe"; http_uri; depth:13; isdataat:!1,relative; content:"belluccikya.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215783/; classtype:trojan-activity;sid:81078883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/page/bab.exe"; http_uri; depth:13; isdataat:!1,relative; content:"jearchitectural-barnsley.co.uk"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215782/; classtype:trojan-activity;sid:81078882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.arm6"; http_uri; depth:10; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215781/; classtype:trojan-activity;sid:81078881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.arm7"; http_uri; depth:10; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215780/; classtype:trojan-activity;sid:81078880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.mpsl"; http_uri; depth:10; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215779/; classtype:trojan-activity;sid:81078879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.spc"; http_uri; depth:9; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215778/; classtype:trojan-activity;sid:81078878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.ppc"; http_uri; depth:9; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215777/; classtype:trojan-activity;sid:81078877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.arm4"; http_uri; depth:10; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215776/; classtype:trojan-activity;sid:81078876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.m68"; http_uri; depth:9; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215775/; classtype:trojan-activity;sid:81078875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.mips"; http_uri; depth:10; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215774/; classtype:trojan-activity;sid:81078874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.arm5"; http_uri; depth:10; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215773/; classtype:trojan-activity;sid:81078873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.mips64"; http_uri; depth:12; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215772/; classtype:trojan-activity;sid:81078872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.sh4"; http_uri; depth:9; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215771/; classtype:trojan-activity;sid:81078871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.arm4t"; http_uri; depth:11; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215770/; classtype:trojan-activity;sid:81078870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.i686"; http_uri; depth:10; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215769/; classtype:trojan-activity;sid:81078869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/woah.x86"; http_uri; depth:9; isdataat:!1,relative; content:"94.140.125.9"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215768/; classtype:trojan-activity;sid:81078868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.sh4"; http_uri; depth:18; isdataat:!1,relative; content:"146.71.76.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215766/; classtype:trojan-activity;sid:81078866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.ppc"; http_uri; depth:18; isdataat:!1,relative; content:"146.71.76.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215765/; classtype:trojan-activity;sid:81078865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm5"; http_uri; depth:19; isdataat:!1,relative; content:"146.71.76.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215764/; classtype:trojan-activity;sid:81078864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.x86"; http_uri; depth:18; isdataat:!1,relative; content:"146.71.76.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215763/; classtype:trojan-activity;sid:81078863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.m68k"; http_uri; depth:19; isdataat:!1,relative; content:"146.71.76.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215762/; classtype:trojan-activity;sid:81078862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.mips"; http_uri; depth:19; isdataat:!1,relative; content:"146.71.76.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215761/; classtype:trojan-activity;sid:81078861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"105.225.147.157"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215760/; classtype:trojan-activity;sid:81078860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/payments.doc"; http_uri; depth:13; isdataat:!1,relative; content:"fpayyhh.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215758/; classtype:trojan-activity;sid:81078858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pent.exe"; http_uri; depth:9; isdataat:!1,relative; content:"fpayyhh.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215757/; classtype:trojan-activity;sid:81078857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/hefts.exe"; http_uri; depth:10; isdataat:!1,relative; content:"fpayyhh.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215756/; classtype:trojan-activity;sid:81078856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pandoras_box/pandora.m68k"; http_uri; depth:26; isdataat:!1,relative; content:"51.38.71.70"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215755/; classtype:trojan-activity;sid:81078855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm6"; http_uri; depth:19; isdataat:!1,relative; content:"146.71.76.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215754/; classtype:trojan-activity;sid:81078854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/unhanaaw.arm"; http_uri; depth:18; isdataat:!1,relative; content:"146.71.76.191"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215752/; classtype:trojan-activity;sid:81078852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/mpsl"; http_uri; depth:10; isdataat:!1,relative; content:"103.83.157.46"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215751/; classtype:trojan-activity;sid:81078851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/ppc"; http_uri; depth:9; isdataat:!1,relative; content:"103.83.157.46"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215750/; classtype:trojan-activity;sid:81078850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/mips"; http_uri; depth:10; isdataat:!1,relative; content:"103.83.157.46"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215749/; classtype:trojan-activity;sid:81078849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/arm5"; http_uri; depth:10; isdataat:!1,relative; content:"103.83.157.46"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215748/; classtype:trojan-activity;sid:81078848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/m68k"; http_uri; depth:10; isdataat:!1,relative; content:"103.83.157.46"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215747/; classtype:trojan-activity;sid:81078847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/arm6"; http_uri; depth:10; isdataat:!1,relative; content:"103.83.157.46"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215745/; classtype:trojan-activity;sid:81078845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/arm7"; http_uri; depth:10; isdataat:!1,relative; content:"103.83.157.46"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215746/; classtype:trojan-activity;sid:81078846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/x86"; http_uri; depth:9; isdataat:!1,relative; content:"103.83.157.46"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215744/; classtype:trojan-activity;sid:81078844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/sh4"; http_uri; depth:9; isdataat:!1,relative; content:"103.83.157.46"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215743/; classtype:trojan-activity;sid:81078843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/shedy.exe"; http_uri; depth:10; isdataat:!1,relative; content:"johnwillison210.5gbfree.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215742/; classtype:trojan-activity;sid:81078842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/cache/meta/1c.jpg"; http_uri; depth:29; isdataat:!1,relative; content:"allhouseappliances.com"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215741/; classtype:trojan-activity;sid:81078841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/shedy.exe"; http_uri; depth:10; isdataat:!1,relative; content:"john12321.5gbfree.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215740/; classtype:trojan-activity;sid:81078840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/5aue+5zd3ry71wxskmvxtw==1989670"; http_uri; depth:32; isdataat:!1,relative; content:"wikifoundryattachments.com"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215739/; classtype:trojan-activity;sid:81078839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/point.exe"; http_uri; depth:10; isdataat:!1,relative; content:"maxzi.5gbfree.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215738/; classtype:trojan-activity;sid:81078838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/tests/billy.exe"; http_uri; depth:16; isdataat:!1,relative; content:"smartbeachphuket.com"; http_host; depth:20; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215737/; classtype:trojan-activity;sid:81078837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/av/bi.hta"; http_uri; depth:10; isdataat:!1,relative; content:"netlux.in"; http_host; depth:9; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215736/; classtype:trojan-activity;sid:81078836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/trablon.png"; http_uri; depth:12; isdataat:!1,relative; content:"46.30.42.193"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215733/; classtype:trojan-activity;sid:81078833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/samagden.png"; http_uri; depth:13; isdataat:!1,relative; content:"46.30.42.193"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215732/; classtype:trojan-activity;sid:81078832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/.i"; http_uri; depth:3; isdataat:!1,relative; content:"91.138.236.163"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215731/; classtype:trojan-activity;sid:81078831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/site/wp-admin/chrome.bin"; http_uri; depth:25; isdataat:!1,relative; content:"carmelavalles.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215730/; classtype:trojan-activity;sid:81078830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/purple.exe"; http_uri; depth:11; isdataat:!1,relative; content:"johnwillison210.5gbfree.com"; http_host; depth:27; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215729/; classtype:trojan-activity;sid:81078829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/_output2360530.exe"; http_uri; depth:19; isdataat:!1,relative; content:"cnn.datapath-uk.cf"; http_host; depth:18; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215728/; classtype:trojan-activity;sid:81078828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/bins/hoho.x86"; http_uri; depth:14; isdataat:!1,relative; content:"159.203.63.197"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215727/; classtype:trojan-activity;sid:81078827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/vrn/emma.exe"; http_uri; depth:32; isdataat:!1,relative; content:"spadnb.