################################################################ # abuse.ch URLhaus IDS ruleset (Suricata only) # # Last updated: 2021-04-12 18:52:18 (UTC) # # # # Terms Of Use: https://urlhaus.abuse.ch/api/ # # For questions please contact urlhaus [at] abuse.ch # ################################################################ # # url alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.56.208"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107651/; classtype:trojan-activity;sid:81970751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=17kepcdx5mbqd1cgjfvk0hzrhwgl7kmyz"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107645/; classtype:trojan-activity;sid:81970745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1qetrta21jzlpamtuguhjei2g9pqp7sve"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107643/; classtype:trojan-activity;sid:81970743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1qc8jluclmmm2pkezurtk8yujfie4yptf"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107644/; classtype:trojan-activity;sid:81970744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.49.205"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107641/; classtype:trojan-activity;sid:81970741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.56.208"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107640/; classtype:trojan-activity;sid:81970740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.102.219.253"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107639/; classtype:trojan-activity;sid:81970739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.110.89"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107638/; classtype:trojan-activity;sid:81970738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.242.89.51"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107637/; classtype:trojan-activity;sid:81970737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.171.45"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107636/; classtype:trojan-activity;sid:81970736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.193.91.205"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107635/; classtype:trojan-activity;sid:81970735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.31.194"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107634/; classtype:trojan-activity;sid:81970734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.27.91.247"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107633/; classtype:trojan-activity;sid:81970733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.110.37"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107630/; classtype:trojan-activity;sid:81970730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.94.182.232"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107629/; classtype:trojan-activity;sid:81970729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.31.84"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107628/; classtype:trojan-activity;sid:81970728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.97.195.239"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107626/; classtype:trojan-activity;sid:81970726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"39.66.86.75"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107623/; classtype:trojan-activity;sid:81970723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.95.83.98"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107624/; classtype:trojan-activity;sid:81970724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.242.210.90"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107625/; classtype:trojan-activity;sid:81970725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.216.135.181"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107621/; classtype:trojan-activity;sid:81970721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"221.15.145.13"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107617/; classtype:trojan-activity;sid:81970717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.32.121"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107618/; classtype:trojan-activity;sid:81970718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.48.206"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107619/; classtype:trojan-activity;sid:81970719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.176.110.108"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107620/; classtype:trojan-activity;sid:81970720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.36.0"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107613/; classtype:trojan-activity;sid:81970713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"222.138.96.40"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107614/; classtype:trojan-activity;sid:81970714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.213.41.253"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107615/; classtype:trojan-activity;sid:81970715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.116.129.150"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107616/; classtype:trojan-activity;sid:81970716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.25.30"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107612/; classtype:trojan-activity;sid:81970712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.237.125.4"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107611/; classtype:trojan-activity;sid:81970711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.73.21"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107610/; classtype:trojan-activity;sid:81970710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.102.219.253"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107609/; classtype:trojan-activity;sid:81970709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.64.22"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107608/; classtype:trojan-activity;sid:81970708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skptourandtravels.co.in/wp-includes/simplepie/xml/declaration/u3ahwaweza.php"; depth:77; endswith; nocase; http.host; content:"tdejob.work"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107605/; classtype:trojan-activity;sid:81970705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.2.233"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107601/; classtype:trojan-activity;sid:81970701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.113.192"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107600/; classtype:trojan-activity;sid:81970700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.110.37"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107599/; classtype:trojan-activity;sid:81970699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.27.80.98"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107598/; classtype:trojan-activity;sid:81970698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.41.182"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107597/; classtype:trojan-activity;sid:81970697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.187.188"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107596/; classtype:trojan-activity;sid:81970696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.2.28"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107595/; classtype:trojan-activity;sid:81970695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/axqdjyx8"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107593/; classtype:trojan-activity;sid:81970693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.64.22"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107591/; classtype:trojan-activity;sid:81970691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.2.233"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107592/; classtype:trojan-activity;sid:81970692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.240.111"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107590/; classtype:trojan-activity;sid:81970690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.176.109.196"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107589/; classtype:trojan-activity;sid:81970689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/files/m169.dll"; depth:23; endswith; nocase; http.host; content:"each1.xyz"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107587/; classtype:trojan-activity;sid:81970687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.7.15"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107586/; classtype:trojan-activity;sid:81970686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.28.71"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107585/; classtype:trojan-activity;sid:81970685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=5c3d9ca9cf0f517d|7c|26|7c|resid=5c3d9ca9cf0f517d%21342|7c|26|7c|authkey=abgqe_hamgmbmay"; depth:104; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107582/; classtype:trojan-activity;sid:81970682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=4f1922824b1506b2|7c|26|7c|resid=4f1922824b1506b2%21107|7c|26|7c|authkey=abar0oascbdhfyc"; depth:104; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107580/; classtype:trojan-activity;sid:81970680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2rvqutix85lv.php"; depth:17; endswith; nocase; http.host; content:"automanic.tdejob.work"; depth:21; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107581/; classtype:trojan-activity;sid:81970681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=15d9646f4dbf9553|7c|26|7c|resid=15d9646f4dbf9553%21111|7c|26|7c|authkey=aponywvf7stnjky"; depth:104; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107579/; classtype:trojan-activity;sid:81970679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/e9x6fccheabqftt"; depth:23; endswith; nocase; http.host; content:"tds.com.pk"; depth:10; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107577/; classtype:trojan-activity;sid:81970677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4plhl9hmopou"; depth:13; endswith; nocase; http.host; content:"automanic.tdejob.work"; depth:21; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107568/; classtype:trojan-activity;sid:81970668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e0mcr45lmv"; depth:11; endswith; nocase; http.host; content:"automanic.tdejob.work"; depth:21; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107569/; classtype:trojan-activity;sid:81970669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/jlmxqgo0.php"; depth:20; endswith; nocase; http.host; content:"tds.com.pk"; depth:10; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107570/; classtype:trojan-activity;sid:81970670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=15d9646f4dbf9553|7c|26|7c|resid=15d9646f4dbf9553%21113|7c|26|7c|authkey=alhyv0eqyfvgwzs"; depth:104; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107572/; classtype:trojan-activity;sid:81970672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.187.188"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107566/; classtype:trojan-activity;sid:81970666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.240.111"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107567/; classtype:trojan-activity;sid:81970667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.21.210"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107565/; classtype:trojan-activity;sid:81970665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.36.127"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107564/; classtype:trojan-activity;sid:81970664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"24.10.121.183"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107563/; classtype:trojan-activity;sid:81970663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.124.50"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107562/; classtype:trojan-activity;sid:81970662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.170.197"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107561/; classtype:trojan-activity;sid:81970661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.2.28"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107560/; classtype:trojan-activity;sid:81970660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.24.30.208"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107559/; classtype:trojan-activity;sid:81970659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.38.123.23"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107558/; classtype:trojan-activity;sid:81970658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.166.38.88"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107557/; classtype:trojan-activity;sid:81970657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.108.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107556/; classtype:trojan-activity;sid:81970656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.113.192"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107555/; classtype:trojan-activity;sid:81970655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.31.189"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107554/; classtype:trojan-activity;sid:81970654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.96.38.150"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107553/; classtype:trojan-activity;sid:81970653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.14.87"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107552/; classtype:trojan-activity;sid:81970652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.21.210"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107551/; classtype:trojan-activity;sid:81970651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"210.253.50.223"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107550/; classtype:trojan-activity;sid:81970650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.124.104.22"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107549/; classtype:trojan-activity;sid:81970649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/x86"; depth:8; endswith; nocase; http.host; content:"108.174.60.4"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107546/; classtype:trojan-activity;sid:81970646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/ppc"; depth:8; endswith; nocase; http.host; content:"108.174.60.4"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107547/; classtype:trojan-activity;sid:81970647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/mpsl"; depth:9; endswith; nocase; http.host; content:"108.174.60.4"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107544/; classtype:trojan-activity;sid:81970644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/mips"; depth:9; endswith; nocase; http.host; content:"108.174.60.4"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107543/; classtype:trojan-activity;sid:81970643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/arm6"; depth:9; endswith; nocase; http.host; content:"108.174.60.4"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107541/; classtype:trojan-activity;sid:81970641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/arm"; depth:8; endswith; nocase; http.host; content:"108.174.60.4"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107542/; classtype:trojan-activity;sid:81970642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.184.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107540/; classtype:trojan-activity;sid:81970640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.40.108"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107539/; classtype:trojan-activity;sid:81970639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.115.77"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107538/; classtype:trojan-activity;sid:81970638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.24.30.208"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107537/; classtype:trojan-activity;sid:81970637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.14.87"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107532/; classtype:trojan-activity;sid:81970632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"210.253.50.223"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107531/; classtype:trojan-activity;sid:81970631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.241.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107530/; classtype:trojan-activity;sid:81970630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.184.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107529/; classtype:trojan-activity;sid:81970629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.9.169"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107528/; classtype:trojan-activity;sid:81970628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.124.32"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107527/; classtype:trojan-activity;sid:81970627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.97.33"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107526/; classtype:trojan-activity;sid:81970626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.122.216"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107525/; classtype:trojan-activity;sid:81970625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.115.104"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107524/; classtype:trojan-activity;sid:81970624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.40.108"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107523/; classtype:trojan-activity;sid:81970623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.49.232"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107522/; classtype:trojan-activity;sid:81970622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.124.104.22"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107521/; classtype:trojan-activity;sid:81970621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.122.216"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107520/; classtype:trojan-activity;sid:81970620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/demonishrana/template-parts/footer/oumiz0qdgrvz.php"; depth:70; endswith; nocase; http.host; content:"kplmrdentalcare.com"; depth:19; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107518/; classtype:trojan-activity;sid:81970618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/demonishrana/template-parts/footer/bxlobcn5njtwjt.php"; depth:72; endswith; nocase; http.host; content:"kplmrdentalcare.com"; depth:19; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107519/; classtype:trojan-activity;sid:81970619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.124.50"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107516/; classtype:trojan-activity;sid:81970616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.97.33"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107514/; classtype:trojan-activity;sid:81970614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.124.32"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107512/; classtype:trojan-activity;sid:81970612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.110.58"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107511/; classtype:trojan-activity;sid:81970611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.104.192"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107510/; classtype:trojan-activity;sid:81970610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.44.64"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107509/; classtype:trojan-activity;sid:81970609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.109.109"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107507/; classtype:trojan-activity;sid:81970607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hd/vbc.exe"; depth:11; endswith; nocase; http.host; content:"23.95.122.25"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107506/; classtype:trojan-activity;sid:81970606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.76.8"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107505/; classtype:trojan-activity;sid:81970605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-includes/js/tinymce/langs/bofu5b4bhl.php"; depth:47; endswith; nocase; http.host; content:"acssistemas.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107497/; classtype:trojan-activity;sid:81970597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ykhyvzqkmp7gzj.php"; depth:19; endswith; nocase; http.host; content:"m3mfashions.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107499/; classtype:trojan-activity;sid:81970599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/demonishrana/template-parts/footer/d1kzqnurzgy.php"; depth:69; endswith; nocase; http.host; content:"kplmrdentalcare.com"; depth:19; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107502/; classtype:trojan-activity;sid:81970602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.78.3"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107495/; classtype:trojan-activity;sid:81970595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.24.9"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107493/; classtype:trojan-activity;sid:81970593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.38.104.165"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107492/; classtype:trojan-activity;sid:81970592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.31.8.192"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107484/; classtype:trojan-activity;sid:81970584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.30.1.157"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107483/; classtype:trojan-activity;sid:81970583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.252.176.244"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107480/; classtype:trojan-activity;sid:81970580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.248.144.201"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107481/; classtype:trojan-activity;sid:81970581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.118.45"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107482/; classtype:trojan-activity;sid:81970582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.115.172.219"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107479/; classtype:trojan-activity;sid:81970579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"39.86.19.114"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107474/; classtype:trojan-activity;sid:81970574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.249.74.65"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107475/; classtype:trojan-activity;sid:81970575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.86.210"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107476/; classtype:trojan-activity;sid:81970576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.72.134"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107472/; classtype:trojan-activity;sid:81970572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.104.192"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107470/; classtype:trojan-activity;sid:81970570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.93.246"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107469/; classtype:trojan-activity;sid:81970569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.43.12"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107468/; classtype:trojan-activity;sid:81970568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.90.195"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107467/; classtype:trojan-activity;sid:81970567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.9.169"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107466/; classtype:trojan-activity;sid:81970566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"181.54.151.131"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107465/; classtype:trojan-activity;sid:81970565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.109.109"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107464/; classtype:trojan-activity;sid:81970564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.114.202"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107463/; classtype:trojan-activity;sid:81970563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.126.102"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107461/; classtype:trojan-activity;sid:81970561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.85.190"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107460/; classtype:trojan-activity;sid:81970560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.spc"; depth:21; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107457/; classtype:trojan-activity;sid:81970557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.194.9"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107456/; classtype:trojan-activity;sid:81970556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.222.174.170"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107454/; classtype:trojan-activity;sid:81970554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.43.12"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107455/; classtype:trojan-activity;sid:81970555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.91.35"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107453/; classtype:trojan-activity;sid:81970553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.53.156"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107451/; classtype:trojan-activity;sid:81970551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.72.134"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107450/; classtype:trojan-activity;sid:81970550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.63.26"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107449/; classtype:trojan-activity;sid:81970549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.185.138"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107447/; classtype:trojan-activity;sid:81970547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.88.20"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107446/; classtype:trojan-activity;sid:81970546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.62.206"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107445/; classtype:trojan-activity;sid:81970545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.72.194"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107444/; classtype:trojan-activity;sid:81970544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.21.146.170"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107443/; classtype:trojan-activity;sid:81970543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.96.120"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107442/; classtype:trojan-activity;sid:81970542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.63.26"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107437/; classtype:trojan-activity;sid:81970537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drms/ex.html"; depth:13; endswith; nocase; http.host; content:"mississippifloodinsurance.org"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107438/; classtype:trojan-activity;sid:81970538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1asctw0yh64mag2i0qcwtge9kd56hlqe5"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107435/; classtype:trojan-activity;sid:81970535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1_qmvw07oou3slok0vfqfbkywoop_q7wc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107436/; classtype:trojan-activity;sid:81970536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1lc6rguz70kdiuj6kxfbnx61m5g1t9lqx"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107433/; classtype:trojan-activity;sid:81970533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=13zh46e3gipyucrrjh8ndfgmyrohncdj6"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107434/; classtype:trojan-activity;sid:81970534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1deqyypcakasfe964ogpksyabfi564ecb"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107430/; classtype:trojan-activity;sid:81970530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=18_v5vinqspd5jk-0fee8wrsl2zwuu1h-"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107431/; classtype:trojan-activity;sid:81970531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1drlrdvmt1qyxqkbdvbkwq4v7dv2dvlwr"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107432/; classtype:trojan-activity;sid:81970532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.53.156"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107427/; classtype:trojan-activity;sid:81970527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.arm6"; depth:22; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107425/; classtype:trojan-activity;sid:81970525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.arm"; depth:21; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107426/; classtype:trojan-activity;sid:81970526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.m68k"; depth:22; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107423/; classtype:trojan-activity;sid:81970523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.sh4"; depth:21; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107424/; classtype:trojan-activity;sid:81970524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.arm5"; depth:22; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107417/; classtype:trojan-activity;sid:81970517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.ppc"; depth:21; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107418/; classtype:trojan-activity;sid:81970518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.mpsl"; depth:22; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107419/; classtype:trojan-activity;sid:81970519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.mips"; depth:22; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107420/; classtype:trojan-activity;sid:81970520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.x86"; depth:21; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107421/; classtype:trojan-activity;sid:81970521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.arm7"; depth:22; endswith; nocase; http.host; content:"45.95.169.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107422/; classtype:trojan-activity;sid:81970522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.72.194"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107416/; classtype:trojan-activity;sid:81970516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.180.68.229"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107409/; classtype:trojan-activity;sid:81970509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.81.147"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107408/; classtype:trojan-activity;sid:81970508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.72.238"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107407/; classtype:trojan-activity;sid:81970507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.99.16"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107406/; classtype:trojan-activity;sid:81970506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.27.124.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107405/; classtype:trojan-activity;sid:81970505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"174.96.30.156"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107403/; classtype:trojan-activity;sid:81970503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winme/oregs.exe"; depth:16; endswith; nocase; http.host; content:"3.125.17.227"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107398/; classtype:trojan-activity;sid:81970498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winme/oregs-0.exe"; depth:18; endswith; nocase; http.host; content:"3.125.17.227"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107399/; classtype:trojan-activity;sid:81970499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winme/xles.exe"; depth:15; endswith; nocase; http.host; content:"3.125.17.227"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107400/; classtype:trojan-activity;sid:81970500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winme/xles-0.exe"; depth:17; endswith; nocase; http.host; content:"3.125.17.227"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107401/; classtype:trojan-activity;sid:81970501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vbn.exe"; depth:8; endswith; nocase; http.host; content:"198.23.207.96"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107397/; classtype:trojan-activity;sid:81970497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"173.220.222.227"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107396/; classtype:trojan-activity;sid:81970496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.85.76"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107395/; classtype:trojan-activity;sid:81970495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.99.16"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107393/; classtype:trojan-activity;sid:81970493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"195.5.3.162"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107391/; classtype:trojan-activity;sid:81970491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.94.89"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107390/; classtype:trojan-activity;sid:81970490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.65.148"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107385/; classtype:trojan-activity;sid:81970485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.85.76"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107386/; classtype:trojan-activity;sid:81970486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.105.67"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107384/; classtype:trojan-activity;sid:81970484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.58.130"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107383/; classtype:trojan-activity;sid:81970483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"45.61.139.84"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107381/; classtype:trojan-activity;sid:81970481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.61.139.84"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107382/; classtype:trojan-activity;sid:81970482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.53.227.66"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107380/; classtype:trojan-activity;sid:81970480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1louyuai9fqxmtt9rd_xruylzwk1riwmk"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107377/; classtype:trojan-activity;sid:81970477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1kb_73pai-r-9iqnhqps6n8cdampmxvtd"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107375/; classtype:trojan-activity;sid:81970475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=15oztyabrkibvulchlm9fuv9fi1p1lvil"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107376/; classtype:trojan-activity;sid:81970476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1lzef38qzmaoifbtljc22gtqap-jd5vwk"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107374/; classtype:trojan-activity;sid:81970474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1muj8e8fjl0wmwsnqjqbvjhbe-wihyzif"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107373/; classtype:trojan-activity;sid:81970473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gyukfwod75utn5-kz1nxgpmcsrg9iyas"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107371/; classtype:trojan-activity;sid:81970471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=14nognwkplny6thejecwu4mgc0ytbsv3l"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107372/; classtype:trojan-activity;sid:81970472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1w_5d0uwrwuowqjmz7ld45fzupppspduk"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107370/; classtype:trojan-activity;sid:81970470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1aijybt0axkrq08fzv-fgzlsvynpfoa58"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107369/; classtype:trojan-activity;sid:81970469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin_ioxab78.bin"; depth:16; endswith; nocase; http.host; content:"103.141.138.118"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107368/; classtype:trojan-activity;sid:81970468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin_ioxab78.bin"; depth:16; endswith; nocase; http.host; content:"demo.sdssoftltd.co.uk"; depth:21; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107365/; classtype:trojan-activity;sid:81970465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1epolyfhtcoecrpmvv1ha8sh1dv8nuqwo"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107366/; classtype:trojan-activity;sid:81970466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1rfqts0op-hx4lp5n__lxjg1qegtvkdm5"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107367/; classtype:trojan-activity;sid:81970467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1t2ac-2re-md2f_wokoueq7tn3lwls3iv"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107364/; classtype:trojan-activity;sid:81970464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1aeg9hbxzx3dnguoy0yrfyupqamn2ppwt"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107360/; classtype:trojan-activity;sid:81970460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1bo5xeo_pfrnp2sxhrrlu-up6ecri9cjw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107361/; classtype:trojan-activity;sid:81970461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1vdggbe4sj5jqmtyfsy0o5qij_todi1ei"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107362/; classtype:trojan-activity;sid:81970462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1evgv79jm2kha80e4t5kpprtqgh8glbyc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107363/; classtype:trojan-activity;sid:81970463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1c7wid0obwt92pjojjuy2uo8kgpf3_dvc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107359/; classtype:trojan-activity;sid:81970459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documepnt/winlog.exe"; depth:21; endswith; nocase; http.host; content:"stdypmrimelimtewsosq.dns.army"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107358/; classtype:trojan-activity;sid:81970458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documenpt/svchost.exe"; depth:22; endswith; nocase; http.host; content:"surestdysbonescagecv.dns.army"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107357/; classtype:trojan-activity;sid:81970457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.65.148"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107356/; classtype:trojan-activity;sid:81970456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.5.40.6"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107353/; classtype:trojan-activity;sid:81970453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"171.38.219.235"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107351/; classtype:trojan-activity;sid:81970451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"115.55.214.227"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107352/; classtype:trojan-activity;sid:81970452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"178.175.10.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107346/; classtype:trojan-activity;sid:81970446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"27.45.39.29"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107347/; classtype:trojan-activity;sid:81970447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"118.168.129.142"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107349/; classtype:trojan-activity;sid:81970449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.63.133.251"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107332/; classtype:trojan-activity;sid:81970432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.232.197"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107330/; classtype:trojan-activity;sid:81970430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.72.220"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107328/; classtype:trojan-activity;sid:81970428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.88.123.22"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107329/; classtype:trojan-activity;sid:81970429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.5.189.15"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107324/; classtype:trojan-activity;sid:81970424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.127.207.187"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107326/; classtype:trojan-activity;sid:81970426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.235.84.85"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107319/; classtype:trojan-activity;sid:81970419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.58.130"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107320/; classtype:trojan-activity;sid:81970420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.233.97.141"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107318/; classtype:trojan-activity;sid:81970418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.249.22.24"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107317/; classtype:trojan-activity;sid:81970417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.247.201.45"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107316/; classtype:trojan-activity;sid:81970416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.51.117"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107314/; classtype:trojan-activity;sid:81970414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.113.171"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107313/; classtype:trojan-activity;sid:81970413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.48.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107310/; classtype:trojan-activity;sid:81970410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.224.171.165"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107304/; classtype:trojan-activity;sid:81970404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/..-.-................-.....-------------/.............................................................dot"; depth:106; endswith; nocase; http.host; content:"23.95.122.25"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107303/; classtype:trojan-activity;sid:81970403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.9.155.122"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107302/; classtype:trojan-activity;sid:81970402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"118.79.113.239"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107301/; classtype:trojan-activity;sid:81970401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h/vbc.exe"; depth:10; endswith; nocase; http.host; content:"23.95.122.25"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107298/; classtype:trojan-activity;sid:81970398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h/vbc.bk.exe"; depth:13; endswith; nocase; http.host; content:"23.95.122.25"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107300/; classtype:trojan-activity;sid:81970400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.49.104"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107296/; classtype:trojan-activity;sid:81970396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.222.173.91"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107297/; classtype:trojan-activity;sid:81970397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.31.216"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107295/; classtype:trojan-activity;sid:81970395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.88.228.152"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107294/; classtype:trojan-activity;sid:81970394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.51.117"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107293/; classtype:trojan-activity;sid:81970393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.242.19"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107291/; classtype:trojan-activity;sid:81970391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.214.53.159"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107288/; classtype:trojan-activity;sid:81970388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.48.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107287/; classtype:trojan-activity;sid:81970387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.47.127"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107285/; classtype:trojan-activity;sid:81970385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tk.exe"; depth:7; endswith; nocase; http.host; content:"101.99.91.200"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107286/; classtype:trojan-activity;sid:81970386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.47.127"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107284/; classtype:trojan-activity;sid:81970384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.113.171"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107282/; classtype:trojan-activity;sid:81970382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.22.198"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107280/; classtype:trojan-activity;sid:81970380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.16.224"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107279/; classtype:trojan-activity;sid:81970379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.91.81"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107277/; classtype:trojan-activity;sid:81970377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.31.216"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107275/; classtype:trojan-activity;sid:81970375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.89.195"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107273/; classtype:trojan-activity;sid:81970373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.88.228.152"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107272/; classtype:trojan-activity;sid:81970372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.62.130"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107271/; classtype:trojan-activity;sid:81970371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.103.14"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107270/; classtype:trojan-activity;sid:81970370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.254.220"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107268/; classtype:trojan-activity;sid:81970368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1604quas.exe"; depth:13; endswith; nocase; http.host; content:"45.77.9.151"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107267/; classtype:trojan-activity;sid:81970367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.22.198"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107266/; classtype:trojan-activity;sid:81970366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.36.120"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107265/; classtype:trojan-activity;sid:81970365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.232.197"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107263/; classtype:trojan-activity;sid:81970363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.54.78"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107262/; classtype:trojan-activity;sid:81970362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.100.104"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107261/; classtype:trojan-activity;sid:81970361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.27.203"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107260/; classtype:trojan-activity;sid:81970360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rrr.exe"; depth:8; endswith; nocase; http.host; content:"198.23.213.61"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107258/; classtype:trojan-activity;sid:81970358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.209.126.60"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107257/; classtype:trojan-activity;sid:81970357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.33.233"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107256/; classtype:trojan-activity;sid:81970356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.2.23"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107255/; classtype:trojan-activity;sid:81970355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.36.120"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107254/; classtype:trojan-activity;sid:81970354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.93.204"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107253/; classtype:trojan-activity;sid:81970353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.27.203"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107252/; classtype:trojan-activity;sid:81970352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.202.64.149"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107251/; classtype:trojan-activity;sid:81970351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.14.228"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107241/; classtype:trojan-activity;sid:81970341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.72.58"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107240/; classtype:trojan-activity;sid:81970340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.93.204"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107234/; classtype:trojan-activity;sid:81970334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.242.208.197"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107233/; classtype:trojan-activity;sid:81970333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"180.177.5.36"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107231/; classtype:trojan-activity;sid:81970331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.14.228"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107230/; classtype:trojan-activity;sid:81970330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.53.87"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107229/; classtype:trojan-activity;sid:81970329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.72.58"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107227/; classtype:trojan-activity;sid:81970327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.99.52.69"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107226/; classtype:trojan-activity;sid:81970326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.211.6.112"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107224/; classtype:trojan-activity;sid:81970324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downfiles/file.exe"; depth:19; endswith; nocase; http.host; content:"awuqze02.top"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107223/; classtype:trojan-activity;sid:81970323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.194.135.223"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107213/; classtype:trojan-activity;sid:81970313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"60.211.80.216"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107209/; classtype:trojan-activity;sid:81970309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"222.140.163.181"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107210/; classtype:trojan-activity;sid:81970310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.248.109.156"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107206/; classtype:trojan-activity;sid:81970306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.47.11"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107202/; classtype:trojan-activity;sid:81970302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.10.247"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107201/; classtype:trojan-activity;sid:81970301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.124.113"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107200/; classtype:trojan-activity;sid:81970300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.18.31"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107196/; classtype:trojan-activity;sid:81970296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"85.250.147.134"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107189/; classtype:trojan-activity;sid:81970289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p33.exe"; depth:8; endswith; nocase; http.host; content:"dl.pandasecur.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107188/; classtype:trojan-activity;sid:81970288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/probable.exe"; depth:13; endswith; nocase; http.host; content:"itsrlytry.000webhostapp.com"; depth:27; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107187/; classtype:trojan-activity;sid:81970287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.61.212"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107185/; classtype:trojan-activity;sid:81970285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.124.113"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107183/; classtype:trojan-activity;sid:81970283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.18.31"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107179/; classtype:trojan-activity;sid:81970279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.47.11"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107178/; classtype:trojan-activity;sid:81970278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"86.98.23.78"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107175/; classtype:trojan-activity;sid:81970275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documenzt/winlog.exe"; depth:21; endswith; nocase; http.host; content:"stdyzgchgcloudgostxs.dns.army"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107173/; classtype:trojan-activity;sid:81970273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.13.219"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107172/; classtype:trojan-activity;sid:81970272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.121.77"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107170/; classtype:trojan-activity;sid:81970270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.114.51"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107169/; classtype:trojan-activity;sid:81970269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.46.110"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107168/; classtype:trojan-activity;sid:81970268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.89.146.36"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107167/; classtype:trojan-activity;sid:81970267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.52.139"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107166/; classtype:trojan-activity;sid:81970266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1xbp7hvw2ybwjrftbvdkjvwzrfuk4ope9"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107161/; classtype:trojan-activity;sid:81970261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.91.243"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107160/; classtype:trojan-activity;sid:81970260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.194.162.12"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107159/; classtype:trojan-activity;sid:81970259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.13.219"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107150/; classtype:trojan-activity;sid:81970250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downfiles/lv.exe"; depth:17; endswith; nocase; http.host; content:"awumad01.top"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107145/; classtype:trojan-activity;sid:81970245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-6.8-k.ghoul"; depth:14; endswith; nocase; http.host; content:"143.198.120.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107143/; classtype:trojan-activity;sid:81970243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x-3.2-.ghoul"; depth:13; endswith; nocase; http.host; content:"143.198.120.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107144/; classtype:trojan-activity;sid:81970244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s-h.4-.ghoul"; depth:13; endswith; nocase; http.host; content:"143.198.120.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107137/; classtype:trojan-activity;sid:81970237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-7.ghoul"; depth:14; endswith; nocase; http.host; content:"143.198.120.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107138/; classtype:trojan-activity;sid:81970238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p-p.c-.ghoul"; depth:13; endswith; nocase; http.host; content:"143.198.120.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107139/; classtype:trojan-activity;sid:81970239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-i.p-s.ghoul"; depth:14; endswith; nocase; http.host; content:"143.198.120.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107140/; classtype:trojan-activity;sid:81970240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-4.ghoul"; depth:14; endswith; nocase; http.host; content:"143.198.120.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107141/; classtype:trojan-activity;sid:81970241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-5.8-6.ghoul"; depth:14; endswith; nocase; http.host; content:"143.198.120.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107142/; classtype:trojan-activity;sid:81970242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-p.s-l.ghoul"; depth:14; endswith; nocase; http.host; content:"143.198.120.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107135/; classtype:trojan-activity;sid:81970235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-6.ghoul"; depth:14; endswith; nocase; http.host; content:"143.198.120.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107136/; classtype:trojan-activity;sid:81970236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.209.126.25"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107133/; classtype:trojan-activity;sid:81970233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.46.110"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107131/; classtype:trojan-activity;sid:81970231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.91.243"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107130/; classtype:trojan-activity;sid:81970230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.arm6"; depth:11; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107129/; classtype:trojan-activity;sid:81970229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.sparc"; depth:12; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107124/; classtype:trojan-activity;sid:81970224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.ppc"; depth:10; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107125/; classtype:trojan-activity;sid:81970225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.m68k"; depth:11; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107126/; classtype:trojan-activity;sid:81970226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.i686"; depth:11; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107127/; classtype:trojan-activity;sid:81970227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.mips"; depth:11; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107128/; classtype:trojan-activity;sid:81970228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.arm5"; depth:11; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107123/; classtype:trojan-activity;sid:81970223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.i586"; depth:11; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107119/; classtype:trojan-activity;sid:81970219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.mpsl"; depth:11; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107120/; classtype:trojan-activity;sid:81970220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.sh4"; depth:10; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107121/; classtype:trojan-activity;sid:81970221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.arm4"; depth:11; endswith; nocase; http.host; content:"50.115.174.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107122/; classtype:trojan-activity;sid:81970222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.254.220"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107118/; classtype:trojan-activity;sid:81970218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.26.113"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107117/; classtype:trojan-activity;sid:81970217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.104.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107109/; classtype:trojan-activity;sid:81970209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/setup%20-%202021-04-09t114140.132.exe"; depth:44; endswith; nocase; http.host; content:"45.15.143.191"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107095/; classtype:trojan-activity;sid:81970195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/output(1).exe"; depth:20; endswith; nocase; http.host; content:"45.15.143.191"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107094/; classtype:trojan-activity;sid:81970194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/clean(1).exe"; depth:19; endswith; nocase; http.host; content:"45.15.143.191"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107093/; classtype:trojan-activity;sid:81970193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.89.146.36"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107092/; classtype:trojan-activity;sid:81970192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/integral.exe"; depth:19; endswith; nocase; http.host; content:"45.15.143.191"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107091/; classtype:trojan-activity;sid:81970191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.52.114"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107090/; classtype:trojan-activity;sid:81970190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/setupapp.exe"; depth:19; endswith; nocase; http.host; content:"45.15.143.191"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107089/; classtype:trojan-activity;sid:81970189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107088/; classtype:trojan-activity;sid:81970188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107086/; classtype:trojan-activity;sid:81970186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107087/; classtype:trojan-activity;sid:81970187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/c++%20dropper.exe"; depth:24; endswith; nocase; http.host; content:"45.15.143.191"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107085/; classtype:trojan-activity;sid:81970185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107077/; classtype:trojan-activity;sid:81970177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107078/; classtype:trojan-activity;sid:81970178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107079/; classtype:trojan-activity;sid:81970179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107080/; classtype:trojan-activity;sid:81970180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107081/; classtype:trojan-activity;sid:81970181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107082/; classtype:trojan-activity;sid:81970182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107083/; classtype:trojan-activity;sid:81970183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"162.245.221.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107084/; classtype:trojan-activity;sid:81970184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.79.27"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107076/; classtype:trojan-activity;sid:81970176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/setup(1).exe"; depth:19; endswith; nocase; http.host; content:"45.15.143.191"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107073/; classtype:trojan-activity;sid:81970173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.26.113"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107070/; classtype:trojan-activity;sid:81970170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prun.exe"; depth:9; endswith; nocase; http.host; content:"dl.pandasecur.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107069/; classtype:trojan-activity;sid:81970169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prun.exe"; depth:9; endswith; nocase; http.host; content:"secure.activedirect.xyz"; depth:23; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107056/; classtype:trojan-activity;sid:81970156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.18.177"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107055/; classtype:trojan-activity;sid:81970155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1dzx_cflers_zntlrip3fhbxb5who03u0"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107054/; classtype:trojan-activity;sid:81970154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agwondu.bin"; depth:12; endswith; nocase; http.host; content:"101.99.94.15"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107050/; classtype:trojan-activity;sid:81970150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ol/ol.bin"; depth:10; endswith; nocase; http.host; content:"mariotessarollo.com"; depth:19; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107051/; classtype:trojan-activity;sid:81970151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin_mkyekrjqjs250.bin"; depth:22; endswith; nocase; http.host; content:"101.99.94.15"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107049/; classtype:trojan-activity;sid:81970149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/appsetup.exe"; depth:13; endswith; nocase; http.host; content:"secure.activedirect.xyz"; depth:23; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107048/; classtype:trojan-activity;sid:81970148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clubhousedev/clubhouse/downloads/clubhousepc.exe"; depth:49; endswith; nocase; http.host; content:"bitbucket.org"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107045/; classtype:trojan-activity;sid:81970145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.39.110"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107044/; classtype:trojan-activity;sid:81970144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.18.177"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107043/; classtype:trojan-activity;sid:81970143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.79.27"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107042/; classtype:trojan-activity;sid:81970142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.122.197"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107041/; classtype:trojan-activity;sid:81970141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scan.exe"; depth:9; endswith; nocase; http.host; content:"101.99.91.200"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107039/; classtype:trojan-activity;sid:81970139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.7.9"; depth:10; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107038/; classtype:trojan-activity;sid:81970138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"187.135.141.192"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107036/; classtype:trojan-activity;sid:81970136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.200.137"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107035/; classtype:trojan-activity;sid:81970135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.14.95.26"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107026/; classtype:trojan-activity;sid:81970126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.249.77.141"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107025/; classtype:trojan-activity;sid:81970125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.95.83"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107024/; classtype:trojan-activity;sid:81970124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.222.189"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107020/; classtype:trojan-activity;sid:81970120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.227.225.253"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107021/; classtype:trojan-activity;sid:81970121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.121.205.246"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107019/; classtype:trojan-activity;sid:81970119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.21.53"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107014/; classtype:trojan-activity;sid:81970114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.194.131.72"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107015/; classtype:trojan-activity;sid:81970115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.27.43"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107017/; classtype:trojan-activity;sid:81970117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.39.110"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107013/; classtype:trojan-activity;sid:81970113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.127.204"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107009/; classtype:trojan-activity;sid:81970109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmxdoc/win32.exe"; depth:17; endswith; nocase; http.host; content:"stdynmxwllminoragest.dns.army"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107007/; classtype:trojan-activity;sid:81970107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.11.100"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107008/; classtype:trojan-activity;sid:81970108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documen1t/vbc.exe"; depth:18; endswith; nocase; http.host; content:"stdyunitedkesokokgst.dns.army"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107006/; classtype:trojan-activity;sid:81970106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/http/vbc.exe"; depth:13; endswith; nocase; http.host; content:"141.105.65.94"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107005/; classtype:trojan-activity;sid:81970105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receipnt/regasm.exe"; depth:20; endswith; nocase; http.host; content:"stdynbnbnewagedevixz.dns.army"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107002/; classtype:trojan-activity;sid:81970102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/findoc/svchost.exe"; depth:19; endswith; nocase; http.host; content:"stdyworkfinetraingst.dns.army"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107003/; classtype:trojan-activity;sid:81970103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1107001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.194.192.66"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1107001/; classtype:trojan-activity;sid:81970101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.4.14"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106998/; classtype:trojan-activity;sid:81970098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.x/1sh"; depth:7; endswith; nocase; http.host; content:"71.127.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106995/; classtype:trojan-activity;sid:81970095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.12.91"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106992/; classtype:trojan-activity;sid:81970092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kys.mips"; depth:9; endswith; nocase; http.host; content:"192.99.221.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106993/; classtype:trojan-activity;sid:81970093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kys.ppc"; depth:8; endswith; nocase; http.host; content:"192.99.221.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106981/; classtype:trojan-activity;sid:81970081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kys.mpsl"; depth:9; endswith; nocase; http.host; content:"192.99.221.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106982/; classtype:trojan-activity;sid:81970082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kys.arm4"; depth:9; endswith; nocase; http.host; content:"192.99.221.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106983/; classtype:trojan-activity;sid:81970083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kys.sparc"; depth:10; endswith; nocase; http.host; content:"192.99.221.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106984/; classtype:trojan-activity;sid:81970084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kys.arm6"; depth:9; endswith; nocase; http.host; content:"192.99.221.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106986/; classtype:trojan-activity;sid:81970086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"116.108.92.154"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106979/; classtype:trojan-activity;sid:81970079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kys.x86"; depth:8; endswith; nocase; http.host; content:"192.99.221.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106980/; classtype:trojan-activity;sid:81970080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"31.168.16.68"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106977/; classtype:trojan-activity;sid:81970077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kys.sh"; depth:7; endswith; nocase; http.host; content:"192.99.221.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106973/; classtype:trojan-activity;sid:81970073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kys.arm5"; depth:9; endswith; nocase; http.host; content:"192.99.221.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106975/; classtype:trojan-activity;sid:81970075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kys.arm7"; depth:9; endswith; nocase; http.host; content:"192.99.221.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106976/; classtype:trojan-activity;sid:81970076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.54.119"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106969/; classtype:trojan-activity;sid:81970069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.121.125"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106967/; classtype:trojan-activity;sid:81970067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.200.137"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106966/; classtype:trojan-activity;sid:81970066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"149.255.15.170"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106965/; classtype:trojan-activity;sid:81970065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.54.119"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106963/; classtype:trojan-activity;sid:81970063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.121.125"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106962/; classtype:trojan-activity;sid:81970062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.43.90"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106961/; classtype:trojan-activity;sid:81970061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.59.173"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106960/; classtype:trojan-activity;sid:81970060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.176.108.248"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106959/; classtype:trojan-activity;sid:81970059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.25.162"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106958/; classtype:trojan-activity;sid:81970058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.127.204"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106957/; classtype:trojan-activity;sid:81970057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.194.192.66"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106955/; classtype:trojan-activity;sid:81970055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.194.183"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106953/; classtype:trojan-activity;sid:81970053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.170.86.31"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106952/; classtype:trojan-activity;sid:81970052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.4.14"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106951/; classtype:trojan-activity;sid:81970051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.4.247"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106948/; classtype:trojan-activity;sid:81970048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filename.exe"; depth:13; endswith; nocase; http.host; content:"93.157.63.221"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106945/; classtype:trojan-activity;sid:81970045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.59.173"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106944/; classtype:trojan-activity;sid:81970044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.8.107.214"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106942/; classtype:trojan-activity;sid:81970042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.49.86.54"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106941/; classtype:trojan-activity;sid:81970041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.52.255"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106939/; classtype:trojan-activity;sid:81970039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.30.90"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106937/; classtype:trojan-activity;sid:81970037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.170.86.31"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106938/; classtype:trojan-activity;sid:81970038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.12.91"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106936/; classtype:trojan-activity;sid:81970036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.97.68"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106935/; classtype:trojan-activity;sid:81970035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.4.110"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106932/; classtype:trojan-activity;sid:81970032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.76.34"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106930/; classtype:trojan-activity;sid:81970030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.49.86.54"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106929/; classtype:trojan-activity;sid:81970029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.52.255"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106928/; classtype:trojan-activity;sid:81970028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.30.90"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106927/; classtype:trojan-activity;sid:81970027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.50.23.23"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106926/; classtype:trojan-activity;sid:81970026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.5.223"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106925/; classtype:trojan-activity;sid:81970025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.82.73"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106923/; classtype:trojan-activity;sid:81970023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.92.213"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106921/; classtype:trojan-activity;sid:81970021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.141.61.174"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106920/; classtype:trojan-activity;sid:81970020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.172.22"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106919/; classtype:trojan-activity;sid:81970019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.107.135"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106917/; classtype:trojan-activity;sid:81970017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.141.61.174"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106916/; classtype:trojan-activity;sid:81970016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.121.130"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106915/; classtype:trojan-activity;sid:81970015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.24.52"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106913/; classtype:trojan-activity;sid:81970013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.107.135"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106911/; classtype:trojan-activity;sid:81970011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.80.240"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106910/; classtype:trojan-activity;sid:81970010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.49.253"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106905/; classtype:trojan-activity;sid:81970005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.83.17"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106901/; classtype:trojan-activity;sid:81970001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.237.114.80"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106899/; classtype:trojan-activity;sid:81969999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.40.79.170"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106892/; classtype:trojan-activity;sid:81969992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.30.110.30"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106893/; classtype:trojan-activity;sid:81969993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.6.203"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106894/; classtype:trojan-activity;sid:81969994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.112.87"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106887/; classtype:trojan-activity;sid:81969987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.212.175"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106886/; classtype:trojan-activity;sid:81969986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"87.117.11.46"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106884/; classtype:trojan-activity;sid:81969984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.80.240"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106882/; classtype:trojan-activity;sid:81969982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.211.6.112"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106881/; classtype:trojan-activity;sid:81969981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.209.126.206"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106878/; classtype:trojan-activity;sid:81969978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.57.121"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106877/; classtype:trojan-activity;sid:81969977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.198.7.22"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106876/; classtype:trojan-activity;sid:81969976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.212.175"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106875/; classtype:trojan-activity;sid:81969975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.112.87"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106873/; classtype:trojan-activity;sid:81969973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.6.201"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106872/; classtype:trojan-activity;sid:81969972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.24.52"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106871/; classtype:trojan-activity;sid:81969971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.arm5"; depth:16; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106869/; classtype:trojan-activity;sid:81969969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.mips"; depth:16; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106870/; classtype:trojan-activity;sid:81969970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.spc"; depth:15; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106866/; classtype:trojan-activity;sid:81969966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.mpsl"; depth:16; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106864/; classtype:trojan-activity;sid:81969964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.arm6"; depth:16; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106865/; classtype:trojan-activity;sid:81969965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.arm7"; depth:16; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106861/; classtype:trojan-activity;sid:81969961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.x86"; depth:15; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106862/; classtype:trojan-activity;sid:81969962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.m68k"; depth:16; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106863/; classtype:trojan-activity;sid:81969963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.sh4"; depth:15; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106860/; classtype:trojan-activity;sid:81969960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.arm"; depth:15; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106856/; classtype:trojan-activity;sid:81969956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.ppc"; depth:15; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106855/; classtype:trojan-activity;sid:81969955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z.sh"; depth:5; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106854/; classtype:trojan-activity;sid:81969954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/100up.sh"; depth:9; endswith; nocase; http.host; content:"107.172.156.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106853/; classtype:trojan-activity;sid:81969953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"209.146.98.50"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106851/; classtype:trojan-activity;sid:81969951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.11.139"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106850/; classtype:trojan-activity;sid:81969950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.59.8"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106848/; classtype:trojan-activity;sid:81969948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.101.212"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106845/; classtype:trojan-activity;sid:81969945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.109.194"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106844/; classtype:trojan-activity;sid:81969944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"195.5.3.162"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106841/; classtype:trojan-activity;sid:81969941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.97.40.9"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106839/; classtype:trojan-activity;sid:81969939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.244.126"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106837/; classtype:trojan-activity;sid:81969937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.22.74"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106836/; classtype:trojan-activity;sid:81969936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.101.212"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106832/; classtype:trojan-activity;sid:81969932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.51.219.200"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106830/; classtype:trojan-activity;sid:81969930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.118.41"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106829/; classtype:trojan-activity;sid:81969929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.22.74"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106828/; classtype:trojan-activity;sid:81969928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.9.217"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106827/; classtype:trojan-activity;sid:81969927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.29.27"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106825/; classtype:trojan-activity;sid:81969925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.118.41"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106824/; classtype:trojan-activity;sid:81969924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uko.exe"; depth:8; endswith; nocase; http.host; content:"93.157.63.221"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106823/; classtype:trojan-activity;sid:81969923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.104.20"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106822/; classtype:trojan-activity;sid:81969922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.172.22"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106821/; classtype:trojan-activity;sid:81969921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"149.255.15.29"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106819/; classtype:trojan-activity;sid:81969919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.45.66.253"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106810/; classtype:trojan-activity;sid:81969910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.119.200.55"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106802/; classtype:trojan-activity;sid:81969902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.17.9"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106803/; classtype:trojan-activity;sid:81969903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.40.108"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106804/; classtype:trojan-activity;sid:81969904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.83.79.42"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_12; reference:url, urlhaus.abuse.ch/url/1106801/; classtype:trojan-activity;sid:81969901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.89.152"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106799/; classtype:trojan-activity;sid:81969899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.31.211.135"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106798/; classtype:trojan-activity;sid:81969898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.87.227"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106797/; classtype:trojan-activity;sid:81969897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.4.53"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106796/; classtype:trojan-activity;sid:81969896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.136.101"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106795/; classtype:trojan-activity;sid:81969895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/po/tai1.exe"; depth:12; endswith; nocase; http.host; content:"23.92.213.108"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106794/; classtype:trojan-activity;sid:81969894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/po/axsz3.exe"; depth:13; endswith; nocase; http.host; content:"23.92.213.108"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106793/; classtype:trojan-activity;sid:81969893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.14.248"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106792/; classtype:trojan-activity;sid:81969892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.111.76"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106791/; classtype:trojan-activity;sid:81969891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.50.68"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106790/; classtype:trojan-activity;sid:81969890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.96.177"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106789/; classtype:trojan-activity;sid:81969889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.67.65"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106788/; classtype:trojan-activity;sid:81969888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.1.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106787/; classtype:trojan-activity;sid:81969887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.214.163.81"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106786/; classtype:trojan-activity;sid:81969886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.35.237"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106785/; classtype:trojan-activity;sid:81969885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.57.112"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106784/; classtype:trojan-activity;sid:81969884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.14.248"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106783/; classtype:trojan-activity;sid:81969883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.72.208"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106782/; classtype:trojan-activity;sid:81969882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.5.44.190"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106781/; classtype:trojan-activity;sid:81969881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.173.160.185"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106780/; classtype:trojan-activity;sid:81969880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.47.104.246"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106779/; classtype:trojan-activity;sid:81969879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.25.114"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106778/; classtype:trojan-activity;sid:81969878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.68.140"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106777/; classtype:trojan-activity;sid:81969877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.214.163.81"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106776/; classtype:trojan-activity;sid:81969876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.81.189"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106775/; classtype:trojan-activity;sid:81969875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.37.122"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106774/; classtype:trojan-activity;sid:81969874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.111.76"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106773/; classtype:trojan-activity;sid:81969873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.192.88"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106772/; classtype:trojan-activity;sid:81969872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.57.112"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106771/; classtype:trojan-activity;sid:81969871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.72.208"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106770/; classtype:trojan-activity;sid:81969870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.81.114"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106769/; classtype:trojan-activity;sid:81969869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.79.128"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106768/; classtype:trojan-activity;sid:81969868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.25.114"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106767/; classtype:trojan-activity;sid:81969867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.42.28"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106766/; classtype:trojan-activity;sid:81969866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.182.151"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106765/; classtype:trojan-activity;sid:81969865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.79.128"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106764/; classtype:trojan-activity;sid:81969864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.113.24"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106763/; classtype:trojan-activity;sid:81969863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.33.190"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106762/; classtype:trojan-activity;sid:81969862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.53.62"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106761/; classtype:trojan-activity;sid:81969861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.69.251.12"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106760/; classtype:trojan-activity;sid:81969860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.182.237.107"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106759/; classtype:trojan-activity;sid:81969859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.11.139"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106758/; classtype:trojan-activity;sid:81969858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.209.126.74"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106757/; classtype:trojan-activity;sid:81969857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.109.165"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106756/; classtype:trojan-activity;sid:81969856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"177.86.234.173"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106755/; classtype:trojan-activity;sid:81969855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.68.140"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106754/; classtype:trojan-activity;sid:81969854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.17.14"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106753/; classtype:trojan-activity;sid:81969853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.108.142.55"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106752/; classtype:trojan-activity;sid:81969852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.87.207"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106751/; classtype:trojan-activity;sid:81969851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.arm7"; depth:20; endswith; nocase; http.host; content:"195.58.39.196"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106750/; classtype:trojan-activity;sid:81969850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.84.241.94"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106749/; classtype:trojan-activity;sid:81969849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"188.69.251.12"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106748/; classtype:trojan-activity;sid:81969848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.113.24"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106747/; classtype:trojan-activity;sid:81969847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.33.190"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106746/; classtype:trojan-activity;sid:81969846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.1.55"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106745/; classtype:trojan-activity;sid:81969845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.34.180"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106744/; classtype:trojan-activity;sid:81969844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.17.14"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106743/; classtype:trojan-activity;sid:81969843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.127.60"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106742/; classtype:trojan-activity;sid:81969842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.251.81"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106741/; classtype:trojan-activity;sid:81969841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.138.158"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106740/; classtype:trojan-activity;sid:81969840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.55.236"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106738/; classtype:trojan-activity;sid:81969838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"101.0.54.181"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106739/; classtype:trojan-activity;sid:81969839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.234.27.252"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106736/; classtype:trojan-activity;sid:81969836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.55.122"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106737/; classtype:trojan-activity;sid:81969837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"111.92.81.255"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106734/; classtype:trojan-activity;sid:81969834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.202.65.2"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106735/; classtype:trojan-activity;sid:81969835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.96.225"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106733/; classtype:trojan-activity;sid:81969833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.0.145"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106732/; classtype:trojan-activity;sid:81969832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.60.49"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106730/; classtype:trojan-activity;sid:81969830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.85.172.111"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106731/; classtype:trojan-activity;sid:81969831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.116.102.190"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106729/; classtype:trojan-activity;sid:81969829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"108.249.194.121"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106728/; classtype:trojan-activity;sid:81969828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.122.47"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106726/; classtype:trojan-activity;sid:81969826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.14.85.51"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106727/; classtype:trojan-activity;sid:81969827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"110.182.126.118"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106723/; classtype:trojan-activity;sid:81969823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.47.74.230"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106724/; classtype:trojan-activity;sid:81969824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.252.176.140"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106725/; classtype:trojan-activity;sid:81969825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"88.129.208.43"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106721/; classtype:trojan-activity;sid:81969821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"39.87.96.227"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106722/; classtype:trojan-activity;sid:81969822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.75.94"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106720/; classtype:trojan-activity;sid:81969820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.38.123.136"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106719/; classtype:trojan-activity;sid:81969819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.107.156"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106718/; classtype:trojan-activity;sid:81969818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.176.108.248"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106717/; classtype:trojan-activity;sid:81969817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.116.254"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106716/; classtype:trojan-activity;sid:81969816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.59.170.157"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106715/; classtype:trojan-activity;sid:81969815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.251.81"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106714/; classtype:trojan-activity;sid:81969814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.spc"; depth:12; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106713/; classtype:trojan-activity;sid:81969813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.75.94"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106712/; classtype:trojan-activity;sid:81969812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.38.123.136"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106711/; classtype:trojan-activity;sid:81969811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.156.203"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106710/; classtype:trojan-activity;sid:81969810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.73.12.149"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106709/; classtype:trojan-activity;sid:81969809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.78.118"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106708/; classtype:trojan-activity;sid:81969808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.115.208"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106706/; classtype:trojan-activity;sid:81969806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.118.187"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106707/; classtype:trojan-activity;sid:81969807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.8.154"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106705/; classtype:trojan-activity;sid:81969805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.76.221"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106704/; classtype:trojan-activity;sid:81969804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.53.214"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106703/; classtype:trojan-activity;sid:81969803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.137.193"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106702/; classtype:trojan-activity;sid:81969802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.76.146"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106701/; classtype:trojan-activity;sid:81969801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.156.203"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106700/; classtype:trojan-activity;sid:81969800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.108.127"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106699/; classtype:trojan-activity;sid:81969799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.100.151"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106698/; classtype:trojan-activity;sid:81969798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.arm"; depth:12; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106692/; classtype:trojan-activity;sid:81969792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.x86"; depth:12; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106693/; classtype:trojan-activity;sid:81969793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.arm7"; depth:13; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106694/; classtype:trojan-activity;sid:81969794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.arm6"; depth:13; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106695/; classtype:trojan-activity;sid:81969795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.ppc"; depth:12; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106696/; classtype:trojan-activity;sid:81969796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.122.105"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106697/; classtype:trojan-activity;sid:81969797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.mpsl"; depth:13; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106691/; classtype:trojan-activity;sid:81969791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.sh4"; depth:12; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106689/; classtype:trojan-activity;sid:81969789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.m68k"; depth:13; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106690/; classtype:trojan-activity;sid:81969790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.arm5"; depth:13; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106687/; classtype:trojan-activity;sid:81969787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx/apep.mips"; depth:13; endswith; nocase; http.host; content:"2.57.122.24"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106688/; classtype:trojan-activity;sid:81969788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.8.154"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106686/; classtype:trojan-activity;sid:81969786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.32.192"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106685/; classtype:trojan-activity;sid:81969785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.73.12.149"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106684/; classtype:trojan-activity;sid:81969784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.41.139"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106683/; classtype:trojan-activity;sid:81969783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.76.221"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106682/; classtype:trojan-activity;sid:81969782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.100.151"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106681/; classtype:trojan-activity;sid:81969781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.98.63"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106680/; classtype:trojan-activity;sid:81969780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.49.82"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106679/; classtype:trojan-activity;sid:81969779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.122.105"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106678/; classtype:trojan-activity;sid:81969778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.4.180"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106677/; classtype:trojan-activity;sid:81969777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.92.218.82"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106676/; classtype:trojan-activity;sid:81969776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.108.133.19"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106675/; classtype:trojan-activity;sid:81969775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.141.250"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106674/; classtype:trojan-activity;sid:81969774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.81.226"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106673/; classtype:trojan-activity;sid:81969773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.178.168"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106672/; classtype:trojan-activity;sid:81969772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.88.192.87"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106671/; classtype:trojan-activity;sid:81969771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.108.133.19"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106670/; classtype:trojan-activity;sid:81969770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.115.74"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106669/; classtype:trojan-activity;sid:81969769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.110.27"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106668/; classtype:trojan-activity;sid:81969768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.57.123.202"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106667/; classtype:trojan-activity;sid:81969767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.63.53"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106666/; classtype:trojan-activity;sid:81969766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.53.231"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106665/; classtype:trojan-activity;sid:81969765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.61.96.158"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106664/; classtype:trojan-activity;sid:81969764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.229.230.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106663/; classtype:trojan-activity;sid:81969763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.178.168"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106662/; classtype:trojan-activity;sid:81969762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.201.203.224"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106661/; classtype:trojan-activity;sid:81969761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.213.136"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106660/; classtype:trojan-activity;sid:81969760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.105.89"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106659/; classtype:trojan-activity;sid:81969759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.83.170"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106658/; classtype:trojan-activity;sid:81969758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.110.27"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106657/; classtype:trojan-activity;sid:81969757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.63.53"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106656/; classtype:trojan-activity;sid:81969756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.64.116"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106655/; classtype:trojan-activity;sid:81969755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.7.75"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106654/; classtype:trojan-activity;sid:81969754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.222.171.202"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106653/; classtype:trojan-activity;sid:81969753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.213.136"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106652/; classtype:trojan-activity;sid:81969752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.201.203.224"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106651/; classtype:trojan-activity;sid:81969751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.201.195.112"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106650/; classtype:trojan-activity;sid:81969750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.78.118"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106649/; classtype:trojan-activity;sid:81969749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.spc"; depth:16; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106648/; classtype:trojan-activity;sid:81969748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.64.116"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106647/; classtype:trojan-activity;sid:81969747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.139.40"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106646/; classtype:trojan-activity;sid:81969746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"172.43.63.217"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106645/; classtype:trojan-activity;sid:81969745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"116.68.97.137"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106643/; classtype:trojan-activity;sid:81969743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"124.203.217.172"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106644/; classtype:trojan-activity;sid:81969744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"180.188.247.26"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106642/; classtype:trojan-activity;sid:81969742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"111.92.80.63"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106641/; classtype:trojan-activity;sid:81969741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.249.80.36"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106639/; classtype:trojan-activity;sid:81969739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.249.75.128"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106640/; classtype:trojan-activity;sid:81969740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.48.140.22"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106638/; classtype:trojan-activity;sid:81969738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"183.17.145.112"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106636/; classtype:trojan-activity;sid:81969736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"39.83.185.108"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106637/; classtype:trojan-activity;sid:81969737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.175.63.177"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106633/; classtype:trojan-activity;sid:81969733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.11.101"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106634/; classtype:trojan-activity;sid:81969734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.9.249"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106635/; classtype:trojan-activity;sid:81969735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.1.54.62"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106629/; classtype:trojan-activity;sid:81969729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.118.249.97"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106630/; classtype:trojan-activity;sid:81969730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"60.254.36.135"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106631/; classtype:trojan-activity;sid:81969731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.94.182.216"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106632/; classtype:trojan-activity;sid:81969732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.41.139"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106628/; classtype:trojan-activity;sid:81969728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.73.171"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106627/; classtype:trojan-activity;sid:81969727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.250.132"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106626/; classtype:trojan-activity;sid:81969726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.110.60"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106625/; classtype:trojan-activity;sid:81969725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.ppc"; depth:16; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106623/; classtype:trojan-activity;sid:81969723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.sh4"; depth:16; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106624/; classtype:trojan-activity;sid:81969724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.arm7"; depth:17; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106622/; classtype:trojan-activity;sid:81969722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.222.171.202"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106621/; classtype:trojan-activity;sid:81969721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.mpsl"; depth:17; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106614/; classtype:trojan-activity;sid:81969714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.arm6"; depth:17; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106615/; classtype:trojan-activity;sid:81969715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.arm"; depth:16; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106616/; classtype:trojan-activity;sid:81969716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.mips"; depth:17; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106617/; classtype:trojan-activity;sid:81969717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.x86"; depth:16; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106618/; classtype:trojan-activity;sid:81969718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.arm5"; depth:17; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106619/; classtype:trojan-activity;sid:81969719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zehir/z3hir.m68k"; depth:17; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106620/; classtype:trojan-activity;sid:81969720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.90.79"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106613/; classtype:trojan-activity;sid:81969713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.83.109.216"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106612/; classtype:trojan-activity;sid:81969712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.52.24"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106611/; classtype:trojan-activity;sid:81969711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.70.9"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106610/; classtype:trojan-activity;sid:81969710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.61.28"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106609/; classtype:trojan-activity;sid:81969709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.176.110.146"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106608/; classtype:trojan-activity;sid:81969708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.73.171"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106607/; classtype:trojan-activity;sid:81969707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.22.93"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106606/; classtype:trojan-activity;sid:81969706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.22.51"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106605/; classtype:trojan-activity;sid:81969705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.15.19"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106604/; classtype:trojan-activity;sid:81969704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"177.86.233.209"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106603/; classtype:trojan-activity;sid:81969703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.52.24"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106602/; classtype:trojan-activity;sid:81969702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.52.176"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106601/; classtype:trojan-activity;sid:81969701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.123.159"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106600/; classtype:trojan-activity;sid:81969700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.113.51"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106599/; classtype:trojan-activity;sid:81969699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.142.55"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106598/; classtype:trojan-activity;sid:81969698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.126.80"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106597/; classtype:trojan-activity;sid:81969697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.61.28"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106596/; classtype:trojan-activity;sid:81969696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.27.115.8"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106595/; classtype:trojan-activity;sid:81969695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.141.117.41"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106594/; classtype:trojan-activity;sid:81969694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.112.254"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106593/; classtype:trojan-activity;sid:81969693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.99.86.59"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106592/; classtype:trojan-activity;sid:81969692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.123.159"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106591/; classtype:trojan-activity;sid:81969691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.202.215"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106590/; classtype:trojan-activity;sid:81969690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.59.12"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106589/; classtype:trojan-activity;sid:81969689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.132.106.247"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106588/; classtype:trojan-activity;sid:81969688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.93.160"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106587/; classtype:trojan-activity;sid:81969687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.15.172"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106586/; classtype:trojan-activity;sid:81969686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.241.81"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106585/; classtype:trojan-activity;sid:81969685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"59.126.26.220"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106584/; classtype:trojan-activity;sid:81969684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"114.201.201.68"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106582/; classtype:trojan-activity;sid:81969682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.113.51"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106583/; classtype:trojan-activity;sid:81969683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.141.117.41"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106581/; classtype:trojan-activity;sid:81969681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.6.144"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106580/; classtype:trojan-activity;sid:81969680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.99.86.59"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106579/; classtype:trojan-activity;sid:81969679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.34.180"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106578/; classtype:trojan-activity;sid:81969678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.247.206.60"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106577/; classtype:trojan-activity;sid:81969677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.73.215.212"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106576/; classtype:trojan-activity;sid:81969676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.218.19"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106575/; classtype:trojan-activity;sid:81969675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.93.160"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106574/; classtype:trojan-activity;sid:81969674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.132.106.247"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106573/; classtype:trojan-activity;sid:81969673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.15.172"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106571/; classtype:trojan-activity;sid:81969671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.214.205"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106572/; classtype:trojan-activity;sid:81969672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.241.81"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106570/; classtype:trojan-activity;sid:81969670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.82.59"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106569/; classtype:trojan-activity;sid:81969669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.89.43.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106568/; classtype:trojan-activity;sid:81969668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"114.35.254.7"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106567/; classtype:trojan-activity;sid:81969667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.222.173.154"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106566/; classtype:trojan-activity;sid:81969666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.39.41"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106565/; classtype:trojan-activity;sid:81969665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.40.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106564/; classtype:trojan-activity;sid:81969664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.73.215.212"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106563/; classtype:trojan-activity;sid:81969663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.122.172"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106562/; classtype:trojan-activity;sid:81969662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.214.205"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106561/; classtype:trojan-activity;sid:81969661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.182.151"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106560/; classtype:trojan-activity;sid:81969660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.176.110.146"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106559/; classtype:trojan-activity;sid:81969659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.68.18"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106558/; classtype:trojan-activity;sid:81969658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.89.43.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106557/; classtype:trojan-activity;sid:81969657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.123.217.117"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106556/; classtype:trojan-activity;sid:81969656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.53.214"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106555/; classtype:trojan-activity;sid:81969655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.56.30"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106554/; classtype:trojan-activity;sid:81969654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.96.198"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106552/; classtype:trojan-activity;sid:81969652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.63.223"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106553/; classtype:trojan-activity;sid:81969653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.95.71"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106551/; classtype:trojan-activity;sid:81969651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.61.250"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106550/; classtype:trojan-activity;sid:81969650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.0.39"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106549/; classtype:trojan-activity;sid:81969649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.241.252"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106548/; classtype:trojan-activity;sid:81969648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.40.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106547/; classtype:trojan-activity;sid:81969647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.112.85"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106546/; classtype:trojan-activity;sid:81969646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.244.8"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106545/; classtype:trojan-activity;sid:81969645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.17.13"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106544/; classtype:trojan-activity;sid:81969644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.127.194"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106543/; classtype:trojan-activity;sid:81969643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.141.144.219"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106542/; classtype:trojan-activity;sid:81969642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.170"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106540/; classtype:trojan-activity;sid:81969640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"118.246.77.104"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106541/; classtype:trojan-activity;sid:81969641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.215"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106539/; classtype:trojan-activity;sid:81969639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.138.183"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106538/; classtype:trojan-activity;sid:81969638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"223.131.201.82"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106537/; classtype:trojan-activity;sid:81969637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.47.241.132"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106536/; classtype:trojan-activity;sid:81969636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.122.254.7"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106533/; classtype:trojan-activity;sid:81969633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.46.113"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106534/; classtype:trojan-activity;sid:81969634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"221.214.197.120"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106535/; classtype:trojan-activity;sid:81969635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.208.202.87"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106532/; classtype:trojan-activity;sid:81969632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.249.72.135"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106530/; classtype:trojan-activity;sid:81969630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.9.193.253"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106531/; classtype:trojan-activity;sid:81969631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"124.95.10.235"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106525/; classtype:trojan-activity;sid:81969625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.121.151"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106526/; classtype:trojan-activity;sid:81969626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"163.125.200.234"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106527/; classtype:trojan-activity;sid:81969627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.155.107.207"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106528/; classtype:trojan-activity;sid:81969628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.57.145"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106529/; classtype:trojan-activity;sid:81969629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"116.2.174.153"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106524/; classtype:trojan-activity;sid:81969624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.88.130"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106522/; classtype:trojan-activity;sid:81969622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.96.198"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106523/; classtype:trojan-activity;sid:81969623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.101.139"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106521/; classtype:trojan-activity;sid:81969621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.99.90"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106520/; classtype:trojan-activity;sid:81969620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"1.10.147.48"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106519/; classtype:trojan-activity;sid:81969619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.63.223"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106518/; classtype:trojan-activity;sid:81969618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.241.214"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106517/; classtype:trojan-activity;sid:81969617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.249.58"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106516/; classtype:trojan-activity;sid:81969616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.12.148"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106514/; classtype:trojan-activity;sid:81969614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.91.101"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106515/; classtype:trojan-activity;sid:81969615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/wxcy7wp9"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106513/; classtype:trojan-activity;sid:81969613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.141.144.219"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106512/; classtype:trojan-activity;sid:81969612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.56.30"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106511/; classtype:trojan-activity;sid:81969611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.126.234"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106510/; classtype:trojan-activity;sid:81969610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.99.90"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106509/; classtype:trojan-activity;sid:81969609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.60.117.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106508/; classtype:trojan-activity;sid:81969608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.96.126.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106507/; classtype:trojan-activity;sid:81969607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.71.69"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106506/; classtype:trojan-activity;sid:81969606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.249.58"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106505/; classtype:trojan-activity;sid:81969605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.83.125"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106504/; classtype:trojan-activity;sid:81969604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.126.234"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106503/; classtype:trojan-activity;sid:81969603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.12.148"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106502/; classtype:trojan-activity;sid:81969602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.49.54"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106501/; classtype:trojan-activity;sid:81969601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.0.24"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106500/; classtype:trojan-activity;sid:81969600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.60.117.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106499/; classtype:trojan-activity;sid:81969599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.7.19"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106498/; classtype:trojan-activity;sid:81969598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.45.234"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106497/; classtype:trojan-activity;sid:81969597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.106.179"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106495/; classtype:trojan-activity;sid:81969595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.115.176.253"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106496/; classtype:trojan-activity;sid:81969596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.3.130"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106494/; classtype:trojan-activity;sid:81969594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.71.69"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106493/; classtype:trojan-activity;sid:81969593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.27.81.238"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106492/; classtype:trojan-activity;sid:81969592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.45.234"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106491/; classtype:trojan-activity;sid:81969591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.34.180"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106490/; classtype:trojan-activity;sid:81969590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.137.93"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106489/; classtype:trojan-activity;sid:81969589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.115.176.253"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106488/; classtype:trojan-activity;sid:81969588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.146.46"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106487/; classtype:trojan-activity;sid:81969587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.62.238"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106486/; classtype:trojan-activity;sid:81969586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.54.116.243"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106485/; classtype:trojan-activity;sid:81969585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.46.2"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106484/; classtype:trojan-activity;sid:81969584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.137.93"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106483/; classtype:trojan-activity;sid:81969583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.34.180"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106482/; classtype:trojan-activity;sid:81969582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.3.71"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106481/; classtype:trojan-activity;sid:81969581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.15.72"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106480/; classtype:trojan-activity;sid:81969580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.40.50"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106479/; classtype:trojan-activity;sid:81969579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.109.181"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106478/; classtype:trojan-activity;sid:81969578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.71.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106477/; classtype:trojan-activity;sid:81969577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106476/; classtype:trojan-activity;sid:81969576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"135.148.36.127"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106475/; classtype:trojan-activity;sid:81969575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.11.6"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106474/; classtype:trojan-activity;sid:81969574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.91.101"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106473/; classtype:trojan-activity;sid:81969573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.54.116.243"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106472/; classtype:trojan-activity;sid:81969572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.27.81.238"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106471/; classtype:trojan-activity;sid:81969571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.41.36.97"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106470/; classtype:trojan-activity;sid:81969570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.109.181"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106469/; classtype:trojan-activity;sid:81969569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.194.164.208"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106468/; classtype:trojan-activity;sid:81969568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.50.3"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106467/; classtype:trojan-activity;sid:81969567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/829721030112182363/829724335526510622/dcratbuild.exe"; depth:65; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106466/; classtype:trojan-activity;sid:81969566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.131.131.105"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106465/; classtype:trojan-activity;sid:81969565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.47.99"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106463/; classtype:trojan-activity;sid:81969563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.spc"; depth:14; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106464/; classtype:trojan-activity;sid:81969564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.4.70"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106462/; classtype:trojan-activity;sid:81969562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.31.128"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106461/; classtype:trojan-activity;sid:81969561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.85.190"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106460/; classtype:trojan-activity;sid:81969560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.71.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106459/; classtype:trojan-activity;sid:81969559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.40.50"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106458/; classtype:trojan-activity;sid:81969558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.214.37.129"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106457/; classtype:trojan-activity;sid:81969557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.49.51"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106456/; classtype:trojan-activity;sid:81969556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.146.108.150"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106455/; classtype:trojan-activity;sid:81969555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.50.3"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106454/; classtype:trojan-activity;sid:81969554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/712408764354920490/829413679866839120/echelon_protected.exe"; depth:72; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106453/; classtype:trojan-activity;sid:81969553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.21.71"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106452/; classtype:trojan-activity;sid:81969552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.22.94"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106451/; classtype:trojan-activity;sid:81969551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.114.151"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106450/; classtype:trojan-activity;sid:81969550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.131.131.105"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106449/; classtype:trojan-activity;sid:81969549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.227.236"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106448/; classtype:trojan-activity;sid:81969548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.4.70"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106447/; classtype:trojan-activity;sid:81969547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.164.11.175"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106446/; classtype:trojan-activity;sid:81969546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"89.208.122.223"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106444/; classtype:trojan-activity;sid:81969544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.251.62.107"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106445/; classtype:trojan-activity;sid:81969545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"106.1.111.91"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106443/; classtype:trojan-activity;sid:81969543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"183.188.146.216"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106442/; classtype:trojan-activity;sid:81969542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.40.254"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106440/; classtype:trojan-activity;sid:81969540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"153.34.159.207"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106441/; classtype:trojan-activity;sid:81969541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.11.39.103"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106437/; classtype:trojan-activity;sid:81969537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.97.175.226"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106438/; classtype:trojan-activity;sid:81969538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.76.33"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106439/; classtype:trojan-activity;sid:81969539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.4.204.223"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106435/; classtype:trojan-activity;sid:81969535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.84.201"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106436/; classtype:trojan-activity;sid:81969536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.16.86"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106432/; classtype:trojan-activity;sid:81969532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.51.106.238"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106433/; classtype:trojan-activity;sid:81969533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.126.159"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106434/; classtype:trojan-activity;sid:81969534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"222.138.17.203"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106428/; classtype:trojan-activity;sid:81969528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.46.47.171"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106429/; classtype:trojan-activity;sid:81969529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.51.244"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106430/; classtype:trojan-activity;sid:81969530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"163.125.206.193"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106431/; classtype:trojan-activity;sid:81969531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.230.86.107"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106427/; classtype:trojan-activity;sid:81969527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.30.187"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106426/; classtype:trojan-activity;sid:81969526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.214.37.129"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106425/; classtype:trojan-activity;sid:81969525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.6.115"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106424/; classtype:trojan-activity;sid:81969524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.247.201.90"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106423/; classtype:trojan-activity;sid:81969523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.44.38"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106422/; classtype:trojan-activity;sid:81969522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.36.222.249"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106421/; classtype:trojan-activity;sid:81969521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.14.23"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106420/; classtype:trojan-activity;sid:81969520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.146.108.150"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106419/; classtype:trojan-activity;sid:81969519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.47.122"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106418/; classtype:trojan-activity;sid:81969518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.21.71"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106417/; classtype:trojan-activity;sid:81969517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.19.166"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106416/; classtype:trojan-activity;sid:81969516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.99.209"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106415/; classtype:trojan-activity;sid:81969515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"121.175.49.88"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106414/; classtype:trojan-activity;sid:81969514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.196.49.198"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106413/; classtype:trojan-activity;sid:81969513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.7.75"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106412/; classtype:trojan-activity;sid:81969512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.88.70"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106411/; classtype:trojan-activity;sid:81969511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106409/; classtype:trojan-activity;sid:81969509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106410/; classtype:trojan-activity;sid:81969510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106406/; classtype:trojan-activity;sid:81969506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc"; depth:14; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106407/; classtype:trojan-activity;sid:81969507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106408/; classtype:trojan-activity;sid:81969508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106401/; classtype:trojan-activity;sid:81969501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm"; depth:14; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106402/; classtype:trojan-activity;sid:81969502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106403/; classtype:trojan-activity;sid:81969503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106404/; classtype:trojan-activity;sid:81969504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106405/; classtype:trojan-activity;sid:81969505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.6.115"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106400/; classtype:trojan-activity;sid:81969500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.91.3"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106399/; classtype:trojan-activity;sid:81969499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.247.201.90"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106398/; classtype:trojan-activity;sid:81969498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.36.222.249"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106397/; classtype:trojan-activity;sid:81969497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.105.14.158"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106396/; classtype:trojan-activity;sid:81969496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.27.82.29"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106395/; classtype:trojan-activity;sid:81969495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.196.49.198"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106394/; classtype:trojan-activity;sid:81969494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.76.8"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106393/; classtype:trojan-activity;sid:81969493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.21.194"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106392/; classtype:trojan-activity;sid:81969492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.193.91.215"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106391/; classtype:trojan-activity;sid:81969491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.139.147"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106390/; classtype:trojan-activity;sid:81969490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.58.60"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106389/; classtype:trojan-activity;sid:81969489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"173.68.100.93"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106388/; classtype:trojan-activity;sid:81969488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.227.236"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106387/; classtype:trojan-activity;sid:81969487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.36.248"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106386/; classtype:trojan-activity;sid:81969486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.202.215"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106385/; classtype:trojan-activity;sid:81969485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"73.112.123.203"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106384/; classtype:trojan-activity;sid:81969484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.193.91.215"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106383/; classtype:trojan-activity;sid:81969483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.252.0.73"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106382/; classtype:trojan-activity;sid:81969482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.174.72"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106381/; classtype:trojan-activity;sid:81969481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.36.248"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106380/; classtype:trojan-activity;sid:81969480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"173.68.100.93"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106379/; classtype:trojan-activity;sid:81969479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.228.49"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106378/; classtype:trojan-activity;sid:81969478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.65.52"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106377/; classtype:trojan-activity;sid:81969477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.91.3"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106376/; classtype:trojan-activity;sid:81969476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.176.111.130"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106375/; classtype:trojan-activity;sid:81969475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.176.111.130"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106374/; classtype:trojan-activity;sid:81969474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.80.26"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106373/; classtype:trojan-activity;sid:81969473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.252.0.73"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106372/; classtype:trojan-activity;sid:81969472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.32.119"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106371/; classtype:trojan-activity;sid:81969471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.135.34.49"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106370/; classtype:trojan-activity;sid:81969470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.32.119"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106369/; classtype:trojan-activity;sid:81969469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.29.35"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106368/; classtype:trojan-activity;sid:81969468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.47.249"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106367/; classtype:trojan-activity;sid:81969467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.135.34.49"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106366/; classtype:trojan-activity;sid:81969466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.116.158"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106365/; classtype:trojan-activity;sid:81969465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.211.54.220"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106364/; classtype:trojan-activity;sid:81969464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.55.242"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106363/; classtype:trojan-activity;sid:81969463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.138.157"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106362/; classtype:trojan-activity;sid:81969462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.218.135.3"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106358/; classtype:trojan-activity;sid:81969458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.85.209.240"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106359/; classtype:trojan-activity;sid:81969459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.59.203.197"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106360/; classtype:trojan-activity;sid:81969460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"191.199.228.11"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106361/; classtype:trojan-activity;sid:81969461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.248.62.233"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106355/; classtype:trojan-activity;sid:81969455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.255.210.165"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106356/; classtype:trojan-activity;sid:81969456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.248.153.219"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106357/; classtype:trojan-activity;sid:81969457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.155.87.118"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106351/; classtype:trojan-activity;sid:81969451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.62.86"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106352/; classtype:trojan-activity;sid:81969452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.201.202.251"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106353/; classtype:trojan-activity;sid:81969453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.133.135.196"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106354/; classtype:trojan-activity;sid:81969454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.99.90"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106347/; classtype:trojan-activity;sid:81969447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"222.138.133.186"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106348/; classtype:trojan-activity;sid:81969448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.120.141"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106349/; classtype:trojan-activity;sid:81969449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"171.38.150.133"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106350/; classtype:trojan-activity;sid:81969450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.39.158"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106346/; classtype:trojan-activity;sid:81969446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.73.158"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106345/; classtype:trojan-activity;sid:81969445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.68.186"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106344/; classtype:trojan-activity;sid:81969444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.126.176"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106343/; classtype:trojan-activity;sid:81969443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"171.250.131.25"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106342/; classtype:trojan-activity;sid:81969442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106341/; classtype:trojan-activity;sid:81969441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106340/; classtype:trojan-activity;sid:81969440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106335/; classtype:trojan-activity;sid:81969435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106336/; classtype:trojan-activity;sid:81969436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106337/; classtype:trojan-activity;sid:81969437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106338/; classtype:trojan-activity;sid:81969438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106339/; classtype:trojan-activity;sid:81969439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106334/; classtype:trojan-activity;sid:81969434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106333/; classtype:trojan-activity;sid:81969433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.85.231"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106332/; classtype:trojan-activity;sid:81969432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106331/; classtype:trojan-activity;sid:81969431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106330/; classtype:trojan-activity;sid:81969430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.38.222"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106329/; classtype:trojan-activity;sid:81969429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/penelop/5.exe"; depth:20; endswith; nocase; http.host; content:"i.n.t.e.rloca.l.qs.j.y@jfas.top"; depth:31; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106328/; classtype:trojan-activity;sid:81969428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.58.12"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106327/; classtype:trojan-activity;sid:81969427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.65.10.139"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106326/; classtype:trojan-activity;sid:81969426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.126.176"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106325/; classtype:trojan-activity;sid:81969425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.70.108"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106324/; classtype:trojan-activity;sid:81969424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.245.12.89"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106323/; classtype:trojan-activity;sid:81969423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.85.231"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106322/; classtype:trojan-activity;sid:81969422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.118.129"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106321/; classtype:trojan-activity;sid:81969421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.2.183"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106320/; classtype:trojan-activity;sid:81969420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"189.252.184.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106319/; classtype:trojan-activity;sid:81969419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yoyobins.sh"; depth:12; endswith; nocase; http.host; content:"51.75.212.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106318/; classtype:trojan-activity;sid:81969418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.52.139.66"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106317/; classtype:trojan-activity;sid:81969417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.49.75"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106316/; classtype:trojan-activity;sid:81969416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.123.53"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106315/; classtype:trojan-activity;sid:81969415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.118.129"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106314/; classtype:trojan-activity;sid:81969414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.34.222"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106313/; classtype:trojan-activity;sid:81969413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.202.69.250"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106312/; classtype:trojan-activity;sid:81969412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.38.103.114"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106311/; classtype:trojan-activity;sid:81969411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.17.13"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106310/; classtype:trojan-activity;sid:81969410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/foxzzynetwire_vygcqs104.bin"; depth:28; endswith; nocase; http.host; content:"185.174.101.104"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106309/; classtype:trojan-activity;sid:81969409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.2.46"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106308/; classtype:trojan-activity;sid:81969408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.32.34"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106307/; classtype:trojan-activity;sid:81969407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.192.156"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106306/; classtype:trojan-activity;sid:81969406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.27.80.120"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106305/; classtype:trojan-activity;sid:81969405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.70.70"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106304/; classtype:trojan-activity;sid:81969404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.171.166"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106303/; classtype:trojan-activity;sid:81969403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.116.245.146"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106302/; classtype:trojan-activity;sid:81969402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"93.84.111.75"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106301/; classtype:trojan-activity;sid:81969401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"116.68.96.179"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106300/; classtype:trojan-activity;sid:81969400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.155.114.112"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106298/; classtype:trojan-activity;sid:81969398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.41.25.45"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106299/; classtype:trojan-activity;sid:81969399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"45.229.54.68"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106297/; classtype:trojan-activity;sid:81969397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"116.68.96.7"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106296/; classtype:trojan-activity;sid:81969396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"115.88.133.148"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106294/; classtype:trojan-activity;sid:81969394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"70.118.240.88"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106295/; classtype:trojan-activity;sid:81969395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.201.207.26"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106292/; classtype:trojan-activity;sid:81969392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"150.129.105.61"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106293/; classtype:trojan-activity;sid:81969393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"181.199.170.230"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106291/; classtype:trojan-activity;sid:81969391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"42.235.94.232"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106290/; classtype:trojan-activity;sid:81969390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"200.108.173.27"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106286/; classtype:trojan-activity;sid:81969386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.253.15.184"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106287/; classtype:trojan-activity;sid:81969387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.125.52"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106288/; classtype:trojan-activity;sid:81969388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.248.63.212"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106289/; classtype:trojan-activity;sid:81969389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"125.41.208.166"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106284/; classtype:trojan-activity;sid:81969384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.25.109.52"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106285/; classtype:trojan-activity;sid:81969385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.103.40"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106283/; classtype:trojan-activity;sid:81969383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"14.155.86.253"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106281/; classtype:trojan-activity;sid:81969381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/packets.arm7"; depth:18; endswith; nocase; http.host; content:"185.248.102.144"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106282/; classtype:trojan-activity;sid:81969382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"59.93.16.124"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106278/; classtype:trojan-activity;sid:81969378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"1.34.136.243"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106279/; classtype:trojan-activity;sid:81969379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"178.175.81.144"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106280/; classtype:trojan-activity;sid:81969380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"101.109.169.208"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106277/; classtype:trojan-activity;sid:81969377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.222.167.232"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106274/; classtype:trojan-activity;sid:81969374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"178.175.17.137"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106275/; classtype:trojan-activity;sid:81969375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.192.156"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106276/; classtype:trojan-activity;sid:81969376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"178.175.24.183"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106271/; classtype:trojan-activity;sid:81969371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"115.58.13.220"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106272/; classtype:trojan-activity;sid:81969372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"110.187.229.182"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106273/; classtype:trojan-activity;sid:81969373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.136.82.50"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106270/; classtype:trojan-activity;sid:81969370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"178.175.50.68"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106265/; classtype:trojan-activity;sid:81969365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"116.30.122.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106266/; classtype:trojan-activity;sid:81969366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.247.206.20"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106267/; classtype:trojan-activity;sid:81969367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"58.249.73.208"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106268/; classtype:trojan-activity;sid:81969368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"117.196.74.29"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106269/; classtype:trojan-activity;sid:81969369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"182.114.88.247"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106264/; classtype:trojan-activity;sid:81969364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.126.87.246"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106263/; classtype:trojan-activity;sid:81969363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"188.19.187.234"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106262/; classtype:trojan-activity;sid:81969362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.31.32"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106261/; classtype:trojan-activity;sid:81969361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.12.32"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106260/; classtype:trojan-activity;sid:81969360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.217.117.226"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106258/; classtype:trojan-activity;sid:81969358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.55.41"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106259/; classtype:trojan-activity;sid:81969359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"163.125.139.97"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106256/; classtype:trojan-activity;sid:81969356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.45.90.246"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106257/; classtype:trojan-activity;sid:81969357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.40.79.70"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106252/; classtype:trojan-activity;sid:81969352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.12.164.165"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106253/; classtype:trojan-activity;sid:81969353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.201.204.15"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106254/; classtype:trojan-activity;sid:81969354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.85.225"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106255/; classtype:trojan-activity;sid:81969355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.240"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106251/; classtype:trojan-activity;sid:81969351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.89.74.135"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106249/; classtype:trojan-activity;sid:81969349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"183.14.19.209"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106250/; classtype:trojan-activity;sid:81969350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.135.246.180"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106248/; classtype:trojan-activity;sid:81969348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.55.247"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106247/; classtype:trojan-activity;sid:81969347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.201.195.48"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106246/; classtype:trojan-activity;sid:81969346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"116.75.195.177"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106241/; classtype:trojan-activity;sid:81969341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.113.150"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106242/; classtype:trojan-activity;sid:81969342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.63.132.65"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106243/; classtype:trojan-activity;sid:81969343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.135.20.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106244/; classtype:trojan-activity;sid:81969344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.30.71"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106245/; classtype:trojan-activity;sid:81969345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.239.233.220"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106240/; classtype:trojan-activity;sid:81969340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.5.23.47"; depth:10; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106239/; classtype:trojan-activity;sid:81969339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.3.145.32"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106238/; classtype:trojan-activity;sid:81969338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.1.211"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106237/; classtype:trojan-activity;sid:81969337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.118.177"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106236/; classtype:trojan-activity;sid:81969336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.173.78"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106235/; classtype:trojan-activity;sid:81969335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.31.211.135"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106234/; classtype:trojan-activity;sid:81969334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.3.145.32"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106233/; classtype:trojan-activity;sid:81969333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.70.178"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106232/; classtype:trojan-activity;sid:81969332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.1.211"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106231/; classtype:trojan-activity;sid:81969331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.58.105"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106230/; classtype:trojan-activity;sid:81969330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.194.161.234"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106229/; classtype:trojan-activity;sid:81969329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.109.199"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106228/; classtype:trojan-activity;sid:81969328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.118.177"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106227/; classtype:trojan-activity;sid:81969327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.30.91"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106226/; classtype:trojan-activity;sid:81969326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.138.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106225/; classtype:trojan-activity;sid:81969325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.49.40"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106224/; classtype:trojan-activity;sid:81969324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.112.183"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106223/; classtype:trojan-activity;sid:81969323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/1.png"; depth:11; endswith; nocase; http.host; content:"ctgame.tk"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106221/; classtype:trojan-activity;sid:81969321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/0.png"; depth:11; endswith; nocase; http.host; content:"ctgame.tk"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106222/; classtype:trojan-activity;sid:81969322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.214.142"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106220/; classtype:trojan-activity;sid:81969320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.7.113"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106219/; classtype:trojan-activity;sid:81969319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.106.146"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106218/; classtype:trojan-activity;sid:81969318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.58.105"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106217/; classtype:trojan-activity;sid:81969317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.x86"; depth:19; endswith; nocase; http.host; content:"45.138.24.93"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106214/; classtype:trojan-activity;sid:81969314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.47.162"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106215/; classtype:trojan-activity;sid:81969315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.mips"; depth:20; endswith; nocase; http.host; content:"45.138.24.93"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106216/; classtype:trojan-activity;sid:81969316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.mpsl"; depth:20; endswith; nocase; http.host; content:"45.138.24.93"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106209/; classtype:trojan-activity;sid:81969309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.sh4"; depth:19; endswith; nocase; http.host; content:"45.138.24.93"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106210/; classtype:trojan-activity;sid:81969310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.m68k"; depth:20; endswith; nocase; http.host; content:"45.138.24.93"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106211/; classtype:trojan-activity;sid:81969311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.arm7"; depth:20; endswith; nocase; http.host; content:"45.138.24.93"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106212/; classtype:trojan-activity;sid:81969312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.arm6"; depth:20; endswith; nocase; http.host; content:"45.138.24.93"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106213/; classtype:trojan-activity;sid:81969313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.arm5"; depth:20; endswith; nocase; http.host; content:"45.138.24.93"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106206/; classtype:trojan-activity;sid:81969306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.arm"; depth:19; endswith; nocase; http.host; content:"45.138.24.93"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106207/; classtype:trojan-activity;sid:81969307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.ppc"; depth:19; endswith; nocase; http.host; content:"45.138.24.93"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106208/; classtype:trojan-activity;sid:81969308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.138.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106205/; classtype:trojan-activity;sid:81969305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.136.212"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106204/; classtype:trojan-activity;sid:81969304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.20.231"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106203/; classtype:trojan-activity;sid:81969303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.214.142"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106202/; classtype:trojan-activity;sid:81969302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.41.68"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106201/; classtype:trojan-activity;sid:81969301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.49.40"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106200/; classtype:trojan-activity;sid:81969300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.24.176"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106199/; classtype:trojan-activity;sid:81969299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.42.115"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106198/; classtype:trojan-activity;sid:81969298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.56.74"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106197/; classtype:trojan-activity;sid:81969297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.115.1"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106196/; classtype:trojan-activity;sid:81969296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.55.235"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106195/; classtype:trojan-activity;sid:81969295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"187.135.141.192"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106194/; classtype:trojan-activity;sid:81969294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkorea/pornhub.arm7"; depth:20; endswith; nocase; http.host; content:"195.58.39.176"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106193/; classtype:trojan-activity;sid:81969293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.9.225"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106192/; classtype:trojan-activity;sid:81969292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"177.86.234.10"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106191/; classtype:trojan-activity;sid:81969291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.24.176"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106190/; classtype:trojan-activity;sid:81969290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.115.1"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106189/; classtype:trojan-activity;sid:81969289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.229.230.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106188/; classtype:trojan-activity;sid:81969288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.42.115"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106187/; classtype:trojan-activity;sid:81969287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.55.235"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106186/; classtype:trojan-activity;sid:81969286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.84.154"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106185/; classtype:trojan-activity;sid:81969285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.125.218"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106184/; classtype:trojan-activity;sid:81969284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.1.200"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106183/; classtype:trojan-activity;sid:81969283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.117.12"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106182/; classtype:trojan-activity;sid:81969282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.9.225"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106181/; classtype:trojan-activity;sid:81969281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.194.148.123"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106180/; classtype:trojan-activity;sid:81969280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.14.173"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106179/; classtype:trojan-activity;sid:81969279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.126.197"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106178/; classtype:trojan-activity;sid:81969278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.93.6"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106177/; classtype:trojan-activity;sid:81969277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.14.222"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106176/; classtype:trojan-activity;sid:81969276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.40.254"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106175/; classtype:trojan-activity;sid:81969275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.107.127"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106173/; classtype:trojan-activity;sid:81969273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.126.197"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106174/; classtype:trojan-activity;sid:81969274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.78.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106172/; classtype:trojan-activity;sid:81969272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.118.34"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106171/; classtype:trojan-activity;sid:81969271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.55.60"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106170/; classtype:trojan-activity;sid:81969270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"221.15.118.165"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106169/; classtype:trojan-activity;sid:81969269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.107"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106168/; classtype:trojan-activity;sid:81969268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.139.203"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106166/; classtype:trojan-activity;sid:81969266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.217.117.40"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106167/; classtype:trojan-activity;sid:81969267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.85.173.173"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106165/; classtype:trojan-activity;sid:81969265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.231.128.153"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106161/; classtype:trojan-activity;sid:81969261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.29.136"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106162/; classtype:trojan-activity;sid:81969262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.59.252.120"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106163/; classtype:trojan-activity;sid:81969263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.224.176.27"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106164/; classtype:trojan-activity;sid:81969264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.202.70.155"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106160/; classtype:trojan-activity;sid:81969260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.91.3"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106159/; classtype:trojan-activity;sid:81969259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"222.137.170.17"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106155/; classtype:trojan-activity;sid:81969255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.73.107"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106156/; classtype:trojan-activity;sid:81969256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"136.34.57.224"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106157/; classtype:trojan-activity;sid:81969257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.94.181.189"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106158/; classtype:trojan-activity;sid:81969258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"222.139.21.190"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106151/; classtype:trojan-activity;sid:81969251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.58.188"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106152/; classtype:trojan-activity;sid:81969252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.59.58.164"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106153/; classtype:trojan-activity;sid:81969253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.242.211.185"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106154/; classtype:trojan-activity;sid:81969254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.99.42.165"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106150/; classtype:trojan-activity;sid:81969250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.93.6"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106149/; classtype:trojan-activity;sid:81969249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.119.161"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106148/; classtype:trojan-activity;sid:81969248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.59.176.184"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106147/; classtype:trojan-activity;sid:81969247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.108.69.29"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106146/; classtype:trojan-activity;sid:81969246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.24.107"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106145/; classtype:trojan-activity;sid:81969245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.78.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106144/; classtype:trojan-activity;sid:81969244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.17.54"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106143/; classtype:trojan-activity;sid:81969243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"219.68.244.6"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106142/; classtype:trojan-activity;sid:81969242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.31.92"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106141/; classtype:trojan-activity;sid:81969241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.13.68"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106140/; classtype:trojan-activity;sid:81969240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.6.240.232"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106139/; classtype:trojan-activity;sid:81969239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.4.118"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106138/; classtype:trojan-activity;sid:81969238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.sh4"; depth:15; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106135/; classtype:trojan-activity;sid:81969235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106136/; classtype:trojan-activity;sid:81969236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.mips"; depth:16; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106137/; classtype:trojan-activity;sid:81969237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.35.237"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106134/; classtype:trojan-activity;sid:81969234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.51.160"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106133/; classtype:trojan-activity;sid:81969233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106132/; classtype:trojan-activity;sid:81969232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.ppc"; depth:15; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106130/; classtype:trojan-activity;sid:81969230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106131/; classtype:trojan-activity;sid:81969231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.arm5"; depth:16; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106125/; classtype:trojan-activity;sid:81969225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.m68k"; depth:16; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106126/; classtype:trojan-activity;sid:81969226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106127/; classtype:trojan-activity;sid:81969227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.x86"; depth:15; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106128/; classtype:trojan-activity;sid:81969228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106129/; classtype:trojan-activity;sid:81969229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106123/; classtype:trojan-activity;sid:81969223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.spc"; depth:15; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106124/; classtype:trojan-activity;sid:81969224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.92.170"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106122/; classtype:trojan-activity;sid:81969222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.33.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106121/; classtype:trojan-activity;sid:81969221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.85.202"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106120/; classtype:trojan-activity;sid:81969220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106119/; classtype:trojan-activity;sid:81969219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106116/; classtype:trojan-activity;sid:81969216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106117/; classtype:trojan-activity;sid:81969217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.arm7"; depth:16; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106118/; classtype:trojan-activity;sid:81969218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.mpsl"; depth:16; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106115/; classtype:trojan-activity;sid:81969215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.124.38"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106114/; classtype:trojan-activity;sid:81969214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.arm"; depth:15; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106112/; classtype:trojan-activity;sid:81969212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106113/; classtype:trojan-activity;sid:81969213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106111/; classtype:trojan-activity;sid:81969211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106110/; classtype:trojan-activity;sid:81969210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.15.250"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106109/; classtype:trojan-activity;sid:81969209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/100up.arm6"; depth:16; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106108/; classtype:trojan-activity;sid:81969208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eksgbins.sh"; depth:12; endswith; nocase; http.host; content:"107.174.24.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106107/; classtype:trojan-activity;sid:81969207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/100up.sh"; depth:9; endswith; nocase; http.host; content:"107.172.156.122"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106106/; classtype:trojan-activity;sid:81969206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.242.91.219"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106105/; classtype:trojan-activity;sid:81969205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.2.28"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106104/; classtype:trojan-activity;sid:81969204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.67.132"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106103/; classtype:trojan-activity;sid:81969203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.6.240.232"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106102/; classtype:trojan-activity;sid:81969202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.92.170"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106101/; classtype:trojan-activity;sid:81969201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl27.124.10.236/chrome_elf.dll"; depth:32; endswith; nocase; http.host; content:"216.83.57.208"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106100/; classtype:trojan-activity;sid:81969200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.60.7"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106099/; classtype:trojan-activity;sid:81969199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.85.202"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106098/; classtype:trojan-activity;sid:81969198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.91.55"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106097/; classtype:trojan-activity;sid:81969197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.33.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106096/; classtype:trojan-activity;sid:81969196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.35.52"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106095/; classtype:trojan-activity;sid:81969195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.103.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106094/; classtype:trojan-activity;sid:81969194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.39.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106093/; classtype:trojan-activity;sid:81969193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.15.250"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106092/; classtype:trojan-activity;sid:81969192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.2.28"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106091/; classtype:trojan-activity;sid:81969191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.171.110"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106090/; classtype:trojan-activity;sid:81969190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.8.130"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106089/; classtype:trojan-activity;sid:81969189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.61.97.64"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106088/; classtype:trojan-activity;sid:81969188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.35.52"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106087/; classtype:trojan-activity;sid:81969187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.60.7"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106086/; classtype:trojan-activity;sid:81969186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.103.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106085/; classtype:trojan-activity;sid:81969185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.171.110"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106084/; classtype:trojan-activity;sid:81969184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.39.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106083/; classtype:trojan-activity;sid:81969183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.124.38"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106082/; classtype:trojan-activity;sid:81969182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.108.131.47"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106081/; classtype:trojan-activity;sid:81969181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.108.139.147"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106080/; classtype:trojan-activity;sid:81969180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.8.130"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106079/; classtype:trojan-activity;sid:81969179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.66.140"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106078/; classtype:trojan-activity;sid:81969178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.39.211"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106077/; classtype:trojan-activity;sid:81969177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.99.45"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106076/; classtype:trojan-activity;sid:81969176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.90.137"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106075/; classtype:trojan-activity;sid:81969175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.39.211"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106074/; classtype:trojan-activity;sid:81969174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.49.77.222"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106073/; classtype:trojan-activity;sid:81969173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.26.66"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106070/; classtype:trojan-activity;sid:81969170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.74.215"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106071/; classtype:trojan-activity;sid:81969171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.222.174.207"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106072/; classtype:trojan-activity;sid:81969172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"221.14.162.20"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106068/; classtype:trojan-activity;sid:81969168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.114.88.240"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106069/; classtype:trojan-activity;sid:81969169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.154.123.21"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106064/; classtype:trojan-activity;sid:81969164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.218.73.45"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106065/; classtype:trojan-activity;sid:81969165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.61.110.120"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106066/; classtype:trojan-activity;sid:81969166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.248.148.18"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106067/; classtype:trojan-activity;sid:81969167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.13.236"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106062/; classtype:trojan-activity;sid:81969162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.17.135"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106063/; classtype:trojan-activity;sid:81969163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.95.20.28"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106057/; classtype:trojan-activity;sid:81969157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.54.161"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106058/; classtype:trojan-activity;sid:81969158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.154.175.200"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106059/; classtype:trojan-activity;sid:81969159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.101.252"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106060/; classtype:trojan-activity;sid:81969160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.228.34.188"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106061/; classtype:trojan-activity;sid:81969161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.12.191"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106054/; classtype:trojan-activity;sid:81969154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.53.203.161"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106055/; classtype:trojan-activity;sid:81969155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.40.209"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106056/; classtype:trojan-activity;sid:81969156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.21.176"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_11; reference:url, urlhaus.abuse.ch/url/1106053/; classtype:trojan-activity;sid:81969153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.4.73"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106052/; classtype:trojan-activity;sid:81969152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.141.31.139"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106051/; classtype:trojan-activity;sid:81969151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.86.117"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106050/; classtype:trojan-activity;sid:81969150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.121.169"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106049/; classtype:trojan-activity;sid:81969149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.231.59.220"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106048/; classtype:trojan-activity;sid:81969148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.90.137"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106047/; classtype:trojan-activity;sid:81969147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.171.14"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106046/; classtype:trojan-activity;sid:81969146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.99.45"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106045/; classtype:trojan-activity;sid:81969145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.21.34"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106044/; classtype:trojan-activity;sid:81969144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.62.134"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106043/; classtype:trojan-activity;sid:81969143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.4.73"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106042/; classtype:trojan-activity;sid:81969142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.21.176"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106041/; classtype:trojan-activity;sid:81969141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.120.74"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106040/; classtype:trojan-activity;sid:81969140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.69.243"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106039/; classtype:trojan-activity;sid:81969139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.62.137"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106038/; classtype:trojan-activity;sid:81969138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.171.14"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106037/; classtype:trojan-activity;sid:81969137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.62.134"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106036/; classtype:trojan-activity;sid:81969136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.82.170"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106035/; classtype:trojan-activity;sid:81969135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.78.125"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106034/; classtype:trojan-activity;sid:81969134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl156.226.23.236/chrome_elf.dll"; depth:33; endswith; nocase; http.host; content:"216.83.57.208"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106033/; classtype:trojan-activity;sid:81969133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.1.238"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106032/; classtype:trojan-activity;sid:81969132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.109.98"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106031/; classtype:trojan-activity;sid:81969131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.30.181"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106030/; classtype:trojan-activity;sid:81969130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"210.180.237.212"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106029/; classtype:trojan-activity;sid:81969129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.82.170"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106027/; classtype:trojan-activity;sid:81969127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.180.62"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106028/; classtype:trojan-activity;sid:81969128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.236.161.72"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106026/; classtype:trojan-activity;sid:81969126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.44.78"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106025/; classtype:trojan-activity;sid:81969125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.57.40"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106024/; classtype:trojan-activity;sid:81969124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.87.226"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106023/; classtype:trojan-activity;sid:81969123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.180.62"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106022/; classtype:trojan-activity;sid:81969122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.104.63"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106021/; classtype:trojan-activity;sid:81969121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"210.180.237.212"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106020/; classtype:trojan-activity;sid:81969120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.30.181"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106019/; classtype:trojan-activity;sid:81969119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.84.22"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106018/; classtype:trojan-activity;sid:81969118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.87.210"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106017/; classtype:trojan-activity;sid:81969117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.114.36"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106016/; classtype:trojan-activity;sid:81969116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.87.151"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106015/; classtype:trojan-activity;sid:81969115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.39.157"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106014/; classtype:trojan-activity;sid:81969114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.172.176.30"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106013/; classtype:trojan-activity;sid:81969113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.65.234"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106012/; classtype:trojan-activity;sid:81969112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.186.47"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106011/; classtype:trojan-activity;sid:81969111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.123.53"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106010/; classtype:trojan-activity;sid:81969110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/penelop/updatewin2.exe"; depth:29; endswith; nocase; http.host; content:"jfas.top"; depth:8; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106009/; classtype:trojan-activity;sid:81969109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.120.12"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106008/; classtype:trojan-activity;sid:81969108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.39.157"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106007/; classtype:trojan-activity;sid:81969107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.87.151"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106006/; classtype:trojan-activity;sid:81969106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.48.194"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106005/; classtype:trojan-activity;sid:81969105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.52.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106004/; classtype:trojan-activity;sid:81969104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.117.110"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106003/; classtype:trojan-activity;sid:81969103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.spc"; depth:17; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106002/; classtype:trojan-activity;sid:81969102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.arc"; depth:17; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106001/; classtype:trojan-activity;sid:81969101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1106000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.sh4"; depth:17; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1106000/; classtype:trojan-activity;sid:81969100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.arm5"; depth:18; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105995/; classtype:trojan-activity;sid:81969095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.arm"; depth:17; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105996/; classtype:trojan-activity;sid:81969096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.mips"; depth:18; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105997/; classtype:trojan-activity;sid:81969097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.211.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105998/; classtype:trojan-activity;sid:81969098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.arm6"; depth:18; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105999/; classtype:trojan-activity;sid:81969099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.m68k"; depth:18; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105991/; classtype:trojan-activity;sid:81969091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.ppc"; depth:17; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105992/; classtype:trojan-activity;sid:81969092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.arm7"; depth:18; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105993/; classtype:trojan-activity;sid:81969093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nemesis.mpsl"; depth:18; endswith; nocase; http.host; content:"203.159.80.164"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105994/; classtype:trojan-activity;sid:81969094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.65.234"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105990/; classtype:trojan-activity;sid:81969090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.83.73"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105989/; classtype:trojan-activity;sid:81969089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.211.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105988/; classtype:trojan-activity;sid:81969088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.48.194"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105987/; classtype:trojan-activity;sid:81969087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.8.119"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105986/; classtype:trojan-activity;sid:81969086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.36.175"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105985/; classtype:trojan-activity;sid:81969085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.123.53"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105984/; classtype:trojan-activity;sid:81969084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.144"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105983/; classtype:trojan-activity;sid:81969083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"175.10.159.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105982/; classtype:trojan-activity;sid:81969082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.47.123.156"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105980/; classtype:trojan-activity;sid:81969080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.121.175.35"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105981/; classtype:trojan-activity;sid:81969081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.217.121.86"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105979/; classtype:trojan-activity;sid:81969079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.134.185.112"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105978/; classtype:trojan-activity;sid:81969078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"60.214.85.149"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105974/; classtype:trojan-activity;sid:81969074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.2.71"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105975/; classtype:trojan-activity;sid:81969075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"180.108.21.172"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105976/; classtype:trojan-activity;sid:81969076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"61.53.74.236"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105977/; classtype:trojan-activity;sid:81969077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.42.60"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105973/; classtype:trojan-activity;sid:81969073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.88.153.5"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105972/; classtype:trojan-activity;sid:81969072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"60.220.159.240"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105970/; classtype:trojan-activity;sid:81969070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.78.250"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105971/; classtype:trojan-activity;sid:81969071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.99.44.229"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105966/; classtype:trojan-activity;sid:81969066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.90.3"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105967/; classtype:trojan-activity;sid:81969067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.231.184.245"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105968/; classtype:trojan-activity;sid:81969068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.121.159.147"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105969/; classtype:trojan-activity;sid:81969069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"217.65.221.197"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105965/; classtype:trojan-activity;sid:81969065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.83.73"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105964/; classtype:trojan-activity;sid:81969064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.27.125.109"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105963/; classtype:trojan-activity;sid:81969063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.62.151"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105962/; classtype:trojan-activity;sid:81969062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.25.56"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105961/; classtype:trojan-activity;sid:81969061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.80.98"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105959/; classtype:trojan-activity;sid:81969059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.64.76"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105960/; classtype:trojan-activity;sid:81969060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.46.196"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105958/; classtype:trojan-activity;sid:81969058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.126.18"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105957/; classtype:trojan-activity;sid:81969057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.209.126.74"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105956/; classtype:trojan-activity;sid:81969056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.97.70"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105955/; classtype:trojan-activity;sid:81969055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.13.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105954/; classtype:trojan-activity;sid:81969054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.25.56"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105953/; classtype:trojan-activity;sid:81969053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.80.98"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105952/; classtype:trojan-activity;sid:81969052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.186.88"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105951/; classtype:trojan-activity;sid:81969051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.26.215"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105950/; classtype:trojan-activity;sid:81969050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.46.196"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105949/; classtype:trojan-activity;sid:81969049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.97.70"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105948/; classtype:trojan-activity;sid:81969048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.38.89"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105947/; classtype:trojan-activity;sid:81969047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.45.113"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105946/; classtype:trojan-activity;sid:81969046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.30.254"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105945/; classtype:trojan-activity;sid:81969045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.127.250"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105944/; classtype:trojan-activity;sid:81969044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.201.194.209"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105943/; classtype:trojan-activity;sid:81969043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.131.47"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105942/; classtype:trojan-activity;sid:81969042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"126.39.155.210"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105941/; classtype:trojan-activity;sid:81969041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.186.88"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105940/; classtype:trojan-activity;sid:81969040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.91.97"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105939/; classtype:trojan-activity;sid:81969039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.120.18"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105938/; classtype:trojan-activity;sid:81969038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.arm7"; depth:13; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105937/; classtype:trojan-activity;sid:81969037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.sparc"; depth:14; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105935/; classtype:trojan-activity;sid:81969035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.i586"; depth:13; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105936/; classtype:trojan-activity;sid:81969036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.m68k"; depth:13; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105931/; classtype:trojan-activity;sid:81969031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.mips"; depth:13; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105932/; classtype:trojan-activity;sid:81969032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.mpsl"; depth:13; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105933/; classtype:trojan-activity;sid:81969033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.ppc"; depth:12; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105934/; classtype:trojan-activity;sid:81969034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.i686"; depth:13; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105929/; classtype:trojan-activity;sid:81969029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.sh4"; depth:12; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105930/; classtype:trojan-activity;sid:81969030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.arm5"; depth:13; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105928/; classtype:trojan-activity;sid:81969028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.arm4"; depth:13; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105926/; classtype:trojan-activity;sid:81969026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy.arm6"; depth:13; endswith; nocase; http.host; content:"104.168.173.119"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105927/; classtype:trojan-activity;sid:81969027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.51.2"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105925/; classtype:trojan-activity;sid:81969025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.30.254"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105924/; classtype:trojan-activity;sid:81969024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"126.39.155.210"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105923/; classtype:trojan-activity;sid:81969023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.120.18"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105922/; classtype:trojan-activity;sid:81969022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.126.156"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105921/; classtype:trojan-activity;sid:81969021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.51.2"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105920/; classtype:trojan-activity;sid:81969020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.13.201"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105919/; classtype:trojan-activity;sid:81969019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.54.225"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105918/; classtype:trojan-activity;sid:81969018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-5.8-6.snoopy"; depth:15; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105917/; classtype:trojan-activity;sid:81969017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-7.snoopy"; depth:15; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105915/; classtype:trojan-activity;sid:81969015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-6.8-k.snoopy"; depth:15; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105916/; classtype:trojan-activity;sid:81969016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-6.snoopy"; depth:15; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105914/; classtype:trojan-activity;sid:81969014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s-h.4-.snoopy"; depth:14; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105907/; classtype:trojan-activity;sid:81969007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-p.s-l.snoopy"; depth:15; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105908/; classtype:trojan-activity;sid:81969008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-i.p-s.snoopy"; depth:15; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105909/; classtype:trojan-activity;sid:81969009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-5.snoopy"; depth:15; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105910/; classtype:trojan-activity;sid:81969010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x-3.2-.snoopy"; depth:14; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105911/; classtype:trojan-activity;sid:81969011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-4.snoopy"; depth:15; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105912/; classtype:trojan-activity;sid:81969012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x-8.6-.snoopy"; depth:14; endswith; nocase; http.host; content:"107.172.141.115"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105913/; classtype:trojan-activity;sid:81969013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.215.210.194"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105906/; classtype:trojan-activity;sid:81969006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.22.51"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105905/; classtype:trojan-activity;sid:81969005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.182.181"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105904/; classtype:trojan-activity;sid:81969004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.91.97"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105903/; classtype:trojan-activity;sid:81969003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.126.156"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105902/; classtype:trojan-activity;sid:81969002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.93.21.133"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105901/; classtype:trojan-activity;sid:81969001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.201.199.181"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105900/; classtype:trojan-activity;sid:81969000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.45.113"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105899/; classtype:trojan-activity;sid:81968999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.202.67.244"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105898/; classtype:trojan-activity;sid:81968998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.13.201"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105897/; classtype:trojan-activity;sid:81968997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.182.181"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105896/; classtype:trojan-activity;sid:81968996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.91.152"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105895/; classtype:trojan-activity;sid:81968995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.72.167.202"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105894/; classtype:trojan-activity;sid:81968994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.80.21"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105893/; classtype:trojan-activity;sid:81968993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.217.121.173"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105892/; classtype:trojan-activity;sid:81968992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.201.206.8"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105890/; classtype:trojan-activity;sid:81968990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.5.39.124"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105891/; classtype:trojan-activity;sid:81968991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"163.179.175.218"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105889/; classtype:trojan-activity;sid:81968989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.141.155.128"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105888/; classtype:trojan-activity;sid:81968988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.201.199.230"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105886/; classtype:trojan-activity;sid:81968986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.194.164.100"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105887/; classtype:trojan-activity;sid:81968987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.196.71.171"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105884/; classtype:trojan-activity;sid:81968984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"222.137.72.66"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105885/; classtype:trojan-activity;sid:81968985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.251.18.204"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105881/; classtype:trojan-activity;sid:81968981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.96.36.167"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105882/; classtype:trojan-activity;sid:81968982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.46.47.75"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105883/; classtype:trojan-activity;sid:81968983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.192.226.194"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105877/; classtype:trojan-activity;sid:81968977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.85.175.125"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105878/; classtype:trojan-activity;sid:81968978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.89.240.206"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105879/; classtype:trojan-activity;sid:81968979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.202.67.250"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105880/; classtype:trojan-activity;sid:81968980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.61.99.10"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105874/; classtype:trojan-activity;sid:81968974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.41.209"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105875/; classtype:trojan-activity;sid:81968975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.44.213.232"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105876/; classtype:trojan-activity;sid:81968976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.75.213"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105873/; classtype:trojan-activity;sid:81968973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.49.30"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105872/; classtype:trojan-activity;sid:81968972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.119.43"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105871/; classtype:trojan-activity;sid:81968971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.93.21.133"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105870/; classtype:trojan-activity;sid:81968970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.43.114"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105869/; classtype:trojan-activity;sid:81968969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.10.182"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105868/; classtype:trojan-activity;sid:81968968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.38.202"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105867/; classtype:trojan-activity;sid:81968967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.12.222"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105866/; classtype:trojan-activity;sid:81968966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.14.34"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105865/; classtype:trojan-activity;sid:81968965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beastmode/b3astmode.spc"; depth:24; endswith; nocase; http.host; content:"91.205.173.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105864/; classtype:trojan-activity;sid:81968964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.163.235.36"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105863/; classtype:trojan-activity;sid:81968963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.56.125"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105862/; classtype:trojan-activity;sid:81968962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.176.108.102"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105861/; classtype:trojan-activity;sid:81968961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.71.127"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105860/; classtype:trojan-activity;sid:81968960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.119.43"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105859/; classtype:trojan-activity;sid:81968959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.23.139"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105858/; classtype:trojan-activity;sid:81968958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.43.114"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105857/; classtype:trojan-activity;sid:81968957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.65.237"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105856/; classtype:trojan-activity;sid:81968956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.49.30"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105855/; classtype:trojan-activity;sid:81968955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.13.65"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105854/; classtype:trojan-activity;sid:81968954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.176.108.102"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105853/; classtype:trojan-activity;sid:81968953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.88.242.31"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105852/; classtype:trojan-activity;sid:81968952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.127.11"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105851/; classtype:trojan-activity;sid:81968951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.71.127"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105850/; classtype:trojan-activity;sid:81968950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.50.155"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105849/; classtype:trojan-activity;sid:81968949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.126.46"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105848/; classtype:trojan-activity;sid:81968948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.99.44.32"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105847/; classtype:trojan-activity;sid:81968947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.87.202"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105846/; classtype:trojan-activity;sid:81968946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beastmode/b3astmode.sh4"; depth:24; endswith; nocase; http.host; content:"91.205.173.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105843/; classtype:trojan-activity;sid:81968943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beastmode/b3astmode.arm6"; depth:25; endswith; nocase; http.host; content:"91.205.173.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105844/; classtype:trojan-activity;sid:81968944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beastmode/b3astmode.mips"; depth:25; endswith; nocase; http.host; content:"91.205.173.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105845/; classtype:trojan-activity;sid:81968945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beastmode/b3astmode.ppc"; depth:24; endswith; nocase; http.host; content:"91.205.173.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105841/; classtype:trojan-activity;sid:81968941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beastmode/b3astmode.m68k"; depth:25; endswith; nocase; http.host; content:"91.205.173.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105842/; classtype:trojan-activity;sid:81968942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beastmode/b3astmode.arm5"; depth:25; endswith; nocase; http.host; content:"91.205.173.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105838/; classtype:trojan-activity;sid:81968938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beastmode/b3astmode.arm"; depth:24; endswith; nocase; http.host; content:"91.205.173.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105839/; classtype:trojan-activity;sid:81968939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beastmode/b3astmode.mpsl"; depth:25; endswith; nocase; http.host; content:"91.205.173.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105840/; classtype:trojan-activity;sid:81968940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.23.139"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105837/; classtype:trojan-activity;sid:81968937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.65.237"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105836/; classtype:trojan-activity;sid:81968936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/x64.com"; depth:11; endswith; nocase; http.host; content:"34.126.93.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105835/; classtype:trojan-activity;sid:81968935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/ie.exe"; depth:10; endswith; nocase; http.host; content:"34.126.93.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105834/; classtype:trojan-activity;sid:81968934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"118.101.7.28"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105831/; classtype:trojan-activity;sid:81968931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/64a1.com"; depth:12; endswith; nocase; http.host; content:"34.126.93.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105832/; classtype:trojan-activity;sid:81968932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/32a1.com"; depth:12; endswith; nocase; http.host; content:"34.126.93.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105833/; classtype:trojan-activity;sid:81968933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/win.com"; depth:11; endswith; nocase; http.host; content:"34.126.93.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105829/; classtype:trojan-activity;sid:81968929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"49.158.201.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105830/; classtype:trojan-activity;sid:81968930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/delete.exe"; depth:14; endswith; nocase; http.host; content:"34.126.93.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105827/; classtype:trojan-activity;sid:81968927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"220.81.134.72"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105828/; classtype:trojan-activity;sid:81968928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/new/svchost.exe"; depth:19; endswith; nocase; http.host; content:"34.126.93.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105825/; classtype:trojan-activity;sid:81968925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/kch.com"; depth:11; endswith; nocase; http.host; content:"34.126.93.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105826/; classtype:trojan-activity;sid:81968926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.13.65"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105824/; classtype:trojan-activity;sid:81968924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.44.153"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105823/; classtype:trojan-activity;sid:81968923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.88.242.31"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105822/; classtype:trojan-activity;sid:81968922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/host_agjhgb160.bin"; depth:19; endswith; nocase; http.host; content:"ea47ad.com"; depth:10; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105821/; classtype:trojan-activity;sid:81968921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/logger_rufeqpmwky121.bin"; depth:25; endswith; nocase; http.host; content:"nlemmy.ru"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105819/; classtype:trojan-activity;sid:81968919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/logger_rufeqpmwky121.bin"; depth:25; endswith; nocase; http.host; content:"nlenny.ru"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105820/; classtype:trojan-activity;sid:81968920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.17.50"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105818/; classtype:trojan-activity;sid:81968918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"187.233.234.215"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105817/; classtype:trojan-activity;sid:81968917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.10.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105816/; classtype:trojan-activity;sid:81968916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.126.46"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105815/; classtype:trojan-activity;sid:81968915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.15.118"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105814/; classtype:trojan-activity;sid:81968914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.202.70.172"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105813/; classtype:trojan-activity;sid:81968913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.222.160.34"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105812/; classtype:trojan-activity;sid:81968912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.39.213"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105811/; classtype:trojan-activity;sid:81968911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.40.254"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105810/; classtype:trojan-activity;sid:81968910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.75.75"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105809/; classtype:trojan-activity;sid:81968909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.99.43.67"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105808/; classtype:trojan-activity;sid:81968908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.17.50"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105807/; classtype:trojan-activity;sid:81968907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.26.171"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105806/; classtype:trojan-activity;sid:81968906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.10.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105805/; classtype:trojan-activity;sid:81968905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.53.153"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105804/; classtype:trojan-activity;sid:81968904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.202.70.172"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105803/; classtype:trojan-activity;sid:81968903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.59.54"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105802/; classtype:trojan-activity;sid:81968902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.202.69.246"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105801/; classtype:trojan-activity;sid:81968901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.85.25"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105800/; classtype:trojan-activity;sid:81968900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.99.44.32"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105799/; classtype:trojan-activity;sid:81968899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantom.exe"; depth:12; endswith; nocase; http.host; content:"74.119.192.244"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105798/; classtype:trojan-activity;sid:81968898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.96.38"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105797/; classtype:trojan-activity;sid:81968897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.75.75"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105796/; classtype:trojan-activity;sid:81968896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.20.231"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105795/; classtype:trojan-activity;sid:81968895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.115.171"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105794/; classtype:trojan-activity;sid:81968894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.84.237"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105793/; classtype:trojan-activity;sid:81968893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.85.25"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105792/; classtype:trojan-activity;sid:81968892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.59.54"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105791/; classtype:trojan-activity;sid:81968891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.93.23.155"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105790/; classtype:trojan-activity;sid:81968890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.86.49"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105789/; classtype:trojan-activity;sid:81968889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.247.206.91"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105788/; classtype:trojan-activity;sid:81968888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.194.148.18"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105787/; classtype:trojan-activity;sid:81968887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.202.69.246"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105786/; classtype:trojan-activity;sid:81968886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.77.134"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105785/; classtype:trojan-activity;sid:81968885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.4.57"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105784/; classtype:trojan-activity;sid:81968884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.84.237"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105783/; classtype:trojan-activity;sid:81968883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"76.89.107.69"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105782/; classtype:trojan-activity;sid:81968882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.79.196"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105781/; classtype:trojan-activity;sid:81968881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"223.21.119.107"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105780/; classtype:trojan-activity;sid:81968880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.118.151.197"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105779/; classtype:trojan-activity;sid:81968879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.152"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105776/; classtype:trojan-activity;sid:81968876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"116.68.97.207"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105777/; classtype:trojan-activity;sid:81968877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"203.115.85.91"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105778/; classtype:trojan-activity;sid:81968878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.123.162"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105775/; classtype:trojan-activity;sid:81968875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.118.41"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105774/; classtype:trojan-activity;sid:81968874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.51.226"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105771/; classtype:trojan-activity;sid:81968871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"162.191.165.238"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105772/; classtype:trojan-activity;sid:81968872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"176.113.161.71"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105773/; classtype:trojan-activity;sid:81968873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"61.52.34.197"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105770/; classtype:trojan-activity;sid:81968870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.92.156.156"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105769/; classtype:trojan-activity;sid:81968869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"124.254.210.69"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105768/; classtype:trojan-activity;sid:81968868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.6.192.69"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105764/; classtype:trojan-activity;sid:81968864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"163.204.219.190"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105765/; classtype:trojan-activity;sid:81968865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.47.90.162"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105766/; classtype:trojan-activity;sid:81968866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.249.86.66"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105767/; classtype:trojan-activity;sid:81968867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.121.115.171"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105763/; classtype:trojan-activity;sid:81968863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.86.49"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105762/; classtype:trojan-activity;sid:81968862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.49.221"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105761/; classtype:trojan-activity;sid:81968861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.223.10.163"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105760/; classtype:trojan-activity;sid:81968860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"179.225.152.238"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105759/; classtype:trojan-activity;sid:81968859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.38.74"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105758/; classtype:trojan-activity;sid:81968858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.23.99"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105757/; classtype:trojan-activity;sid:81968857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.77.134"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105756/; classtype:trojan-activity;sid:81968856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.123.217.128"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105755/; classtype:trojan-activity;sid:81968855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.17.57"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105754/; classtype:trojan-activity;sid:81968854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"75.176.213.114"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105753/; classtype:trojan-activity;sid:81968853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.223.10.163"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105752/; classtype:trojan-activity;sid:81968852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.202.67.6"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105751/; classtype:trojan-activity;sid:81968851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.114.51"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105750/; classtype:trojan-activity;sid:81968850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.spc"; depth:13; endswith; nocase; http.host; content:"159.65.199.92"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105748/; classtype:trojan-activity;sid:81968848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm"; depth:13; endswith; nocase; http.host; content:"159.65.199.92"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105749/; classtype:trojan-activity;sid:81968849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.m68k"; depth:14; endswith; nocase; http.host; content:"159.65.199.92"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105747/; classtype:trojan-activity;sid:81968847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.ppc"; depth:13; endswith; nocase; http.host; content:"159.65.199.92"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105745/; classtype:trojan-activity;sid:81968845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.sh4"; depth:13; endswith; nocase; http.host; content:"159.65.199.92"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105746/; classtype:trojan-activity;sid:81968846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm6"; depth:14; endswith; nocase; http.host; content:"159.65.199.92"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105744/; classtype:trojan-activity;sid:81968844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mips"; depth:14; endswith; nocase; http.host; content:"159.65.199.92"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105743/; classtype:trojan-activity;sid:81968843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mpsl"; depth:14; endswith; nocase; http.host; content:"159.65.199.92"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105742/; classtype:trojan-activity;sid:81968842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.97.46"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105741/; classtype:trojan-activity;sid:81968841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.38.74"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105740/; classtype:trojan-activity;sid:81968840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.17.57"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105739/; classtype:trojan-activity;sid:81968839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"47.136.96.53"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105738/; classtype:trojan-activity;sid:81968838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.114.202"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105737/; classtype:trojan-activity;sid:81968837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.22.120"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105736/; classtype:trojan-activity;sid:81968836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.110.191"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105735/; classtype:trojan-activity;sid:81968835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.215.210.210"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105734/; classtype:trojan-activity;sid:81968834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.97.46"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105733/; classtype:trojan-activity;sid:81968833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.69.18"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105732/; classtype:trojan-activity;sid:81968832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.29.100"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105731/; classtype:trojan-activity;sid:81968831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.93.210"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105730/; classtype:trojan-activity;sid:81968830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.215.210.210"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105729/; classtype:trojan-activity;sid:81968829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.3.109"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105728/; classtype:trojan-activity;sid:81968828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.31.177.39"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105727/; classtype:trojan-activity;sid:81968827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.27.83"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105726/; classtype:trojan-activity;sid:81968826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.29.100"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105725/; classtype:trojan-activity;sid:81968825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.2.183"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105724/; classtype:trojan-activity;sid:81968824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.83.11.171"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105723/; classtype:trojan-activity;sid:81968823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.30.12.254"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105722/; classtype:trojan-activity;sid:81968822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.248.144"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105721/; classtype:trojan-activity;sid:81968821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.124.209"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105720/; classtype:trojan-activity;sid:81968820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.59.103"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105719/; classtype:trojan-activity;sid:81968819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.90.236"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105718/; classtype:trojan-activity;sid:81968818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.30.12.254"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105717/; classtype:trojan-activity;sid:81968817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.13.157"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105716/; classtype:trojan-activity;sid:81968816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.21.230"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105715/; classtype:trojan-activity;sid:81968815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.26.124.173"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105714/; classtype:trojan-activity;sid:81968814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.231.59.220"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105713/; classtype:trojan-activity;sid:81968813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.27.124.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105712/; classtype:trojan-activity;sid:81968812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.90.236"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105711/; classtype:trojan-activity;sid:81968811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.81.226"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105709/; classtype:trojan-activity;sid:81968809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.25.2"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105710/; classtype:trojan-activity;sid:81968810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.13.157"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105708/; classtype:trojan-activity;sid:81968808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.115.171"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105707/; classtype:trojan-activity;sid:81968807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.84.220"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105706/; classtype:trojan-activity;sid:81968806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.26.124.173"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105705/; classtype:trojan-activity;sid:81968805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.37.10"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105704/; classtype:trojan-activity;sid:81968804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.26.148"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105703/; classtype:trojan-activity;sid:81968803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.41.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105702/; classtype:trojan-activity;sid:81968802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"183.239.255.195"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105701/; classtype:trojan-activity;sid:81968801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.89.74.123"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105700/; classtype:trojan-activity;sid:81968800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.139.140"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105696/; classtype:trojan-activity;sid:81968796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"203.115.85.137"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105697/; classtype:trojan-activity;sid:81968797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"101.0.32.228"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105698/; classtype:trojan-activity;sid:81968798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"223.130.28.90"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105699/; classtype:trojan-activity;sid:81968799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.213.40.224"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105695/; classtype:trojan-activity;sid:81968795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"101.108.134.182"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105694/; classtype:trojan-activity;sid:81968794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.232.0.112"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105693/; classtype:trojan-activity;sid:81968793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"119.179.58.163"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105691/; classtype:trojan-activity;sid:81968791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.96.114"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105692/; classtype:trojan-activity;sid:81968792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.248.113.11"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105689/; classtype:trojan-activity;sid:81968789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.2.89"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105690/; classtype:trojan-activity;sid:81968790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.96.36.114"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105686/; classtype:trojan-activity;sid:81968786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.252.128.143"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105687/; classtype:trojan-activity;sid:81968787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.79.128"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105688/; classtype:trojan-activity;sid:81968788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.139.187"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105685/; classtype:trojan-activity;sid:81968785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.118.174"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105684/; classtype:trojan-activity;sid:81968784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.x86"; depth:13; endswith; nocase; http.host; content:"159.65.199.92"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105683/; classtype:trojan-activity;sid:81968783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.31.82.160"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105682/; classtype:trojan-activity;sid:81968782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.123.202"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105681/; classtype:trojan-activity;sid:81968781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.38.121.226"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105680/; classtype:trojan-activity;sid:81968780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.37.10"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105679/; classtype:trojan-activity;sid:81968779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.56.125"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105678/; classtype:trojan-activity;sid:81968778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.41.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105677/; classtype:trojan-activity;sid:81968777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.67.28"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105676/; classtype:trojan-activity;sid:81968776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.47.72"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105675/; classtype:trojan-activity;sid:81968775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.118.174"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105674/; classtype:trojan-activity;sid:81968774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.67.28"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105672/; classtype:trojan-activity;sid:81968772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.123.202"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105673/; classtype:trojan-activity;sid:81968773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.1.234"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105671/; classtype:trojan-activity;sid:81968771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.186.248"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105670/; classtype:trojan-activity;sid:81968770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.18.20"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105669/; classtype:trojan-activity;sid:81968769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.83.120.127"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105668/; classtype:trojan-activity;sid:81968768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.108.108.202"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105667/; classtype:trojan-activity;sid:81968767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.118.154"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105666/; classtype:trojan-activity;sid:81968766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.4.62"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105665/; classtype:trojan-activity;sid:81968765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.60.158"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105664/; classtype:trojan-activity;sid:81968764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.155.202"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105663/; classtype:trojan-activity;sid:81968763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.104.160"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105662/; classtype:trojan-activity;sid:81968762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.118.154"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105661/; classtype:trojan-activity;sid:81968761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.83.120.127"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105660/; classtype:trojan-activity;sid:81968760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.37.234"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105659/; classtype:trojan-activity;sid:81968759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.60.158"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105658/; classtype:trojan-activity;sid:81968758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.95.54"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105657/; classtype:trojan-activity;sid:81968757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.107.142"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105656/; classtype:trojan-activity;sid:81968756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.129.251"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105655/; classtype:trojan-activity;sid:81968755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.62.206"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105654/; classtype:trojan-activity;sid:81968754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.108.129.251"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105653/; classtype:trojan-activity;sid:81968753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.22.215"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105652/; classtype:trojan-activity;sid:81968752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.115.15"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105651/; classtype:trojan-activity;sid:81968751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.---.-.-.-.-.-.--------------------------------------..--....../.....................................................................................dot"; depth:153; endswith; nocase; http.host; content:"107.173.219.80"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105650/; classtype:trojan-activity;sid:81968750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.110.45"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105649/; classtype:trojan-activity;sid:81968749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.107.142"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105648/; classtype:trojan-activity;sid:81968748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.93.198"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105647/; classtype:trojan-activity;sid:81968747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.193.91.191"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105646/; classtype:trojan-activity;sid:81968746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/yugox.exe"; depth:16; endswith; nocase; http.host; content:"zytrox.tk"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105643/; classtype:trojan-activity;sid:81968743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/legacyx.exe"; depth:18; endswith; nocase; http.host; content:"a.stro.lo.gy.t.em.r@zytrox.tk"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105644/; classtype:trojan-activity;sid:81968744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/aguerox.exe"; depth:18; endswith; nocase; http.host; content:"b.r.uce.lee.b.es.t@zytrox.tk"; depth:28; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105645/; classtype:trojan-activity;sid:81968745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/aguerox.exe"; depth:18; endswith; nocase; http.host; content:"yeq.i.u.j.ia.n.3@zytrox.tk"; depth:26; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105642/; classtype:trojan-activity;sid:81968742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/brasch.exe"; depth:17; endswith; nocase; http.host; content:"zytrox.tk"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105639/; classtype:trojan-activity;sid:81968739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/zabax.exe"; depth:16; endswith; nocase; http.host; content:"zytrox.tk"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105640/; classtype:trojan-activity;sid:81968740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/twenthfour.exe"; depth:21; endswith; nocase; http.host; content:"qu.o.t.ev.v.n.r@zytrox.tk"; depth:25; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105641/; classtype:trojan-activity;sid:81968741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/mazx.exe"; depth:15; endswith; nocase; http.host; content:"ziyker4gaming@zytrox.tk"; depth:23; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105637/; classtype:trojan-activity;sid:81968737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/gregmannyx.exe"; depth:21; endswith; nocase; http.host; content:"c.ompact.i.o.np.d.yu@zytrox.tk"; depth:30; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105638/; classtype:trojan-activity;sid:81968738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/mbachux.exe"; depth:18; endswith; nocase; http.host; content:"zytrox.tk"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105635/; classtype:trojan-activity;sid:81968735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modex/shedyx.exe"; depth:17; endswith; nocase; http.host; content:"l.oc.atevur.c@zytrox.tk"; depth:23; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105636/; classtype:trojan-activity;sid:81968736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.7.175"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105634/; classtype:trojan-activity;sid:81968734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.22.215"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105633/; classtype:trojan-activity;sid:81968733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.174.205.57"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105632/; classtype:trojan-activity;sid:81968732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.26.104.74"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105631/; classtype:trojan-activity;sid:81968731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.116.56"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105630/; classtype:trojan-activity;sid:81968730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.34.71"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105629/; classtype:trojan-activity;sid:81968729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.48.185"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105628/; classtype:trojan-activity;sid:81968728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.139.241"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105627/; classtype:trojan-activity;sid:81968727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.236.151.216"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105626/; classtype:trojan-activity;sid:81968726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.253"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105624/; classtype:trojan-activity;sid:81968724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"101.0.49.122"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105625/; classtype:trojan-activity;sid:81968725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.201.197.124"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105623/; classtype:trojan-activity;sid:81968723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.69.29"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105622/; classtype:trojan-activity;sid:81968722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.121.118.54"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105619/; classtype:trojan-activity;sid:81968719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.50.250"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105620/; classtype:trojan-activity;sid:81968720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.40.73.175"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105621/; classtype:trojan-activity;sid:81968721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.50.7.79"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105617/; classtype:trojan-activity;sid:81968717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.122.203.185"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105618/; classtype:trojan-activity;sid:81968718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.75.181.144"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105616/; classtype:trojan-activity;sid:81968716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.133.153.33"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105614/; classtype:trojan-activity;sid:81968714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.40.120.108"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105615/; classtype:trojan-activity;sid:81968715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.221.242.95"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105608/; classtype:trojan-activity;sid:81968708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.93.200"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105609/; classtype:trojan-activity;sid:81968709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.171.204.161"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105610/; classtype:trojan-activity;sid:81968710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.11.166"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105611/; classtype:trojan-activity;sid:81968711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"213.163.116.160"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105612/; classtype:trojan-activity;sid:81968712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.27.151"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105613/; classtype:trojan-activity;sid:81968713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.4.118"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105607/; classtype:trojan-activity;sid:81968707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/childservenodeone/bin_ebcfzp9.bin"; depth:34; endswith; nocase; http.host; content:"storage.googleapis.com"; depth:22; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105606/; classtype:trojan-activity;sid:81968706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.63.189"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105605/; classtype:trojan-activity;sid:81968705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.116.56"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105604/; classtype:trojan-activity;sid:81968704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.20.166"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105603/; classtype:trojan-activity;sid:81968703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.34.71"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105602/; classtype:trojan-activity;sid:81968702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.48.185"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105601/; classtype:trojan-activity;sid:81968701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.20.117"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105600/; classtype:trojan-activity;sid:81968700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k.name"; depth:10; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105594/; classtype:trojan-activity;sid:81968694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586.name"; depth:10; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105595/; classtype:trojan-activity;sid:81968695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc.name"; depth:11; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105596/; classtype:trojan-activity;sid:81968696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686.name"; depth:10; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105597/; classtype:trojan-activity;sid:81968697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l.name"; depth:12; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105598/; classtype:trojan-activity;sid:81968698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4.name"; depth:9; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105599/; classtype:trojan-activity;sid:81968699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l.name"; depth:12; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105593/; classtype:trojan-activity;sid:81968693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l.name"; depth:12; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105592/; classtype:trojan-activity;sid:81968692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc.name"; depth:13; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105590/; classtype:trojan-activity;sid:81968690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel.name"; depth:12; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105591/; classtype:trojan-activity;sid:81968691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.3.156.130"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105589/; classtype:trojan-activity;sid:81968689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105588/; classtype:trojan-activity;sid:81968688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.18.22"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105587/; classtype:trojan-activity;sid:81968687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.198.7.22"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105586/; classtype:trojan-activity;sid:81968686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.28.5"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105585/; classtype:trojan-activity;sid:81968685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.63.189"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105584/; classtype:trojan-activity;sid:81968684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.20.166"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105583/; classtype:trojan-activity;sid:81968683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.sh4"; depth:15; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105580/; classtype:trojan-activity;sid:81968680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.arm7"; depth:16; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105581/; classtype:trojan-activity;sid:81968681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.x86"; depth:15; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105582/; classtype:trojan-activity;sid:81968682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.ppc"; depth:15; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105579/; classtype:trojan-activity;sid:81968679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.spc"; depth:15; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105578/; classtype:trojan-activity;sid:81968678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.arm"; depth:15; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105576/; classtype:trojan-activity;sid:81968676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.m68k"; depth:16; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105577/; classtype:trojan-activity;sid:81968677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.arm5"; depth:16; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105573/; classtype:trojan-activity;sid:81968673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.mpsl"; depth:16; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105574/; classtype:trojan-activity;sid:81968674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.arm6"; depth:16; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105575/; classtype:trojan-activity;sid:81968675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.armv6l"; depth:14; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105572/; classtype:trojan-activity;sid:81968672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.i6"; depth:10; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105568/; classtype:trojan-activity;sid:81968668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.powerpc"; depth:15; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105569/; classtype:trojan-activity;sid:81968669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.mipsel"; depth:14; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105570/; classtype:trojan-activity;sid:81968670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.i5"; depth:10; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105571/; classtype:trojan-activity;sid:81968671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.235.43"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105567/; classtype:trojan-activity;sid:81968667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/zte"; depth:8; endswith; nocase; http.host; content:"108.174.60.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105566/; classtype:trojan-activity;sid:81968666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/rtk"; depth:8; endswith; nocase; http.host; content:"108.174.60.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105565/; classtype:trojan-activity;sid:81968665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/root"; depth:9; endswith; nocase; http.host; content:"108.174.60.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105564/; classtype:trojan-activity;sid:81968664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.28.5"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105563/; classtype:trojan-activity;sid:81968663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.mips"; depth:16; endswith; nocase; http.host; content:"2.57.122.45"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105562/; classtype:trojan-activity;sid:81968662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.39.238"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105561/; classtype:trojan-activity;sid:81968661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.22.206"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105560/; classtype:trojan-activity;sid:81968660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.84.154"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105559/; classtype:trojan-activity;sid:81968659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.235.43"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105558/; classtype:trojan-activity;sid:81968658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.42.221"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105557/; classtype:trojan-activity;sid:81968657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/arm6"; depth:9; endswith; nocase; http.host; content:"108.174.60.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105556/; classtype:trojan-activity;sid:81968656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/x86"; depth:8; endswith; nocase; http.host; content:"108.174.60.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105555/; classtype:trojan-activity;sid:81968655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/mpsl"; depth:9; endswith; nocase; http.host; content:"108.174.60.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105553/; classtype:trojan-activity;sid:81968653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/arm"; depth:8; endswith; nocase; http.host; content:"108.174.60.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105554/; classtype:trojan-activity;sid:81968654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/ppc"; depth:8; endswith; nocase; http.host; content:"108.174.60.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105551/; classtype:trojan-activity;sid:81968651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/mips"; depth:9; endswith; nocase; http.host; content:"108.174.60.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105552/; classtype:trojan-activity;sid:81968652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.22.206"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105550/; classtype:trojan-activity;sid:81968650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.superh"; depth:14; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105549/; classtype:trojan-activity;sid:81968649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.armv5l"; depth:14; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105548/; classtype:trojan-activity;sid:81968648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.38.88"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105547/; classtype:trojan-activity;sid:81968647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.armv7l"; depth:14; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105546/; classtype:trojan-activity;sid:81968646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.armv4l"; depth:14; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105545/; classtype:trojan-activity;sid:81968645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.42.221"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105544/; classtype:trojan-activity;sid:81968644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.m68k"; depth:12; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105543/; classtype:trojan-activity;sid:81968643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.4.68"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105542/; classtype:trojan-activity;sid:81968642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.77.57"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105541/; classtype:trojan-activity;sid:81968641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.68.4"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105540/; classtype:trojan-activity;sid:81968640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/king/protected%20client.js"; depth:27; endswith; nocase; http.host; content:"aventuramotorhome.com"; depth:21; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105539/; classtype:trojan-activity;sid:81968639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/king/attack.jpg"; depth:16; endswith; nocase; http.host; content:"aventuramotorhome.com"; depth:21; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105538/; classtype:trojan-activity;sid:81968638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"59.127.146.107"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105537/; classtype:trojan-activity;sid:81968637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"171.247.155.56"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105534/; classtype:trojan-activity;sid:81968634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"59.126.251.30"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105535/; classtype:trojan-activity;sid:81968635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"218.161.107.190"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105536/; classtype:trojan-activity;sid:81968636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keksec.mips"; depth:12; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105532/; classtype:trojan-activity;sid:81968632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fuckme.sh"; depth:10; endswith; nocase; http.host; content:"23.94.190.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105533/; classtype:trojan-activity;sid:81968633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"108.174.60.10"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105530/; classtype:trojan-activity;sid:81968630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skie_mips"; depth:10; endswith; nocase; http.host; content:"108.174.60.10"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105531/; classtype:trojan-activity;sid:81968631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.111.244.209"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105529/; classtype:trojan-activity;sid:81968629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.26.171"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105528/; classtype:trojan-activity;sid:81968628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.68.171"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105527/; classtype:trojan-activity;sid:81968627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.77.57"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105526/; classtype:trojan-activity;sid:81968626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.6.136"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105525/; classtype:trojan-activity;sid:81968625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.121.31"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105524/; classtype:trojan-activity;sid:81968624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.45.205"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105523/; classtype:trojan-activity;sid:81968623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.97.40.9"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105522/; classtype:trojan-activity;sid:81968622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.68.171"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105521/; classtype:trojan-activity;sid:81968621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"14.184.216.152"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105520/; classtype:trojan-activity;sid:81968620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.19"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105519/; classtype:trojan-activity;sid:81968619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.4.224.249"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105518/; classtype:trojan-activity;sid:81968618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.102"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105517/; classtype:trojan-activity;sid:81968617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.255.230.150"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105516/; classtype:trojan-activity;sid:81968616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.51"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105515/; classtype:trojan-activity;sid:81968615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"61.52.213.102"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105514/; classtype:trojan-activity;sid:81968614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.156.23.244"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105509/; classtype:trojan-activity;sid:81968609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.213.45.181"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105510/; classtype:trojan-activity;sid:81968610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"221.15.3.50"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105511/; classtype:trojan-activity;sid:81968611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.88.204"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105512/; classtype:trojan-activity;sid:81968612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.213.42.231"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105513/; classtype:trojan-activity;sid:81968613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.122.110"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105503/; classtype:trojan-activity;sid:81968603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.82.110"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105504/; classtype:trojan-activity;sid:81968604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"222.138.151.108"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105505/; classtype:trojan-activity;sid:81968605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"61.53.117.152"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105506/; classtype:trojan-activity;sid:81968606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"163.179.174.117"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105507/; classtype:trojan-activity;sid:81968607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.202.101.181"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105508/; classtype:trojan-activity;sid:81968608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"112.239.101.146"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105501/; classtype:trojan-activity;sid:81968601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.119.104.90"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105502/; classtype:trojan-activity;sid:81968602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.70.177"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105500/; classtype:trojan-activity;sid:81968600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.43.238"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105499/; classtype:trojan-activity;sid:81968599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.27.153"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105498/; classtype:trojan-activity;sid:81968598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.45.205"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105497/; classtype:trojan-activity;sid:81968597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.39.176"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105496/; classtype:trojan-activity;sid:81968596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.123.125.131"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105495/; classtype:trojan-activity;sid:81968595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.24.183"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105494/; classtype:trojan-activity;sid:81968594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.3.154.21"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105493/; classtype:trojan-activity;sid:81968593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.0.92"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105492/; classtype:trojan-activity;sid:81968592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.193.91.203"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105491/; classtype:trojan-activity;sid:81968591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.54.100"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105490/; classtype:trojan-activity;sid:81968590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.196.12"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105489/; classtype:trojan-activity;sid:81968589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.39.176"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105488/; classtype:trojan-activity;sid:81968588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.0.92"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105487/; classtype:trojan-activity;sid:81968587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.114.107"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105486/; classtype:trojan-activity;sid:81968586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.41.217"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105485/; classtype:trojan-activity;sid:81968585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.96.38.150"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105484/; classtype:trojan-activity;sid:81968584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.54.100"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105483/; classtype:trojan-activity;sid:81968583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.35.203"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105482/; classtype:trojan-activity;sid:81968582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.196.12"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105481/; classtype:trojan-activity;sid:81968581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.66.190"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105480/; classtype:trojan-activity;sid:81968580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.1.211"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105479/; classtype:trojan-activity;sid:81968579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.127.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105478/; classtype:trojan-activity;sid:81968578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.107.224"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105477/; classtype:trojan-activity;sid:81968577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.55.170"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105476/; classtype:trojan-activity;sid:81968576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.114.107"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105475/; classtype:trojan-activity;sid:81968575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.194.162.174"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105474/; classtype:trojan-activity;sid:81968574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.107.224"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105473/; classtype:trojan-activity;sid:81968573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.37.215"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105472/; classtype:trojan-activity;sid:81968572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.70.178"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105471/; classtype:trojan-activity;sid:81968571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.127.58"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105470/; classtype:trojan-activity;sid:81968570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.6.166"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105469/; classtype:trojan-activity;sid:81968569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.55.170"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105468/; classtype:trojan-activity;sid:81968568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.10.254"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105467/; classtype:trojan-activity;sid:81968567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.7.198"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105466/; classtype:trojan-activity;sid:81968566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.60.146"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105465/; classtype:trojan-activity;sid:81968565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.37.215"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105464/; classtype:trojan-activity;sid:81968564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.122.107"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105463/; classtype:trojan-activity;sid:81968563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.33.93"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105462/; classtype:trojan-activity;sid:81968562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.111.208"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105461/; classtype:trojan-activity;sid:81968561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.92.217.229"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105460/; classtype:trojan-activity;sid:81968560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.60.146"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105459/; classtype:trojan-activity;sid:81968559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.46.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105458/; classtype:trojan-activity;sid:81968558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.7.198"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105457/; classtype:trojan-activity;sid:81968557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.76.82"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105456/; classtype:trojan-activity;sid:81968556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.33.173"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105455/; classtype:trojan-activity;sid:81968555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.122.107"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105454/; classtype:trojan-activity;sid:81968554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.77.207"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105453/; classtype:trojan-activity;sid:81968553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.118.108"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105452/; classtype:trojan-activity;sid:81968552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.1.119"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105451/; classtype:trojan-activity;sid:81968551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.33.93"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105450/; classtype:trojan-activity;sid:81968550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.spc"; depth:23; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105449/; classtype:trojan-activity;sid:81968549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.111.208"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105448/; classtype:trojan-activity;sid:81968548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.10.220"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105447/; classtype:trojan-activity;sid:81968547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.46.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105446/; classtype:trojan-activity;sid:81968546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.15.126"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105445/; classtype:trojan-activity;sid:81968545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.97.252"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105444/; classtype:trojan-activity;sid:81968544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.33.173"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105443/; classtype:trojan-activity;sid:81968543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.150.74"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105442/; classtype:trojan-activity;sid:81968542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.61.105.50"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105440/; classtype:trojan-activity;sid:81968540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"172.32.2.189"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105441/; classtype:trojan-activity;sid:81968541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"221.14.47.225"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105439/; classtype:trojan-activity;sid:81968539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"116.68.98.101"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105437/; classtype:trojan-activity;sid:81968537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.139.132"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105438/; classtype:trojan-activity;sid:81968538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.55.113"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105436/; classtype:trojan-activity;sid:81968536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"213.163.113.79"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105435/; classtype:trojan-activity;sid:81968535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"163.179.166.1"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105434/; classtype:trojan-activity;sid:81968534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.106.118.217"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105432/; classtype:trojan-activity;sid:81968532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.213.40.50"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105433/; classtype:trojan-activity;sid:81968533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.43.244"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105430/; classtype:trojan-activity;sid:81968530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.210.156.117"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105431/; classtype:trojan-activity;sid:81968531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.59.149.125"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105429/; classtype:trojan-activity;sid:81968529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.112.111"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105428/; classtype:trojan-activity;sid:81968528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"213.163.118.227"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105426/; classtype:trojan-activity;sid:81968526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.51.109.16"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105427/; classtype:trojan-activity;sid:81968527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.97.238.92"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105423/; classtype:trojan-activity;sid:81968523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.229.144.192"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105424/; classtype:trojan-activity;sid:81968524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"124.131.42.98"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105425/; classtype:trojan-activity;sid:81968525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.1.119"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105422/; classtype:trojan-activity;sid:81968522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.7.184.32"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105421/; classtype:trojan-activity;sid:81968521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.201.195.237"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105420/; classtype:trojan-activity;sid:81968520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.126.112"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105419/; classtype:trojan-activity;sid:81968519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.mips"; depth:24; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105418/; classtype:trojan-activity;sid:81968518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.mpsl"; depth:24; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105416/; classtype:trojan-activity;sid:81968516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.arm6"; depth:24; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105417/; classtype:trojan-activity;sid:81968517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.arm"; depth:23; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105414/; classtype:trojan-activity;sid:81968514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.36.98"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105415/; classtype:trojan-activity;sid:81968515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.arm7"; depth:24; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105408/; classtype:trojan-activity;sid:81968508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.arm5"; depth:24; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105409/; classtype:trojan-activity;sid:81968509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.sh4"; depth:23; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105410/; classtype:trojan-activity;sid:81968510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.m68k"; depth:24; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105411/; classtype:trojan-activity;sid:81968511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.ppc"; depth:23; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105412/; classtype:trojan-activity;sid:81968512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vcimanagement.x86"; depth:23; endswith; nocase; http.host; content:"45.14.224.165"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105413/; classtype:trojan-activity;sid:81968513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.27.124.162"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105407/; classtype:trojan-activity;sid:81968507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"140.237.12.32"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105406/; classtype:trojan-activity;sid:81968506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.118.108"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105405/; classtype:trojan-activity;sid:81968505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.47.2"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105404/; classtype:trojan-activity;sid:81968504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/azora/azorult%20stealer.zip"; depth:35; endswith; nocase; http.host; content:"orlina.be"; depth:9; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105403/; classtype:trojan-activity;sid:81968503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.108.1"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105402/; classtype:trojan-activity;sid:81968502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.113.225"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105401/; classtype:trojan-activity;sid:81968501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.2.189"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105400/; classtype:trojan-activity;sid:81968500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.136.217"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105399/; classtype:trojan-activity;sid:81968499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.123.170"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105398/; classtype:trojan-activity;sid:81968498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.36.98"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105396/; classtype:trojan-activity;sid:81968496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.69.102"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105397/; classtype:trojan-activity;sid:81968497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.209.186.185"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105395/; classtype:trojan-activity;sid:81968495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.105.67"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105394/; classtype:trojan-activity;sid:81968494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.97.127"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105393/; classtype:trojan-activity;sid:81968493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.112.204"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105392/; classtype:trojan-activity;sid:81968492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.137.53.134"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105391/; classtype:trojan-activity;sid:81968491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.123.170"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105390/; classtype:trojan-activity;sid:81968490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.108.1"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105389/; classtype:trojan-activity;sid:81968489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.209.186.185"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105388/; classtype:trojan-activity;sid:81968488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.78.125"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105387/; classtype:trojan-activity;sid:81968487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.4.226"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105386/; classtype:trojan-activity;sid:81968486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/world.b1bins.sh"; depth:16; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105385/; classtype:trojan-activity;sid:81968485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105384/; classtype:trojan-activity;sid:81968484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105383/; classtype:trojan-activity;sid:81968483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105382/; classtype:trojan-activity;sid:81968482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.20.117"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105381/; classtype:trojan-activity;sid:81968481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105380/; classtype:trojan-activity;sid:81968480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105379/; classtype:trojan-activity;sid:81968479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105377/; classtype:trojan-activity;sid:81968477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.133.210.90"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105378/; classtype:trojan-activity;sid:81968478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105376/; classtype:trojan-activity;sid:81968476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105375/; classtype:trojan-activity;sid:81968475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.7.175"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105374/; classtype:trojan-activity;sid:81968474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105371/; classtype:trojan-activity;sid:81968471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105372/; classtype:trojan-activity;sid:81968472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.95.169.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105373/; classtype:trojan-activity;sid:81968473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.4.226"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105370/; classtype:trojan-activity;sid:81968470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.72.151"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105369/; classtype:trojan-activity;sid:81968469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.20.117"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105368/; classtype:trojan-activity;sid:81968468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105367/; classtype:trojan-activity;sid:81968467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.112.204"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105366/; classtype:trojan-activity;sid:81968466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.72.151"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105365/; classtype:trojan-activity;sid:81968465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.20.117"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105364/; classtype:trojan-activity;sid:81968464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.66.178"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105363/; classtype:trojan-activity;sid:81968463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105362/; classtype:trojan-activity;sid:81968462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.114.46"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105361/; classtype:trojan-activity;sid:81968461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.120.254"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105360/; classtype:trojan-activity;sid:81968460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.87.75"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105359/; classtype:trojan-activity;sid:81968459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.12.68"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105358/; classtype:trojan-activity;sid:81968458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.66.178"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105357/; classtype:trojan-activity;sid:81968457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.38.123.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105356/; classtype:trojan-activity;sid:81968456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.112.74"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105355/; classtype:trojan-activity;sid:81968455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.28.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105354/; classtype:trojan-activity;sid:81968454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.214.182"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105353/; classtype:trojan-activity;sid:81968453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"116.74.32.87"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105351/; classtype:trojan-activity;sid:81968451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.155.116.31"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105352/; classtype:trojan-activity;sid:81968452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"101.0.34.186"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105350/; classtype:trojan-activity;sid:81968450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.70.74"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105349/; classtype:trojan-activity;sid:81968449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"222.142.236.173"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105348/; classtype:trojan-activity;sid:81968448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"116.72.21.29"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105344/; classtype:trojan-activity;sid:81968444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.214.191.141"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105345/; classtype:trojan-activity;sid:81968445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.93.120"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105346/; classtype:trojan-activity;sid:81968446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.41.15.0"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105347/; classtype:trojan-activity;sid:81968447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.217.121.6"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105342/; classtype:trojan-activity;sid:81968442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.66.204"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105343/; classtype:trojan-activity;sid:81968443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"113.118.14.214"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105337/; classtype:trojan-activity;sid:81968437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.75.223"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105338/; classtype:trojan-activity;sid:81968438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.56.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105339/; classtype:trojan-activity;sid:81968439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.45.93.101"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105340/; classtype:trojan-activity;sid:81968440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.222.170.100"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105341/; classtype:trojan-activity;sid:81968441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.5.31.77"; depth:10; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105335/; classtype:trojan-activity;sid:81968435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.51.219.200"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105336/; classtype:trojan-activity;sid:81968436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.69.102"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_10; reference:url, urlhaus.abuse.ch/url/1105334/; classtype:trojan-activity;sid:81968434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.12.68"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105333/; classtype:trojan-activity;sid:81968433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.85.16"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105332/; classtype:trojan-activity;sid:81968432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.39.203"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105331/; classtype:trojan-activity;sid:81968431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.90.5"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105330/; classtype:trojan-activity;sid:81968430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.38.202"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105329/; classtype:trojan-activity;sid:81968429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.214.182"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105328/; classtype:trojan-activity;sid:81968428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.39.210"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105327/; classtype:trojan-activity;sid:81968427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.---.-.-.-.-.-.--------------------------------------..--....../...............................................................................................................dot"; depth:179; endswith; nocase; http.host; content:"107.173.219.80"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105326/; classtype:trojan-activity;sid:81968426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.59.49"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105325/; classtype:trojan-activity;sid:81968425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.116.149"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105324/; classtype:trojan-activity;sid:81968424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.196.48.182"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105323/; classtype:trojan-activity;sid:81968423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"211.49.242.69"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105322/; classtype:trojan-activity;sid:81968422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"189.201.250.184"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105321/; classtype:trojan-activity;sid:81968421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.113.174"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105320/; classtype:trojan-activity;sid:81968420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.39.210"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105319/; classtype:trojan-activity;sid:81968419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"211.49.242.69"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105318/; classtype:trojan-activity;sid:81968418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.86.177"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105317/; classtype:trojan-activity;sid:81968417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.116.149"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105316/; classtype:trojan-activity;sid:81968416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.5.36.209"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105315/; classtype:trojan-activity;sid:81968415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.113.174"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105314/; classtype:trojan-activity;sid:81968414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.98.214.138"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105313/; classtype:trojan-activity;sid:81968413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.118.129"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105312/; classtype:trojan-activity;sid:81968412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.51.124"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105311/; classtype:trojan-activity;sid:81968411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.27.125.109"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105310/; classtype:trojan-activity;sid:81968410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"39.115.0.100"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105309/; classtype:trojan-activity;sid:81968409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.246.131.194"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105308/; classtype:trojan-activity;sid:81968408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.97.248"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105307/; classtype:trojan-activity;sid:81968407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.62.78"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105306/; classtype:trojan-activity;sid:81968406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.112.230"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105305/; classtype:trojan-activity;sid:81968405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.193.91.191"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105304/; classtype:trojan-activity;sid:81968404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.84.220"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105303/; classtype:trojan-activity;sid:81968403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"170.238.97.104"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105302/; classtype:trojan-activity;sid:81968402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pemex.sh"; depth:9; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105301/; classtype:trojan-activity;sid:81968401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.29.31"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105300/; classtype:trojan-activity;sid:81968400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.182.102.201"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105299/; classtype:trojan-activity;sid:81968399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.126.219"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105298/; classtype:trojan-activity;sid:81968398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.62.78"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105297/; classtype:trojan-activity;sid:81968397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.97.248"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105296/; classtype:trojan-activity;sid:81968396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.112.230"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105295/; classtype:trojan-activity;sid:81968395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.101.143"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105294/; classtype:trojan-activity;sid:81968394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.163.219.101"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105293/; classtype:trojan-activity;sid:81968393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.29.31"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105292/; classtype:trojan-activity;sid:81968392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.39.14"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105291/; classtype:trojan-activity;sid:81968391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.217.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105290/; classtype:trojan-activity;sid:81968390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.1.60"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105289/; classtype:trojan-activity;sid:81968389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.157.161"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105288/; classtype:trojan-activity;sid:81968388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.126.219"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105287/; classtype:trojan-activity;sid:81968387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.64"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105286/; classtype:trojan-activity;sid:81968386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"101.0.41.219"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105285/; classtype:trojan-activity;sid:81968385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.193.134.184"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105284/; classtype:trojan-activity;sid:81968384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.99.220.59"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105283/; classtype:trojan-activity;sid:81968383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"183.11.70.25"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105281/; classtype:trojan-activity;sid:81968381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.219"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105282/; classtype:trojan-activity;sid:81968382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.243"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105278/; classtype:trojan-activity;sid:81968378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"111.92.81.73"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105279/; classtype:trojan-activity;sid:81968379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"81.231.157.72"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105280/; classtype:trojan-activity;sid:81968380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.85.208.148"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105277/; classtype:trojan-activity;sid:81968377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"95.9.111.51"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105276/; classtype:trojan-activity;sid:81968376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.252.176.211"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105275/; classtype:trojan-activity;sid:81968375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"163.179.173.109"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105274/; classtype:trojan-activity;sid:81968374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.117.24.62"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105273/; classtype:trojan-activity;sid:81968373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.71.203"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105272/; classtype:trojan-activity;sid:81968372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.87.208"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105268/; classtype:trojan-activity;sid:81968368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"163.125.159.99"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105269/; classtype:trojan-activity;sid:81968369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.105.48"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105270/; classtype:trojan-activity;sid:81968370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.16.26"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105271/; classtype:trojan-activity;sid:81968371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"101.28.21.220"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105267/; classtype:trojan-activity;sid:81968367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.8.30"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105266/; classtype:trojan-activity;sid:81968366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.112.181"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105265/; classtype:trojan-activity;sid:81968365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.118.10"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105264/; classtype:trojan-activity;sid:81968364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"66.91.21.31"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105263/; classtype:trojan-activity;sid:81968363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.41.217"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105262/; classtype:trojan-activity;sid:81968362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/xd.arm5"; depth:10; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105258/; classtype:trojan-activity;sid:81968358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/xd.sh4"; depth:9; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105259/; classtype:trojan-activity;sid:81968359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/xd.arm7"; depth:10; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105260/; classtype:trojan-activity;sid:81968360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/xd.ppc"; depth:9; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105261/; classtype:trojan-activity;sid:81968361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/xd.x86"; depth:9; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105252/; classtype:trojan-activity;sid:81968352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/xd.mips"; depth:10; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105253/; classtype:trojan-activity;sid:81968353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/xd.arm"; depth:9; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105254/; classtype:trojan-activity;sid:81968354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/xd.mpsl"; depth:10; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105255/; classtype:trojan-activity;sid:81968355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/xd.arm6"; depth:10; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105256/; classtype:trojan-activity;sid:81968356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/xd.m68k"; depth:10; endswith; nocase; http.host; content:"198.23.133.218"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105257/; classtype:trojan-activity;sid:81968357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.217.15"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105251/; classtype:trojan-activity;sid:81968351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.154.146.60"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105250/; classtype:trojan-activity;sid:81968350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.72.197"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105249/; classtype:trojan-activity;sid:81968349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.17.149"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105248/; classtype:trojan-activity;sid:81968348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"113.234.188.251"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105247/; classtype:trojan-activity;sid:81968347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.48.113"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105246/; classtype:trojan-activity;sid:81968346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.48.161"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105245/; classtype:trojan-activity;sid:81968345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.2.189"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105244/; classtype:trojan-activity;sid:81968344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.8.119"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105243/; classtype:trojan-activity;sid:81968343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.64.5"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105242/; classtype:trojan-activity;sid:81968342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"66.91.21.31"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105240/; classtype:trojan-activity;sid:81968340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.4.103"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105241/; classtype:trojan-activity;sid:81968341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.114.126"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105239/; classtype:trojan-activity;sid:81968339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.8.30"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105238/; classtype:trojan-activity;sid:81968338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.27.115.8"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105237/; classtype:trojan-activity;sid:81968337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.244.11"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105236/; classtype:trojan-activity;sid:81968336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.48.161"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105235/; classtype:trojan-activity;sid:81968335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.40.85"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105234/; classtype:trojan-activity;sid:81968334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.46.208"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105233/; classtype:trojan-activity;sid:81968333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"114.32.79.29"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105232/; classtype:trojan-activity;sid:81968332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips.name"; depth:10; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105230/; classtype:trojan-activity;sid:81968330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paranojaa.sh"; depth:13; endswith; nocase; http.host; content:"45.95.169.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105231/; classtype:trojan-activity;sid:81968331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.127.46"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105229/; classtype:trojan-activity;sid:81968329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.133.171.111"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105228/; classtype:trojan-activity;sid:81968328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.201.112.50"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105227/; classtype:trojan-activity;sid:81968327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.192.227.213"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105226/; classtype:trojan-activity;sid:81968326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.40.85"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105225/; classtype:trojan-activity;sid:81968325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.46.208"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105224/; classtype:trojan-activity;sid:81968324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.26.148"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105223/; classtype:trojan-activity;sid:81968323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.65.216.145"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105222/; classtype:trojan-activity;sid:81968322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105221/; classtype:trojan-activity;sid:81968321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.192.227.213"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105220/; classtype:trojan-activity;sid:81968320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.54.201"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105219/; classtype:trojan-activity;sid:81968319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.4.62"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105218/; classtype:trojan-activity;sid:81968318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.114.126"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105217/; classtype:trojan-activity;sid:81968317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.74.113.205"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105216/; classtype:trojan-activity;sid:81968316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.2.162.196"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105215/; classtype:trojan-activity;sid:81968315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.116.75"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105214/; classtype:trojan-activity;sid:81968314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.42.141"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105213/; classtype:trojan-activity;sid:81968313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.213.12.66"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105212/; classtype:trojan-activity;sid:81968312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.4.225"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105211/; classtype:trojan-activity;sid:81968311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105210/; classtype:trojan-activity;sid:81968310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.85.16"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105209/; classtype:trojan-activity;sid:81968309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.106.238"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105208/; classtype:trojan-activity;sid:81968308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.73.84"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105207/; classtype:trojan-activity;sid:81968307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.101.81"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105206/; classtype:trojan-activity;sid:81968306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.251.60.231"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105205/; classtype:trojan-activity;sid:81968305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.252.183.57"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105204/; classtype:trojan-activity;sid:81968304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.112.254"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105203/; classtype:trojan-activity;sid:81968303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.126.201"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105202/; classtype:trojan-activity;sid:81968302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.74.113.205"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105201/; classtype:trojan-activity;sid:81968301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.4.68"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105200/; classtype:trojan-activity;sid:81968300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vs/uploads/visa.exe"; depth:20; endswith; nocase; http.host; content:"eservices.immigration.gov.lk"; depth:28; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105199/; classtype:trojan-activity;sid:81968299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.213.12.66"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105198/; classtype:trojan-activity;sid:81968298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.4.225"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105197/; classtype:trojan-activity;sid:81968297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.32.136.115"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105196/; classtype:trojan-activity;sid:81968296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.236.215.90"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105195/; classtype:trojan-activity;sid:81968295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.106.238"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105194/; classtype:trojan-activity;sid:81968294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"180.188.241.184"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105193/; classtype:trojan-activity;sid:81968293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.69.21"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105192/; classtype:trojan-activity;sid:81968292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"77.43.128.57"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105190/; classtype:trojan-activity;sid:81968290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"101.108.129.190"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105191/; classtype:trojan-activity;sid:81968291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.213.110.214"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105188/; classtype:trojan-activity;sid:81968288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.139.1"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105189/; classtype:trojan-activity;sid:81968289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.11.202.178"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105185/; classtype:trojan-activity;sid:81968285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"61.52.98.43"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105186/; classtype:trojan-activity;sid:81968286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.127.114.242"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105187/; classtype:trojan-activity;sid:81968287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.43.119.111"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105184/; classtype:trojan-activity;sid:81968284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"118.79.218.213"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105183/; classtype:trojan-activity;sid:81968283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.44.56"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105178/; classtype:trojan-activity;sid:81968278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"61.3.147.237"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105179/; classtype:trojan-activity;sid:81968279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"61.52.79.192"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105180/; classtype:trojan-activity;sid:81968280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.233.122.167"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105181/; classtype:trojan-activity;sid:81968281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.99.249"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105182/; classtype:trojan-activity;sid:81968282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.194.75.109"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105176/; classtype:trojan-activity;sid:81968276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.68.35"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105177/; classtype:trojan-activity;sid:81968277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"220.130.71.11"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105175/; classtype:trojan-activity;sid:81968275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.92.131"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105174/; classtype:trojan-activity;sid:81968274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.35.114"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105173/; classtype:trojan-activity;sid:81968273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.70.9"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105172/; classtype:trojan-activity;sid:81968272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.101.147"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105171/; classtype:trojan-activity;sid:81968271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.222.162.254"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105170/; classtype:trojan-activity;sid:81968270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.236.215.90"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105169/; classtype:trojan-activity;sid:81968269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.90.244.69"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105168/; classtype:trojan-activity;sid:81968268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.92.131"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105167/; classtype:trojan-activity;sid:81968267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"189.201.250.184"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105166/; classtype:trojan-activity;sid:81968266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.32.188.66"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105165/; classtype:trojan-activity;sid:81968265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.222.162.254"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105164/; classtype:trojan-activity;sid:81968264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.32.188.66"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105163/; classtype:trojan-activity;sid:81968263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/patron/poeybsr.ibuyafen"; depth:24; endswith; nocase; http.host; content:"hometownchick.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105161/; classtype:trojan-activity;sid:81968261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/patron/ibufen.php"; depth:18; endswith; nocase; http.host; content:"hometownchick.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105162/; classtype:trojan-activity;sid:81968262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.202.70.128"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105160/; classtype:trojan-activity;sid:81968260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.30.251"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105159/; classtype:trojan-activity;sid:81968259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.32.136.115"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105158/; classtype:trojan-activity;sid:81968258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.125.149"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105157/; classtype:trojan-activity;sid:81968257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.32.28.18"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105156/; classtype:trojan-activity;sid:81968256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/49zdi37stvvyepu/payment%20copy.tbz2|3f|dl=1"; depth:46; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105155/; classtype:trojan-activity;sid:81968255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.14.36"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105154/; classtype:trojan-activity;sid:81968254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.213.42.141"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105153/; classtype:trojan-activity;sid:81968253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.96.136"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105152/; classtype:trojan-activity;sid:81968252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.112.74"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105151/; classtype:trojan-activity;sid:81968251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.32.28.18"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105150/; classtype:trojan-activity;sid:81968250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.88.133.148"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105149/; classtype:trojan-activity;sid:81968249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/old/svchost.exe"; depth:19; endswith; nocase; http.host; content:"34.126.93.163"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105148/; classtype:trojan-activity;sid:81968248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.14.36"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105147/; classtype:trojan-activity;sid:81968247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.99.138.111"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105146/; classtype:trojan-activity;sid:81968246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.186.94.166"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105145/; classtype:trojan-activity;sid:81968245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.96.136"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105144/; classtype:trojan-activity;sid:81968244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.23.68"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105143/; classtype:trojan-activity;sid:81968243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.6.23"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105142/; classtype:trojan-activity;sid:81968242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.76.33"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105141/; classtype:trojan-activity;sid:81968241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windoc/grace/tepic.exe"; depth:23; endswith; nocase; http.host; content:"thebabybasket.co.uk"; depth:19; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105140/; classtype:trojan-activity;sid:81968240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.202.71.94"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105139/; classtype:trojan-activity;sid:81968239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.53.209"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105138/; classtype:trojan-activity;sid:81968238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.64.127"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105137/; classtype:trojan-activity;sid:81968237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.6.23"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105136/; classtype:trojan-activity;sid:81968236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eth1.exe"; depth:9; endswith; nocase; http.host; content:"45.144.225.135"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105135/; classtype:trojan-activity;sid:81968235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/godeth.exe"; depth:11; endswith; nocase; http.host; content:"45.144.225.135"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105134/; classtype:trojan-activity;sid:81968234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.76.33"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105133/; classtype:trojan-activity;sid:81968233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.242.209.38"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105132/; classtype:trojan-activity;sid:81968232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"189.201.250.133"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105131/; classtype:trojan-activity;sid:81968231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.202.71.94"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105130/; classtype:trojan-activity;sid:81968230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.254.210.69"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105129/; classtype:trojan-activity;sid:81968229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.55.120"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105126/; classtype:trojan-activity;sid:81968226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.42.98.149"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105127/; classtype:trojan-activity;sid:81968227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.41.25.102"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105128/; classtype:trojan-activity;sid:81968228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.139.135"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105125/; classtype:trojan-activity;sid:81968225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.157.66.105"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105124/; classtype:trojan-activity;sid:81968224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.119.105"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105120/; classtype:trojan-activity;sid:81968220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.201.205.41"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105121/; classtype:trojan-activity;sid:81968221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.155.101.212"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105122/; classtype:trojan-activity;sid:81968222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.67.180"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105123/; classtype:trojan-activity;sid:81968223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.225.19.198"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105119/; classtype:trojan-activity;sid:81968219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"61.3.152.205"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105118/; classtype:trojan-activity;sid:81968218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.9.223"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105110/; classtype:trojan-activity;sid:81968210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"39.79.123.189"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105111/; classtype:trojan-activity;sid:81968211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.44.234.241"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105112/; classtype:trojan-activity;sid:81968212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.102.217"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105113/; classtype:trojan-activity;sid:81968213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.232.228.61"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105114/; classtype:trojan-activity;sid:81968214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"119.185.15.159"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105115/; classtype:trojan-activity;sid:81968215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.249.23.189"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105116/; classtype:trojan-activity;sid:81968216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.85.239.58"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105117/; classtype:trojan-activity;sid:81968217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.60.112.137"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105109/; classtype:trojan-activity;sid:81968209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.182.146"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105108/; classtype:trojan-activity;sid:81968208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.10.96"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105107/; classtype:trojan-activity;sid:81968207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"84.215.103.223"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105106/; classtype:trojan-activity;sid:81968206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.127.90"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105105/; classtype:trojan-activity;sid:81968205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.254.210.69"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105104/; classtype:trojan-activity;sid:81968204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.182.146"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105103/; classtype:trojan-activity;sid:81968203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"84.215.103.223"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105102/; classtype:trojan-activity;sid:81968202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notepad.exe"; depth:12; endswith; nocase; http.host; content:"45.144.225.135"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105101/; classtype:trojan-activity;sid:81968201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.60.112.137"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105100/; classtype:trojan-activity;sid:81968200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.96.184"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105099/; classtype:trojan-activity;sid:81968199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.10.96"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105098/; classtype:trojan-activity;sid:81968198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.127.90"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105097/; classtype:trojan-activity;sid:81968197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ind.html"; depth:9; endswith; nocase; http.host; content:"runolfsson-jayde07s.ru.com"; depth:26; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105096/; classtype:trojan-activity;sid:81968196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ind.html"; depth:9; endswith; nocase; http.host; content:"cremin-ian07u.ru.com"; depth:20; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105095/; classtype:trojan-activity;sid:81968195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.202.71.148"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105094/; classtype:trojan-activity;sid:81968194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds/0604..gif"; depth:13; endswith; nocase; http.host; content:"innermetransformation.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105093/; classtype:trojan-activity;sid:81968193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds/0604.gif"; depth:12; endswith; nocase; http.host; content:"shalombaptistchapel.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105092/; classtype:trojan-activity;sid:81968192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ds/0604.gif"; depth:12; endswith; nocase; http.host; content:"cesiroinsurance.com"; depth:19; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105091/; classtype:trojan-activity;sid:81968191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.34.115"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105090/; classtype:trojan-activity;sid:81968190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.4.120"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105089/; classtype:trojan-activity;sid:81968189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.202.71.148"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105088/; classtype:trojan-activity;sid:81968188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.110.195"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105087/; classtype:trojan-activity;sid:81968187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.77.207"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105086/; classtype:trojan-activity;sid:81968186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.226.209"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105085/; classtype:trojan-activity;sid:81968185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.214.48.57"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105084/; classtype:trojan-activity;sid:81968184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.34.115"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105083/; classtype:trojan-activity;sid:81968183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.253.74"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105082/; classtype:trojan-activity;sid:81968182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.110.195"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105081/; classtype:trojan-activity;sid:81968181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loki.exe"; depth:9; endswith; nocase; http.host; content:"covid19vaccinations.hopto.org"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105080/; classtype:trojan-activity;sid:81968180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sheng%20exe/svch.exe"; depth:21; endswith; nocase; http.host; content:"107.173.219.80"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105078/; classtype:trojan-activity;sid:81968178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sheng%20exe/vbc.exe"; depth:20; endswith; nocase; http.host; content:"107.173.219.80"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105079/; classtype:trojan-activity;sid:81968179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crc/pilentotioprom.exe"; depth:23; endswith; nocase; http.host; content:"www.smartzonuae.com"; depth:19; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105077/; classtype:trojan-activity;sid:81968177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.75.197.222"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105076/; classtype:trojan-activity;sid:81968176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.spc"; depth:25; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105075/; classtype:trojan-activity;sid:81968175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.93.42"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105074/; classtype:trojan-activity;sid:81968174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.84.106.91"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105073/; classtype:trojan-activity;sid:81968173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.194.164.127"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105072/; classtype:trojan-activity;sid:81968172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.83.113.39"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105071/; classtype:trojan-activity;sid:81968171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.209.126.25"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105070/; classtype:trojan-activity;sid:81968170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.php|3f|file=lv.exe"; depth:28; endswith; nocase; http.host; content:"esimu07.top"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105068/; classtype:trojan-activity;sid:81968168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build.exe"; depth:10; endswith; nocase; http.host; content:"135.181.170.173"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105069/; classtype:trojan-activity;sid:81968169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.82.73"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105067/; classtype:trojan-activity;sid:81968167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.13.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105066/; classtype:trojan-activity;sid:81968166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winhace/orgd.exe"; depth:17; endswith; nocase; http.host; content:"13.114.247.134"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105065/; classtype:trojan-activity;sid:81968165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winhace/xlsf.exe"; depth:17; endswith; nocase; http.host; content:"13.114.247.134"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105064/; classtype:trojan-activity;sid:81968164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1l5urks5wzib2zcb16bfsk76bjrdsejms"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105063/; classtype:trojan-activity;sid:81968163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1bwtwpqmeqdvctbcqcc2gil5xzjf28c0z"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105062/; classtype:trojan-activity;sid:81968162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=17pl-4i0otjbyxwrtrdagxxebirdh2wl8"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105060/; classtype:trojan-activity;sid:81968160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ljz-kmuibyiehba6blw37guu_yr799y0"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105061/; classtype:trojan-activity;sid:81968161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/host_bhfwkplaw239.bin"; depth:22; endswith; nocase; http.host; content:"bizmodeltraining.com"; depth:20; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105059/; classtype:trojan-activity;sid:81968159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.155.116.175"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105058/; classtype:trojan-activity;sid:81968158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.43.24.24"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105055/; classtype:trojan-activity;sid:81968155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.138.157"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105056/; classtype:trojan-activity;sid:81968156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"176.67.117.69"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105057/; classtype:trojan-activity;sid:81968157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"101.0.41.15"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105054/; classtype:trojan-activity;sid:81968154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"27.6.196.158"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105053/; classtype:trojan-activity;sid:81968153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105052/; classtype:trojan-activity;sid:81968152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"178.175.13.54"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105050/; classtype:trojan-activity;sid:81968150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"163.204.223.202"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105051/; classtype:trojan-activity;sid:81968151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.33.130"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105049/; classtype:trojan-activity;sid:81968149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.63.138.143"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105048/; classtype:trojan-activity;sid:81968148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"211.72.91.222"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105045/; classtype:trojan-activity;sid:81968145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"59.127.182.226"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105046/; classtype:trojan-activity;sid:81968146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"90.117.173.166"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105047/; classtype:trojan-activity;sid:81968147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.123.199.231"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105042/; classtype:trojan-activity;sid:81968142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.121.8"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105043/; classtype:trojan-activity;sid:81968143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"178.175.6.225"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105044/; classtype:trojan-activity;sid:81968144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"88.249.13.164"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105040/; classtype:trojan-activity;sid:81968140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.201.204.80"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105041/; classtype:trojan-activity;sid:81968141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"125.47.58.229"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105036/; classtype:trojan-activity;sid:81968136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"115.59.218.10"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105037/; classtype:trojan-activity;sid:81968137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"112.30.1.55"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105038/; classtype:trojan-activity;sid:81968138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.59.78.212"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105039/; classtype:trojan-activity;sid:81968139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"219.157.37.210"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105034/; classtype:trojan-activity;sid:81968134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"27.45.36.41"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105035/; classtype:trojan-activity;sid:81968135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.31.216.207"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105033/; classtype:trojan-activity;sid:81968133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.75.197.222"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105032/; classtype:trojan-activity;sid:81968132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.194.164.127"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105031/; classtype:trojan-activity;sid:81968131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.117.11.46"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105030/; classtype:trojan-activity;sid:81968130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.34.149"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105029/; classtype:trojan-activity;sid:81968129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.53.79"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105028/; classtype:trojan-activity;sid:81968128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.1.149"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105027/; classtype:trojan-activity;sid:81968127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105026/; classtype:trojan-activity;sid:81968126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.174.248"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105025/; classtype:trojan-activity;sid:81968125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.92.216.23"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105024/; classtype:trojan-activity;sid:81968124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cbois.exe"; depth:10; endswith; nocase; http.host; content:"45.134.225.191"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105023/; classtype:trojan-activity;sid:81968123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.29.78"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105022/; classtype:trojan-activity;sid:81968122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/intercom.exe"; depth:13; endswith; nocase; http.host; content:"78.138.98.134"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105021/; classtype:trojan-activity;sid:81968121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downfiles/lv.exe"; depth:17; endswith; nocase; http.host; content:"esimu07.top"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105020/; classtype:trojan-activity;sid:81968120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"80.246.81.218"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105019/; classtype:trojan-activity;sid:81968119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"180.188.236.109"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105018/; classtype:trojan-activity;sid:81968118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.246"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105016/; classtype:trojan-activity;sid:81968116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.164.139.232"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105017/; classtype:trojan-activity;sid:81968117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.11.195.6"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105015/; classtype:trojan-activity;sid:81968115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"120.85.197.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105013/; classtype:trojan-activity;sid:81968113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.96.68"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105014/; classtype:trojan-activity;sid:81968114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.94.69"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105012/; classtype:trojan-activity;sid:81968112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.123.66"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105009/; classtype:trojan-activity;sid:81968109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.239.239.80"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105010/; classtype:trojan-activity;sid:81968110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"41.86.18.133"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105011/; classtype:trojan-activity;sid:81968111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.208.132.151"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105008/; classtype:trojan-activity;sid:81968108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.252.202.97"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105006/; classtype:trojan-activity;sid:81968106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.201.207.169"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105007/; classtype:trojan-activity;sid:81968107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.5.31.177"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105002/; classtype:trojan-activity;sid:81968102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.248.149.231"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105003/; classtype:trojan-activity;sid:81968103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"59.96.37.128"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105004/; classtype:trojan-activity;sid:81968104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.241.66.243"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105005/; classtype:trojan-activity;sid:81968105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.194.149.71"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105001/; classtype:trojan-activity;sid:81968101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1105000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.132.79"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1105000/; classtype:trojan-activity;sid:81968100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.47.2"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104999/; classtype:trojan-activity;sid:81968099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.1.149"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104998/; classtype:trojan-activity;sid:81968098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/register.jpg"; depth:13; endswith; nocase; http.host; content:"institto.casa"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104997/; classtype:trojan-activity;sid:81968097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.10.221"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104996/; classtype:trojan-activity;sid:81968096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.29.78"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104995/; classtype:trojan-activity;sid:81968095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"73.31.139.77"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104994/; classtype:trojan-activity;sid:81968094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.106.160"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104993/; classtype:trojan-activity;sid:81968093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.189.154"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104992/; classtype:trojan-activity;sid:81968092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.4.90"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104991/; classtype:trojan-activity;sid:81968091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.24.6.123"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104990/; classtype:trojan-activity;sid:81968090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.17.174"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104989/; classtype:trojan-activity;sid:81968089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.51.177"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104988/; classtype:trojan-activity;sid:81968088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.arm6"; depth:26; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104987/; classtype:trojan-activity;sid:81968087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.arm"; depth:25; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104983/; classtype:trojan-activity;sid:81968083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.mips"; depth:26; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104984/; classtype:trojan-activity;sid:81968084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.x86"; depth:25; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104985/; classtype:trojan-activity;sid:81968085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.sh4"; depth:25; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104986/; classtype:trojan-activity;sid:81968086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.27.83.182"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104982/; classtype:trojan-activity;sid:81968082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.mpsl"; depth:26; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104977/; classtype:trojan-activity;sid:81968077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.m68k"; depth:26; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104978/; classtype:trojan-activity;sid:81968078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.ppc"; depth:25; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104979/; classtype:trojan-activity;sid:81968079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.arm5"; depth:26; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104980/; classtype:trojan-activity;sid:81968080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pandoras_box/pandora.arm7"; depth:26; endswith; nocase; http.host; content:"107.175.33.48"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104981/; classtype:trojan-activity;sid:81968081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.189.154"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104976/; classtype:trojan-activity;sid:81968076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ob1.exe"; depth:8; endswith; nocase; http.host; content:"45.134.225.191"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104975/; classtype:trojan-activity;sid:81968075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/doc_details.exe"; depth:21; endswith; nocase; http.host; content:"officesharefile.online"; depth:22; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104974/; classtype:trojan-activity;sid:81968074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/setoffice_file.php"; depth:19; endswith; nocase; http.host; content:"officesharefile.online"; depth:22; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104972/; classtype:trojan-activity;sid:81968072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"officesharefile.online"; depth:22; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104973/; classtype:trojan-activity;sid:81968073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.4.90"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104970/; classtype:trojan-activity;sid:81968070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.89.10.147"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104969/; classtype:trojan-activity;sid:81968069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.spc"; depth:21; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104968/; classtype:trojan-activity;sid:81968068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.59.26"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104966/; classtype:trojan-activity;sid:81968066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.sh4"; depth:21; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104967/; classtype:trojan-activity;sid:81968067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.m68k"; depth:22; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104965/; classtype:trojan-activity;sid:81968065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.24.6.123"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104964/; classtype:trojan-activity;sid:81968064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.arm5"; depth:22; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104963/; classtype:trojan-activity;sid:81968063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.mpsl"; depth:22; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104959/; classtype:trojan-activity;sid:81968059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.arm7"; depth:22; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104960/; classtype:trojan-activity;sid:81968060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.arm6"; depth:22; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104961/; classtype:trojan-activity;sid:81968061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.arm"; depth:21; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104962/; classtype:trojan-activity;sid:81968062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.ppc"; depth:21; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104958/; classtype:trojan-activity;sid:81968058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.51.177"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104957/; classtype:trojan-activity;sid:81968057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.mips"; depth:22; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104956/; classtype:trojan-activity;sid:81968056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.6.243.135"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104955/; classtype:trojan-activity;sid:81968055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.27.83.182"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104954/; classtype:trojan-activity;sid:81968054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.59.26"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104953/; classtype:trojan-activity;sid:81968053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.40.209"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104952/; classtype:trojan-activity;sid:81968052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.37.149"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104951/; classtype:trojan-activity;sid:81968051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.4.61"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104950/; classtype:trojan-activity;sid:81968050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.126.71"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104949/; classtype:trojan-activity;sid:81968049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.119.37"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104948/; classtype:trojan-activity;sid:81968048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"93.173.235.110"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104947/; classtype:trojan-activity;sid:81968047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.208.150"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104946/; classtype:trojan-activity;sid:81968046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.30.4.61"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104945/; classtype:trojan-activity;sid:81968045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmaowtf/loligang.x86"; depth:21; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104943/; classtype:trojan-activity;sid:81968043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pemex.sh"; depth:9; endswith; nocase; http.host; content:"156.234.211.198"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104944/; classtype:trojan-activity;sid:81968044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123"; depth:4; endswith; nocase; http.host; content:"154.204.28.39"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104942/; classtype:trojan-activity;sid:81968042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hilix.mips"; depth:16; endswith; nocase; http.host; content:"159.203.44.33"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104941/; classtype:trojan-activity;sid:81968041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.37.149"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104940/; classtype:trojan-activity;sid:81968040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgcdoc/winlog.exe"; depth:18; endswith; nocase; http.host; content:"zgchgwsdycloudgowsaq.dns.army"; depth:29; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104939/; classtype:trojan-activity;sid:81968039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.75.129"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104938/; classtype:trojan-activity;sid:81968038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.163.126.71"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104937/; classtype:trojan-activity;sid:81968037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.172.176.41"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104936/; classtype:trojan-activity;sid:81968036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.163.115.104"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104935/; classtype:trojan-activity;sid:81968035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.49.83"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104934/; classtype:trojan-activity;sid:81968034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.90.238"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104933/; classtype:trojan-activity;sid:81968033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.212"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104932/; classtype:trojan-activity;sid:81968032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.5.47.65"; depth:10; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104929/; classtype:trojan-activity;sid:81968029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.54.1"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104930/; classtype:trojan-activity;sid:81968030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"45.229.55.112"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104931/; classtype:trojan-activity;sid:81968031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"111.92.80.176"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104927/; classtype:trojan-activity;sid:81968027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.123.128"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104928/; classtype:trojan-activity;sid:81968028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.242.210.100"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104926/; classtype:trojan-activity;sid:81968026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.48.194"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104925/; classtype:trojan-activity;sid:81968025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.228.39.2"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104924/; classtype:trojan-activity;sid:81968024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.4.69"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104923/; classtype:trojan-activity;sid:81968023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.196.49.113"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104919/; classtype:trojan-activity;sid:81968019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"180.158.12.27"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104920/; classtype:trojan-activity;sid:81968020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.94.227"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104921/; classtype:trojan-activity;sid:81968021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.45.37.233"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104922/; classtype:trojan-activity;sid:81968022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.238.176.105"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104918/; classtype:trojan-activity;sid:81968018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"183.188.144.204"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104917/; classtype:trojan-activity;sid:81968017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"222.141.21.102"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104916/; classtype:trojan-activity;sid:81968016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"123.11.180.144"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104914/; classtype:trojan-activity;sid:81968014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.222.164.1"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104915/; classtype:trojan-activity;sid:81968015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.175.47.11"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104913/; classtype:trojan-activity;sid:81968013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.36.250"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104912/; classtype:trojan-activity;sid:81968012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.172.176.41"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104911/; classtype:trojan-activity;sid:81968011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.122.60"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104910/; classtype:trojan-activity;sid:81968010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.49.83"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104909/; classtype:trojan-activity;sid:81968009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.90.238"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104908/; classtype:trojan-activity;sid:81968008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.199.2"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104907/; classtype:trojan-activity;sid:81968007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.36.250"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104906/; classtype:trojan-activity;sid:81968006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.89.97"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104905/; classtype:trojan-activity;sid:81968005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.174.72.121"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104904/; classtype:trojan-activity;sid:81968004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.111.131.236"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104903/; classtype:trojan-activity;sid:81968003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.222.165.117"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104902/; classtype:trojan-activity;sid:81968002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.41.27"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104901/; classtype:trojan-activity;sid:81968001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.199.2"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104900/; classtype:trojan-activity;sid:81968000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"139.190.238.71"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104899/; classtype:trojan-activity;sid:81967999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.5.36.53"; depth:10; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104898/; classtype:trojan-activity;sid:81967998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.91.163"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104897/; classtype:trojan-activity;sid:81967997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.201.193.84"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104896/; classtype:trojan-activity;sid:81967996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.222.165.117"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104895/; classtype:trojan-activity;sid:81967995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"202.164.139.128"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104893/; classtype:trojan-activity;sid:81967993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"39.90.159.141"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104894/; classtype:trojan-activity;sid:81967994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"103.217.123.127"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104892/; classtype:trojan-activity;sid:81967992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"123.98.74.3"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104891/; classtype:trojan-activity;sid:81967991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"180.188.241.100"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104890/; classtype:trojan-activity;sid:81967990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"45.229.54.159"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104889/; classtype:trojan-activity;sid:81967989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"117.215.215.3"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104888/; classtype:trojan-activity;sid:81967988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"45.229.54.25"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104886/; classtype:trojan-activity;sid:81967986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"222.243.14.67"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104887/; classtype:trojan-activity;sid:81967987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"59.93.17.44"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104885/; classtype:trojan-activity;sid:81967985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"178.175.115.60"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104884/; classtype:trojan-activity;sid:81967984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"125.42.120.200"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104883/; classtype:trojan-activity;sid:81967983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"45.229.54.144"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104879/; classtype:trojan-activity;sid:81967979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"95.32.137.198"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104880/; classtype:trojan-activity;sid:81967980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"103.217.121.48"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104881/; classtype:trojan-activity;sid:81967981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"45.229.54.169"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104882/; classtype:trojan-activity;sid:81967982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"202.164.138.71"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104878/; classtype:trojan-activity;sid:81967978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"27.213.66.112"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104877/; classtype:trojan-activity;sid:81967977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"178.175.88.194"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104876/; classtype:trojan-activity;sid:81967976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"112.30.1.200"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104875/; classtype:trojan-activity;sid:81967975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"125.42.10.206"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104874/; classtype:trojan-activity;sid:81967974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"178.175.1.173"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104873/; classtype:trojan-activity;sid:81967973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"115.61.111.19"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104872/; classtype:trojan-activity;sid:81967972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"178.175.59.158"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104871/; classtype:trojan-activity;sid:81967971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"178.175.21.43"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104869/; classtype:trojan-activity;sid:81967969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"118.79.167.198"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104870/; classtype:trojan-activity;sid:81967970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m+"; depth:8; endswith; nocase; http.host; content:"59.97.170.125"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104868/; classtype:trojan-activity;sid:81967968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"89.237.84.19"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104867/; classtype:trojan-activity;sid:81967967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.35.152"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104866/; classtype:trojan-activity;sid:81967966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plesk-site-preview/web106-9872.gh.schleyer-edv.space/https/51.89.77.2/linkminer.exe"; depth:84; endswith; nocase; http.host; content:"51.89.77.2"; depth:10; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104865/; classtype:trojan-activity;sid:81967965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.91.163"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104864/; classtype:trojan-activity;sid:81967964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/penelop/5.exe"; depth:20; endswith; nocase; http.host; content:"jfas.top"; depth:8; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104860/; classtype:trojan-activity;sid:81967960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1/dubi.exe"; depth:17; endswith; nocase; http.host; content:"i.n.t.e.rloca.l.qs.j.y@jfas.top"; depth:31; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104861/; classtype:trojan-activity;sid:81967961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/cost/5.exe"; depth:17; endswith; nocase; http.host; content:"i.n.t.e.rloca.l.qs.j.y@jfas.top"; depth:31; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104862/; classtype:trojan-activity;sid:81967962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/penelop/updatewin1.exe"; depth:29; endswith; nocase; http.host; content:"jfas.top"; depth:8; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104863/; classtype:trojan-activity;sid:81967963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/cost/5.exe"; depth:17; endswith; nocase; http.host; content:"jfas.top"; depth:8; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104857/; classtype:trojan-activity;sid:81967957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1/dubi.exe"; depth:17; endswith; nocase; http.host; content:"jfas.top"; depth:8; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104858/; classtype:trojan-activity;sid:81967958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/iner/5.exe"; depth:17; endswith; nocase; http.host; content:"jfas.top"; depth:8; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104859/; classtype:trojan-activity;sid:81967959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.174.72.121"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104856/; classtype:trojan-activity;sid:81967956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.201.193.84"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104855/; classtype:trojan-activity;sid:81967955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.101.68"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104854/; classtype:trojan-activity;sid:81967954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.177.36.88"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104853/; classtype:trojan-activity;sid:81967953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.229.53.148"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104852/; classtype:trojan-activity;sid:81967952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.30.1.60"; depth:11; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104851/; classtype:trojan-activity;sid:81967951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/sparc"; depth:12; endswith; nocase; http.host; content:"185.224.129.235"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104850/; classtype:trojan-activity;sid:81967950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.201.31"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104849/; classtype:trojan-activity;sid:81967949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/powerpc"; depth:14; endswith; nocase; http.host; content:"185.224.129.235"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104848/; classtype:trojan-activity;sid:81967948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/powerpc-440fp"; depth:20; endswith; nocase; http.host; content:"185.224.129.235"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104847/; classtype:trojan-activity;sid:81967947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/i586"; depth:11; endswith; nocase; http.host; content:"185.224.129.235"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104845/; classtype:trojan-activity;sid:81967945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/m68k"; depth:11; endswith; nocase; http.host; content:"185.224.129.235"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104846/; classtype:trojan-activity;sid:81967946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/sh4"; depth:10; endswith; nocase; http.host; content:"185.224.129.235"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104844/; classtype:trojan-activity;sid:81967944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/i686"; depth:11; endswith; nocase; http.host; content:"185.224.129.235"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104843/; classtype:trojan-activity;sid:81967943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.150.238.11"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104842/; classtype:trojan-activity;sid:81967942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.164.112.139"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104841/; classtype:trojan-activity;sid:81967941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.15.155"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104840/; classtype:trojan-activity;sid:81967940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.177.36.88"; depth:12; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104839/; classtype:trojan-activity;sid:81967939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.15.155"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104838/; classtype:trojan-activity;sid:81967938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.98.21"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104837/; classtype:trojan-activity;sid:81967937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.213.45.70"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104836/; classtype:trojan-activity;sid:81967936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.118.109"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104835/; classtype:trojan-activity;sid:81967935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.50.102"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104834/; classtype:trojan-activity;sid:81967934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.124.108"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104833/; classtype:trojan-activity;sid:81967933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.162.98.216"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104832/; classtype:trojan-activity;sid:81967932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wrgjwrgjwrg246356356356/harm7"; depth:30; endswith; nocase; http.host; content:"108.174.60.10"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104831/; classtype:trojan-activity;sid:81967931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wrgjwrgjwrg246356356356/harm"; depth:29; endswith; nocase; http.host; content:"108.174.60.10"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104830/; classtype:trojan-activity;sid:81967930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.175.70.207"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104829/; classtype:trojan-activity;sid:81967929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.172.176.30"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104828/; classtype:trojan-activity;sid:81967928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.175.115.106"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104827/; classtype:trojan-activity;sid:81967927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.225.29"; depth:14; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104826/; classtype:trojan-activity;sid:81967926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/mips"; depth:9; endswith; nocase; http.host; content:"37.49.230.229"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104825/; classtype:trojan-activity;sid:81967925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/mpsl"; depth:9; endswith; nocase; http.host; content:"37.49.230.229"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104824/; classtype:trojan-activity;sid:81967924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/arm6"; depth:9; endswith; nocase; http.host; content:"37.49.230.229"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104823/; classtype:trojan-activity;sid:81967923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/ppc"; depth:8; endswith; nocase; http.host; content:"37.49.230.229"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104822/; classtype:trojan-activity;sid:81967922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/m68k"; depth:9; endswith; nocase; http.host; content:"37.49.230.229"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104820/; classtype:trojan-activity;sid:81967920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/arm"; depth:8; endswith; nocase; http.host; content:"37.49.230.229"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104821/; classtype:trojan-activity;sid:81967921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/x86"; depth:8; endswith; nocase; http.host; content:"37.49.230.229"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104818/; classtype:trojan-activity;sid:81967918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y91/sh4"; depth:8; endswith; nocase; http.host; content:"37.49.230.229"; depth:13; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104819/; classtype:trojan-activity;sid:81967919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/armv4l"; depth:13; endswith; nocase; http.host; content:"185.224.129.224"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104817/; classtype:trojan-activity;sid:81967917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/mipsel"; depth:13; endswith; nocase; http.host; content:"185.224.129.224"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104816/; classtype:trojan-activity;sid:81967916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/armv7l"; depth:13; endswith; nocase; http.host; content:"185.224.129.224"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104815/; classtype:trojan-activity;sid:81967915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1104814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simps/mips"; depth:11; endswith; nocase; http.host; content:"185.224.129.224"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_09; reference:url, urlhaus.abuse.ch/url/1104814/; classtype:trojan-activity;sid:81967914; rev:1;) alert http