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215726/; classtype:trojan-activity;sid:81078826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/benu4.exe"; http_uri; depth:16; isdataat:!1,relative; content:"mimiplace.top"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215725/; classtype:trojan-activity;sid:81078825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/downloads/inlogoptimizer_n1p3.exe"; http_uri; depth:34; isdataat:!1,relative; content:"inlog-optimizer.com"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215723/; classtype:trojan-activity;sid:81078823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/f1cbd6d256b0ffa7bd925ef64/files/579310f6-595b-464e-af0b-aa078fb96023/38298999_9399.zip"; http_uri; depth:87; isdataat:!1,relative; content:"gallery.mailchimp.com"; http_host; depth:21; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215724/; classtype:trojan-activity;sid:81078824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/s/22lmr8oah8sfv2a/pds_productdatasheetjc%20s515_530_rev.10-page-001.docdl=1"; http_uri; depth:76; isdataat:!1,relative; content:"www.dropbox.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215722/; classtype:trojan-activity;sid:81078822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/s/22lmr8oah8sfv2a/pds_productdatasheetjcs515_530_rev.10-page-001.docdl=1"; http_uri; depth:73; isdataat:!1,relative; content:"www.dropbox.com"; http_host; depth:15; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215721/; classtype:trojan-activity;sid:81078821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/windis453gfd_signed.exe"; http_uri; depth:24; isdataat:!1,relative; content:"ksjd123213gfksdj23f.ru"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215720/; classtype:trojan-activity;sid:81078820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/downloads/inlogoptimizer_n1p3.exe"; http_uri; depth:34; isdataat:!1,relative; content:"www.inlog-optimizer.com"; http_host; depth:23; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215719/; classtype:trojan-activity;sid:81078819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/plugins/vrn/kings.exe"; http_uri; depth:33; isdataat:!1,relative; content:"spadnb.com"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215718/; classtype:trojan-activity;sid:81078818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/data.php"; http_uri; depth:9; isdataat:!1,relative; content:"www.diamond-handyman.co.uk"; http_host; depth:26; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215717/; classtype:trojan-activity;sid:81078817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/bobnow.exe"; http_uri; depth:17; isdataat:!1,relative; content:"mimiplace.top"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215716/; classtype:trojan-activity;sid:81078816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/ifyraw.exe"; http_uri; depth:17; isdataat:!1,relative; content:"mimiplace.top"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215715/; classtype:trojan-activity;sid:81078815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/admin/ifynow.exe"; http_uri; depth:17; isdataat:!1,relative; content:"mimiplace.top"; http_host; depth:13; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215713/; classtype:trojan-activity;sid:81078813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/99/708165"; http_uri; depth:10; isdataat:!1,relative; content:"5.56.133.137"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215711/; classtype:trojan-activity;sid:81078811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dn.exe"; http_uri; depth:7; isdataat:!1,relative; content:"don.viameventos.com.br"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215710/; classtype:trojan-activity;sid:81078810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/page/kok.exe"; http_uri; depth:13; isdataat:!1,relative; content:"jearchitectural-barnsley.co.uk"; http_host; depth:30; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215709/; classtype:trojan-activity;sid:81078809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/dllsvr2.exe"; http_uri; depth:12; isdataat:!1,relative; content:"ec2-3-83-64-249.azurewebsites.net"; http_host; depth:33; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215707/; classtype:trojan-activity;sid:81078807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/d6aa22f3e487/a4sanqf6wu"; http_uri; depth:24; isdataat:!1,relative; content:"mailchi.mp"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215706/; classtype:trojan-activity;sid:81078806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pagesu=cd5e2bf0aa684eff0aeb54377|26|id=030032cee1f0"; http_uri; depth:52; isdataat:!1,relative; content:"us15.campaign-archive.com"; http_host; depth:25; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215705/; classtype:trojan-activity;sid:81078805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/pagesu=035496fc182d3cf5353219b28|26|id=03009ec6e1f0"; http_uri; depth:52; isdataat:!1,relative; content:"us2.campaign-archive.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215704/; classtype:trojan-activity;sid:81078804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/data.php"; http_uri; depth:9; isdataat:!1,relative; content:"www.digitalhearinguk.com"; http_host; depth:24; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215702/; classtype:trojan-activity;sid:81078802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/revisionoutdoor/9aezxs0orp"; http_uri; depth:27; isdataat:!1,relative; content:"mailchi.mp"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215703/; classtype:trojan-activity;sid:81078803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/74_8_839.php"; http_uri; depth:13; isdataat:!1,relative; content:"www.collected.photo"; http_host; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215701/; classtype:trojan-activity;sid:81078801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/rocket.php"; http_uri; depth:11; isdataat:!1,relative; content:"www.190518.co.uk"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215700/; classtype:trojan-activity;sid:81078800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/data.php"; http_uri; depth:9; isdataat:!1,relative; content:"www.corpopalo.com"; http_host; depth:17; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215699/; classtype:trojan-activity;sid:81078799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.arm"; http_uri; depth:18; isdataat:!1,relative; content:"178.62.36.58"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215696/; classtype:trojan-activity;sid:81078796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.arm7"; http_uri; depth:19; isdataat:!1,relative; content:"178.62.36.58"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215695/; classtype:trojan-activity;sid:81078795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.sh4"; http_uri; depth:18; isdataat:!1,relative; content:"178.62.36.58"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215698/; classtype:trojan-activity;sid:81078798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.x86"; http_uri; depth:18; isdataat:!1,relative; content:"178.62.36.58"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215697/; classtype:trojan-activity;sid:81078797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/fontandcolor.php"; http_uri; depth:17; isdataat:!1,relative; content:"chiliol.com"; http_host; depth:11; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215694/; classtype:trojan-activity;sid:81078794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/binarys/owari.mips"; http_uri; depth:19; isdataat:!1,relative; content:"178.62.36.58"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215693/; classtype:trojan-activity;sid:81078793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/m68k"; http_uri; depth:5; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215692/; classtype:trojan-activity;sid:81078792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv5l"; http_uri; depth:7; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215689/; classtype:trojan-activity;sid:81078789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mips"; http_uri; depth:5; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215690/; classtype:trojan-activity;sid:81078790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/powerpc"; http_uri; depth:8; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215691/; classtype:trojan-activity;sid:81078791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv6l"; http_uri; depth:7; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215686/; classtype:trojan-activity;sid:81078786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i586"; http_uri; depth:5; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215688/; classtype:trojan-activity;sid:81078788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/i686"; http_uri; depth:5; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215684/; classtype:trojan-activity;sid:81078784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sparc"; http_uri; depth:6; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215687/; classtype:trojan-activity;sid:81078787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/x86"; http_uri; depth:4; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215685/; classtype:trojan-activity;sid:81078785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv4l"; http_uri; depth:7; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215681/; classtype:trojan-activity;sid:81078781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/armv7l"; http_uri; depth:7; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215680/; classtype:trojan-activity;sid:81078780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/mipsel"; http_uri; depth:7; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215683/; classtype:trojan-activity;sid:81078783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/sh4"; http_uri; depth:4; isdataat:!1,relative; content:"198.199.73.140"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215682/; classtype:trojan-activity;sid:81078782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/publickprivate.php"; http_uri; depth:19; isdataat:!1,relative; content:"ai4.health"; http_host; depth:10; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215679/; classtype:trojan-activity;sid:81078779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/smartobject.php"; http_uri; depth:16; isdataat:!1,relative; content:"www.buzznaka.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215678/; classtype:trojan-activity;sid:81078778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9i686"; http_uri; depth:8; isdataat:!1,relative; content:"167.71.184.8"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215677/; classtype:trojan-activity;sid:81078777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9dss"; http_uri; depth:7; isdataat:!1,relative; content:"167.71.184.8"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215676/; classtype:trojan-activity;sid:81078776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9sh4"; http_uri; depth:7; isdataat:!1,relative; content:"167.71.184.8"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215675/; classtype:trojan-activity;sid:81078775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/cc9x86"; http_uri; depth:7; isdataat:!1,relative; content:"167.71.184.8"; http_host; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_08; reference:url, urlhaus.abuse.ch/url/215674/; classtype:trojan-activity;sid:81078774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware do